On Thu, Sep 25, 2025 at 10:27:52AM +0300, kasak wrote:
> Hello misc!
>
> I have opensmtpd smarthost on my router.
>
> It seems some host on my LAN network sometimes sends spam through my
> gateway (not through the smarthost)
>
> and because of it, my ip get blacklisted.
>
> I want to deny use of port 25 from LAN to WAN. I need some advice here.
>
> This is my simplified pf.conf (I've cropped some variables, I think they are
> intuitive):
Not really. You have rules on "$ext_if", "em0" and "egress".
>
> ----
>
> block in on $ext_if
>
> pass in on $ext_if inet proto tcp from $admin to $ext_if port ssh
Are you really managing this router from the internet-facing side? (Not
necessarily a problem, just checking.)
> pass in quick on em0 inet proto tcp to em0 port { smtp, www, https,
> submission }
Is em0 your LAN-facing interface?
"quick" here means that no further rules will be evaluated for packets
that match this. So there is no point in trying to block smtp from LAN
(assuming that's behind em0) later on.
> #Block 25 port from lan
This might work *as long as you remove quick from the previous rule*
block in quick on $lan_if proto tcp to !self port 25
> #block out quick on egress proto tcp from !self to any port 25
(uncommenting this would prevent your smarthost from forwarding messages
to their destination)
>
> #Enable NAT
> pass out on $ext_if inet from $newlan nat-to $ext_ip
> pass out on $ext_if inet from $guest_vpn to ! <mynets> received-on pppx
> nat-to $ext_ip
I'd put this on top of the ruleset. But that's more a matter of
personal taste. I get itchy about very general rules at the end of the
ruleset, since they might catch a lot more than you mean them to.
>
> ----
>
> Please have a look at the "#block 25 port from lan" string; unfortunately, it
> blocks all of the mail traffic, including opensmtpd on self.
See above. Simply add "to !self"
>
> Maybe there is better solution?
>
--
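As an added example that is not part of this thread, the following minimal pf.conf puts the rules discussed above in the order the reply suggests: the "to !self" block with "quick" before the LAN pass rule (which loses its "quick"), and the NAT rule kept out of the catch-all position. The interface names, addresses and macro values are assumptions made for the example.

```pf
# Macros (assumed values for this example; adjust to the real network)
ext_if = "em1"          # internet-facing interface (assumption)
lan_if = "em0"          # LAN-facing interface (assumption)
admin  = "192.0.2.10"   # admin host allowed to ssh in (assumption)
newlan = "10.0.0.0/24"  # LAN network that gets NATed (assumption)
ext_ip = "203.0.113.5"  # address used for nat-to (assumption)

set skip on lo

# Default deny inbound on the external interface
block in on $ext_if

# Admin SSH from the outside, as in the original ruleset
pass in on $ext_if inet proto tcp from $admin to $ext_if port ssh

# LAN hosts may not talk SMTP to anything except this router.
# "self" expands to every address on every interface of the router, so
# the local OpenSMTPD listener on port 25 stays reachable from the LAN.
# "quick" ends evaluation for matching packets, so a later, more general
# pass rule cannot override this. "return" answers with a TCP RST instead
# of silently dropping, and "log" sends the packet to pflog0 so the
# spamming host can be identified.
block return in log quick on $lan_if inet proto tcp to !self port 25

# Services the router itself offers to the LAN. No "quick" here: with it,
# this rule would end evaluation before anything placed after it.
pass in on $lan_if inet proto tcp to $lan_if port { smtp, www, https, submission }

# Outbound: the router's own traffic (including the smarthost delivering
# mail on port 25) and NAT for the LAN. pf uses last-match semantics
# without "quick", so the nat-to rule wins for $newlan sources.
pass out on $ext_if
pass out on $ext_if inet from $newlan nat-to $ext_ip
```

Check the syntax with "pfctl -nf /etc/pf.conf" before loading it with "pfctl -f /etc/pf.conf", and confirm the resulting order with "pfctl -sr". With "log" on the block rule, "tcpdump -n -e -ttt -i pflog0 port 25" shows which LAN host keeps trying to send mail directly. One caveat: the "!self" exception means a LAN host can still hand mail to the router's own OpenSMTPD on port 25, and the smarthost will forward whatever that listener accepts, so the listener should only relay for authenticated or explicitly allowed senders.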