25.09.2025 12:39, Zé Loff writes:
> On Thu, Sep 25, 2025 at 10:27:52AM +0300, kasak wrote:
>> Hello misc!
>>
>> I have an opensmtpd smarthost on my router.
>>
>> It seems some host on my lan network sometimes sends spam through my
>> gateway (not through the smarthost)
>>
>> and because of it, my ip gets blacklisted.
>>
>> I want to deny use of port 25 from lan to wan. I need some advice here.
>>
>> This is my simplified pf.conf (i've cropped some variables, i think they are
>> intuitive):
> Not really.  You have rules on "$ext_if", "em0" and "egress".
sorry, my bad. forgot to explain. But you got it anyway.
>> ----
>>
>> block in on $ext_if
>>
>> pass in on $ext_if inet proto tcp from $admin to $ext_if port ssh
> Are you really managing this router from the internet-facing side (not
> necessarily a problem, just checking).
just from one ip :) 99% of the time, i'm on the lan-facing side.

>> pass in quick on em0 inet proto tcp to em0 port { smtp, www, https,
>> submission }
> Is em0 your LAN-facing interface?
>
> "quick" here means that no further rules will be evaluated for packets
> that match this.  So there is no point in trying to block smtp from LAN
> (assuming that's behind em0) later on.

em0 - wan

em1 - lan

>> #Block 25 port from lan
> This might work *as long as you remove quick from the previous rule*
>
>> block in quick on $lan_if proto tcp to !self port 25
This works! Thanks!

>> #block out quick on egress proto tcp from !self to any port 25
> (uncommenting this would prevent your smarthost from forwarding messages
> to their destination)
Yep, that is what i got, and was not able to understand why
>> #Enable NAT
>> pass out on $ext_if inet from $newlan nat-to $ext_ip
>> pass out on $ext_if inet from $guest_vpn to ! <mynets> received-on pppx
>> nat-to $ext_ip
> I'd put this on top of the ruleset.  But that's more a matter of
> personal taste.  I get itchy about very general rules at the end of the
> ruleset, since they might catch a lot more than you mean them to.
>
>> ----
>>
>> Please have a look at the "#block 25 port from lan" string, unfortunately it
>> blocks all of the mail traffic, including opensmtpd on self.
> See above.  Simply add "to !self"
>
>> Maybe there is a better solution?
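The points raised in the thread pulled together into one ruleset, as an added example pf.conf that is not from the thread or from either poster: the NAT is moved to the top as a "match" rule so no broad "pass out" sits at the end, the block on port 25 carries "to !self" so the router's own opensmtpd stays reachable from the LAN, there is no "block out ... port 25" on egress so the smarthost can still relay, and the block is logged so the spamming LAN host can be identified. Interface names follow the poster's reply (em0 = WAN, em1 = LAN); the addresses are placeholders from the documentation ranges, and the $newlan and $admin macros are assumed to mean the LAN prefix and the admin host.

```pf
# Added example ruleset (not the poster's pf.conf). Interface names
# follow the thread: em0 is the WAN side, em1 the LAN side.
ext_if = "em0"
lan_if = "em1"
ext_ip = "192.0.2.10"          # placeholder WAN address (TEST-NET-1)
newlan = "192.168.1.0/24"      # placeholder LAN prefix
admin  = "198.51.100.5"        # placeholder admin host (TEST-NET-2)

set skip on lo

# NAT first, as a "match" rule: it only sets up translation and leaves
# the pass/block decision to the filter rules below. A trailing
# "pass out ... nat-to" would instead be the last-matching rule for
# every packet leaving the WAN interface.
match out on $ext_if inet from $newlan nat-to $ext_ip

# WAN side: default deny, logged, plus the services the router offers.
# No "quick" on the pass rules, so they cannot short-circuit anything
# evaluated later in the file.
block in log on $ext_if
pass in on $ext_if inet proto tcp from $admin to $ext_if port ssh
pass in on $ext_if inet proto tcp to $ext_if port { smtp, www, https, submission }

# LAN side: port 25 to anything other than the router itself is refused
# and logged. "quick" makes this decisive regardless of the broader pass
# rule that follows; "to !self" is what keeps the router's own smtpd
# usable as the smarthost for LAN clients.
block in log quick on $lan_if inet proto tcp from $newlan to !self port smtp

# Everything else from the LAN, including smtp and submission to the
# router's own smtpd, is allowed (stateful by default).
pass in on $lan_if inet from $newlan

# The router itself, and therefore opensmtpd relaying to the upstream
# smarthost, may still send mail out: deliberately no "block out" on
# port 25 here.
pass out on $ext_if inet
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`. Because the block rule is logged, `tcpdump -n -e -ttt -i pflog0 port smtp` on the router then shows which LAN address keeps trying to reach port 25 directly, which is the machine that needs cleaning up rather than the firewall.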

