A mail server is installed on the network; I need to block outgoing port 25 but allow it for the mail server.
Are these two rules enough to make sure nobody except the mail server can do port 25 out?
/ip firewall filter
add action=drop chain=forward comment="Drop Non Mail Srv SMTP Out 25" dst-port=25 out-interface=ether2 protocol=udp src-address=!10.10.10.10
add action=drop chain=forward comment="Drop Non Mail Srv SMTP Out 25" dst-port=25 out-interface=ether2 protocol=tcp src-address=!10.10.10.10
If placed in a correct position in the chain, and if ether2 is your WAN interface, then yes. And the protocol=tcp one should be sufficient; I don't think any SMTP server listens on UDP.
By saying "correct position", what should it be if, let's say, the default firewall configuration is used?
In the default firewall configuration, adding it to the end of the forward chain will do.
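To show why "correct position" matters, here is an added Python model of first-match rule evaluation in a forward chain; it is not RouterOS code and not part of this thread. It assumes a simplified default forward chain (accept established/related, drop invalid; the WAN-inbound "drop not DSTNATed" rule is omitted because it never matches LAN-to-WAN traffic), that ether2 is the WAN interface, and that 10.10.10.10 is the mail server. It evaluates the thread's TCP drop rule appended at the end of that chain, and also shows the failure mode where a broad "accept everything out via WAN" rule sits above it.

```python
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed, simplified model of RouterOS filter semantics: rules are
# checked top to bottom, the first match decides, and a packet matching no
# rule in the chain is accepted (the chain's implicit default).

@dataclass
class Packet:
    src: str
    protocol: str
    dst_port: int
    out_interface: str
    conn_state: str  # "new", "established", "related" or "invalid"

@dataclass
class Rule:
    action: str                         # "accept" or "drop"
    comment: str = ""
    protocol: Optional[str] = None
    dst_port: Optional[int] = None
    out_interface: Optional[str] = None
    src_address: Optional[str] = None   # "10.10.10.10" or negated "!10.10.10.10"
    conn_states: Optional[Set[str]] = None  # models connection-state=...

    def matches(self, p: Packet) -> bool:
        if self.protocol and p.protocol != self.protocol:
            return False
        if self.dst_port is not None and p.dst_port != self.dst_port:
            return False
        if self.out_interface and p.out_interface != self.out_interface:
            return False
        if self.src_address:
            negate = self.src_address.startswith("!")
            addr = self.src_address.lstrip("!")
            # A leading "!" inverts the address match, as in RouterOS.
            if (p.src == addr) == negate:
                return False
        if self.conn_states and p.conn_state not in self.conn_states:
            return False
        return True

def evaluate(chain: List[Rule], p: Packet) -> str:
    """Return the action of the first matching rule, or 'accept' if none match."""
    for rule in chain:
        if rule.matches(p):
            return rule.action
    return "accept"

# The thread's TCP rule (the UDP one is unnecessary, as the reply notes).
SMTP_DROP = Rule(action="drop", comment="Drop Non Mail Srv SMTP Out 25",
                 protocol="tcp", dst_port=25, out_interface="ether2",
                 src_address="!10.10.10.10")

def default_forward_chain() -> List[Rule]:
    # Assumed simplification of the default RouterOS forward chain.
    return [
        Rule(action="accept", comment="accept established,related",
             conn_states={"established", "related"}),
        Rule(action="drop", comment="drop invalid", conn_states={"invalid"}),
    ]

def appended_chain() -> List[Rule]:
    """Drop rule added at the end of the default chain, as the answer suggests."""
    return default_forward_chain() + [SMTP_DROP]

def misplaced_chain() -> List[Rule]:
    """Pitfall: a broad accept above the drop rule shadows it completely."""
    return default_forward_chain() + [
        Rule(action="accept", comment="accept all out via WAN", out_interface="ether2"),
        SMTP_DROP,
    ]

def new_smtp_from(src: str) -> Packet:
    # Constructed sample: first packet of a new outbound SMTP connection.
    return Packet(src=src, protocol="tcp", dst_port=25,
                  out_interface="ether2", conn_state="new")

if __name__ == "__main__":
    for name, chain in (("appended", appended_chain()), ("misplaced", misplaced_chain())):
        for host in ("10.10.10.10", "10.10.10.20"):
            print(f"{name:9} chain, SMTP from {host}: {evaluate(chain, new_smtp_from(host))}")
```

The placement rule of thumb this illustrates: a drop must come before any accept that the same traffic would match, and appending to the default chain works because the default chain contains no such accept for LAN-to-WAN traffic.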
Thank you kindly!!!