How to punch a single host hole in default SMTP block rule instead of disabling it entirely?

Hi,

I am trying to allow a single host in my green network through the default SMTP block rule. I created an “allow” rule above the block rule with the source being the host, the destination RED and port 25. I enabled logging and I see it gets hits. But as soon as I re-enable the default Any->RED:25/tcp rule the packets are blocked again.
I enabled logging on that default rule, but I don’t see it in logs.

Thanks,
Marcin.


This rule was added to stop spammers, or networks that may have servers infected by spam bots. I see no problem with your plan.

Hey,

Yes, I read the docs and I have nothing against the rule. But my approach doesn’t work, I spent some time trying, and I don’t know why. Currently I have the default rule disabled. I’d like to enable it for anything but the one host I have postfix on.

Thanks,
M

This should work. Please post the details of the first rule. (Maybe there is a wrong setting so that the rule does not match.)


Thanks for looking into it. Here it is:

I see hits in the logs for it (but as a new member I can’t post 2 images in a single post).

BTW - is there a clean way to dump rule settings from CLI or other non-screenshot method?

And the rule hits:

“nas” host is 192.168.1.2

Surely those rule hits are all ALLOW hits and not DROP hits as the firewall rule is an ALLOW rule.

Try moving the rule down one spot. Maybe it’s doing it as an “any” source -> deny overriding a one-host -> allow directive on a port.

What is the default firewall settings?

This does not work because the rule below rejects all port 25 traffic; if that rule comes first, the traffic never reaches the allow rule.

Try “any” as destination in your rule.

With the 2nd rule disabled it still works with “any”. As soon as I enable the 2nd one, it stops working.

I don’t recall changing any firewall settings from the defaults but here they are:

Thanks.

I’ve just tried moving DNAT rule that goes the other way before the SMTP block, but it doesn’t seem to change anything.

I also can’t see any hits on the default SMTP block rule in logs and I have the “log” checked. It would help to identify the source and destination being blocked.


Change your DNAT rule to Destination Firewall (RED).

Mine looks like this, but I use a port group.

Your allow rule must go above the block rule.

You can dump your firewall rules at the command line with:

iptables -nvL
iptables -nvL -t nat

Maximise your ssh session first to make it more readable.

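The `iptables -nvL` / `iptables -S` dump is long because IPFire creates many chains, so it helps to filter it down to the rules that touch the port in question. The script below is an added example, not something posted in this thread or part of IPFire: `rules_for_port` reads `iptables -S` style output on stdin and prints, for every rule matching `--dport PORT`, the chain, the rule's position inside that chain (first match wins, so position matters), its target and the raw rule. `SAMPLE` is a constructed, shortened imitation of the FORWARDFW/INPUTFW/OUTPUTFW chains mentioned later in the thread; on the firewall you would pipe the real `iptables -S` output into the function instead.

```shell
#!/bin/sh
# Added example (not from the thread or from IPFire): narrow an `iptables -S`
# dump down to the rules that match a given TCP port.
# SAMPLE is constructed test input imitating IPFire's generated chains;
# real input is:  iptables -S | rules_for_port 25
SAMPLE='-A FORWARDFW -s 192.168.1.2/32 -p tcp -m tcp --dport 25 -j ACCEPT
-A FORWARDFW -p tcp -m tcp --dport 25 -j REJECT --reject-with icmp-port-unreachable
-A FORWARDFW -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUTFW -p tcp -m tcp --dport 25 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUTFW -p tcp -m tcp --dport 25 -j REJECT --reject-with icmp-port-unreachable'

# rules_for_port PORT   (reads `iptables -S` output on stdin)
# Output line format: CHAIN#POSITION TARGET <raw rule>
rules_for_port() {
    port="$1"
    awk -v port="$port" '
        $1 == "-A" {
            n[$2]++                      # position of this rule within its chain
            for (i = 1; i <= NF; i++) {
                if ($i == "--dport" && $(i+1) == port) {
                    target = ""
                    for (j = 1; j <= NF; j++) if ($j == "-j") target = $(j+1)
                    printf "%s#%d %s %s\n", $2, n[$2], target, $0
                }
            }
        }'
}

# count_for_port PORT -> number of SAMPLE rules matching that port
count_for_port() {
    printf '%s\n' "$SAMPLE" | rules_for_port "$1" | wc -l | tr -d ' '
}

# Demo on the constructed sample: shows the allow rule sits at FORWARDFW#1,
# above the reject at FORWARDFW#2, plus the INPUTFW/OUTPUTFW rejects.
printf '%s\n' "$SAMPLE" | rules_for_port 25
```

Reading the positions is the point: if the ACCEPT for the host shows up below the REJECT in FORWARDFW, the ordering in the web UI did not end up the way you intended. Rules in INPUTFW and OUTPUTFW only affect traffic to or from the firewall itself, not forwarded traffic from green.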

Thanks @nickh - I was a little shy of iptables because of the number of chains created. There seems to be a reason for them though :wink: BTW I find --list-rules much more readable than -L.
I tried to replicate your setup exactly (with service groups) and it doesn’t work for me either. I looked into the created iptables entries, and the block rule creates entries in the FORWARDFW, INPUTFW and OUTPUTFW chains. I don’t see INPUT or OUTPUT being hit in the logs.
I cannot identify where exactly my traffic gets blocked. According to iptables and the logs, it just should work.
I am leaving the default rule disabled for now and I need to get things done at work before they fire me - I spent too much time on it :slight_smile:

An option to be able to put a custom log prefix for each rule could be helpful here :slight_smile: Maybe a feature request…?

I may get back to this during the weekend.

Thanks all for the help!

I gave you two commands. In iptables there are three tables: filter, nat and mangle. Filter is the default and does not need to be specified, but port forwarding manipulates the nat table (generally with a DNAT rule and sometimes an SNAT) as well as the FORWARD chain of the filter table, so you have to look at that as well. Have a look at Traversing of tables and chains for the traffic flow. It means the nat PREROUTING rule can get hit before FORWARD rules irrespective of the rule ordering.

What you could do temporarily (for a few seconds) is disable the nat rule and see if your FORWARD rules suddenly work, but something looks a little different between our allow rules.
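Two things in this thread are easier to see in code than in screenshots: the first-match ordering of the allow and block rules (the point made earlier about the reject rule having to sit below the allow), and the fact that nat PREROUTING runs before the filter FORWARD chain, so a FORWARD rule is matched against the destination *after* any DNAT rewrite. The following Python model is an added example written for this thread; it is not IPFire code and does not talk to netfilter. The addresses are assumptions: `192.168.1.2` is the thread's "nas" host, `203.0.113.10` stands in for the RED address and `198.51.100.25` for a remote mail server (both from documentation ranges).

```python
"""Toy model of netfilter traversal for the SMTP-rule discussion.

Order modelled (matches the real packet path for forwarded traffic):
  nat PREROUTING (DNAT may rewrite dst) -> routing -> filter FORWARD.
Each chain is walked top-down; the first matching rule decides.
Added example, not IPFire code; addresses are assumed values.
"""
from dataclasses import dataclass, replace
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

ANY = ip_network("0.0.0.0/0")
NAS = ip_network("192.168.1.2/32")       # the thread's "nas" host (assumed)
RED_IP = ip_network("203.0.113.10/32")   # assumed RED (WAN) address


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    src: IPv4Network          # source match
    dst: IPv4Network          # destination match, evaluated after any DNAT
    dport: Optional[int]      # None means any port
    target: str               # ACCEPT, REJECT, DROP or DNAT
    to: Optional[str] = None  # new destination for DNAT rules


def matches(rule: Rule, pkt: Packet) -> bool:
    return (ip_address(pkt.src) in rule.src
            and ip_address(pkt.dst) in rule.dst
            and (rule.dport is None or rule.dport == pkt.dport))


def walk(chain, pkt, trace):
    """First matching rule wins; None means the chain policy applies."""
    for pos, rule in enumerate(chain, start=1):
        if matches(rule, pkt):
            trace.append(f"rule {pos} {rule.target}")
            return rule
    trace.append("no match")
    return None


def traverse(pkt, prerouting, forward):
    """Return (verdict, destination seen by FORWARD, trace)."""
    trace = []
    hit = walk(prerouting, pkt, trace)
    if hit is not None and hit.target == "DNAT":
        pkt = replace(pkt, dst=hit.to)   # FORWARD only ever sees the rewritten dst
    hit = walk(forward, pkt, trace)
    verdict = hit.target if hit is not None else "POLICY"
    return verdict, pkt.dst, trace


# --- scenario 1: outbound SMTP from nas, allow vs. block ordering ---
ALLOW_NAS = Rule(NAS, ANY, 25, "ACCEPT")   # the single-host hole
BLOCK_SMTP = Rule(ANY, ANY, 25, "REJECT")  # IPFire's default "Any -> RED:25" block
OUTBOUND = Packet("192.168.1.2", "198.51.100.25", 25)  # constructed sample packet


def allow_above_block():
    return traverse(OUTBOUND, [], [ALLOW_NAS, BLOCK_SMTP])[0]   # ACCEPT


def allow_below_block():
    return traverse(OUTBOUND, [], [BLOCK_SMTP, ALLOW_NAS])[0]   # REJECT


# --- scenario 2: inbound port forward, DNAT happens before FORWARD ---
DNAT_SMTP = Rule(ANY, RED_IP, 25, "DNAT", to="192.168.1.2")
FWD_TO_RED = Rule(ANY, RED_IP, 25, "ACCEPT")  # written against the RED address
FWD_TO_NAS = Rule(ANY, NAS, 25, "ACCEPT")     # written against the DNAT target
INBOUND = Packet("198.51.100.25", "203.0.113.10", 25)  # constructed sample packet


def forward_rule_on_red_address():
    """Never matches: by the time FORWARD runs, dst is already 192.168.1.2."""
    return traverse(INBOUND, [DNAT_SMTP], [FWD_TO_RED, BLOCK_SMTP])[0]  # REJECT


def forward_rule_on_nas_address():
    return traverse(INBOUND, [DNAT_SMTP], [FWD_TO_NAS, BLOCK_SMTP])[0]  # ACCEPT


if __name__ == "__main__":
    for name, fn in [("allow above block", allow_above_block),
                     ("allow below block", allow_below_block),
                     ("forward rule on RED address", forward_rule_on_red_address),
                     ("forward rule on nas address", forward_rule_on_nas_address)]:
        print(f"{name}: {fn()}")
```

The second scenario is why the advice in this thread is to build the inbound rule as a port forward with "Destination Firewall (RED)" and let the firewall generate the matching FORWARD entry for the internal host, rather than hand-writing a FORWARD rule against the RED address: the filter chain evaluates the post-DNAT destination, whatever the rule order in the list.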

Do you have more than one WAN address?
I’ve read in the forum that mail servers need to SNAT to the correct firewall IP,
so the responding mail comes from the correct IP.
Mail servers are very particular.
I do not run one, but perhaps this will lead you in the right direction.
Good luck, and good day.

I have hosted a mail server for years. I have a single WAN IP. I deployed IPFire quite recently; before that I just ran DD-WRT on a stock router (until it died). It works just fine with that default rule disabled. I guess I keep running it out of habit because I don’t use it much :slight_smile:
I’ll put it on a CV if I’ll be changing my job :stuck_out_tongue: me@marcin.*. :wink:

I think in your firewall rule it should be NAT, with the “destination firewall” button checked: Red.

I think there is something wrong with selecting host as a source or destination.

Because I had to put my device in a host group for a few firewall rules to work after version 189 on my system.