No announcement yet.

Mail Server Behind Firewall

  • Filter
  • Time
  • Show
Clear All
new posts

  • Mail Server Behind Firewall

    Hi, I am trying to get my mail server accessible from the outside.I am a little confused about the Filter Rules vs Firewall app but if I read and understood the Filter rules are using Pre-NAT data and are done by the OS and the Firewall app is post NAT. I have tried a bunt of different combo's but I am stuck

    I have the port forwarding setup. The IP alias is setup on the Interface and I have tested outbound access from the server is being Natt'd to the proper address.

    Click image for larger version

Name:	image.png
Views:	271
Size:	43.6 KB
ID:	395611

    I have setup a filter rule in Network -> Filter Rules

    Click image for larger version

Name:	image.png
Views:	95
Size:	41.8 KB
ID:	395612

    I have just been testing with port 25 so only have that rule..

    Click image for larger version

Name:	image.png
Views:	92
Size:	57.2 KB
ID:	395613
    I am clearly missing something basic.

    Thanks in advance for the assistance.

  • #2
    What is the third screen capture? Firewall app? You don't need rules in Filter or Firewall app if you don't have a block all rule.

    Remove the destination address in the port forward rule. It was cause issues since it is conflicting with destined local.
    Attention: Support and help on the Untangle Forums is provided by
    volunteers and community members like yourself.
    If you need Untangle support please call or email [email protected]


    • #3
      You can reduce the Port Forwarding down to just one rule by listing all the Ports in a comma-separated list (25, 143, 465, 993) and removing the "New Port" entry.

      Then I would remove the "Destined Local" rather than the "Destination Address" from the rule. jcoffin is right that these do cause a conflict (Destined Local means traffic targeting the Untangle server itself, which is not the case here). So the rules as written will never forward ANY traffic. But it seems like you have multiple external addresses (base matches instead of and need to be sure only traffic for the one address is forwarded to the server. So for these rules I would only use Destination Address and Destination Ports. Maybe protocol, but I might even leave that off.
      Last edited by jcoehoorn; 12-19-2022, 07:52 AM.
      Five time Microsoft ASP.Net MVP managing a Lenovo RD330 / E5-2420 / 16GB with Untangle 16.5.2 to protect a 1Gbps fiber link for ~450 residential college students and associated staff and faculty


      • #4
        Thanks guys, I will try these and let you know.

        Yes, Third screenshot is the firewall app.. Is there a best practice to use the Filter Rules vs the Firewall app or vice versa? Or both?


        • #5
          All is working as expected now.. Appreciate the quick response


          • #6
            Originally posted by Azure Doom View Post
            Is there a best practice to use the Filter Rules vs the Firewall app or vice versa?
            Always use Filter Rules when you can. They operate 'lower' in the device, at layer 3, and can save a bit of processing overhead. Whenever you're using layer-3 criteria (IP addresses, ports, protocols, interfaces), Filter Rules are the better choice.

            Firewall app Rules operate at layer 7, so they're a little 'later' in the processing pipeline. They're great if you want to do geoip blocking or firewall policy stuff based on layer 7 criteria (such as other NGFW apps' information, Active Directory group membership, &c.).
            Græme Ravenscroft • Technical Marketing Engineer
            ('gram', like the unit of measurement)
            How can we make Arista ETM products better?