I have a Sophos UTM with v9.712-13. I understand from Rule #2 in "rulz" that DNAT is evaluated before the firewall rules:
- the connection tracker (conntrack) first
- then Country Blocking
- then the 'ICMP' tab in 'Firewall': Traceroute and Ping are regulated on the 'ICMP' tab. The "All" service only includes TCP and UDP - none of the other IP protocols are included.
- then Intrusion Prevention (see the images below to see that IPS actually can happen in several places but happens only once!)
- then DNATs*
- […]
I added a NAT rule to sinkhole everything coming from anywhere to a host group containing the external interfaces, translating it to an invalid host:
The 'WAN interfaces' host group contains the external addresses, not networks; I read elsewhere that it's not evaluated properly:
But I still get logs from SMTP like this:
exim-in[9161]: 2022-10-29 15:14:58 id="1003" severity="info" sys="SecureMail" sub="smtp" name="email rejected" srcip="REDACTED" from="" to="@" size="0" reason="host_blacklist" extra="REDACTED blacklisted"
Could it be that exim is exempt from DNAT here for any reason? I already toggled all NAT rules and the SMTP forwarder to no effect.
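One way to check whether a DNAT rule is actually taking traffic out of exim's path is to parse the exim-in log and count sessions that were logged after the rule went live: if the DNAT applied to those connections, exim should never have seen them. The script below is an added example, not code from the original post or from Sophos. It parses the `key="value"` format of the log line quoted above, takes the time the DNAT was enabled and the rule's source scope as parameters (both assumptions here; the "Any" source of the rule described above corresponds to `0.0.0.0/0`), and runs over constructed sample lines in the same format (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges). In practice you would feed it lines exported from the UTM's SMTP log instead.

```python
import ipaddress
import re
from collections import Counter
from datetime import datetime

# Sophos UTM exim-in lines look like:
#   exim-in[<pid>]: <YYYY-MM-DD HH:MM:SS> key="value" key="value" ...
_PREFIX_RE = re.compile(
    r'^(?P<proc>[\w-]+)\[(?P<pid>\d+)\]: '
    r'(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<rest>.*)$'
)
# key="value" pairs; values may be empty (from="") and may contain spaces
# (extra="... blacklisted") but are assumed never to contain a double quote.
_KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_exim_line(line):
    """Return a dict of fields for one exim-in log line, or None if it does not match."""
    m = _PREFIX_RE.match(line.strip())
    if not m:
        return None
    rec = {
        "proc": m.group("proc"),
        "pid": int(m.group("pid")),
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
    }
    rec.update(_KV_RE.findall(m.group("rest")))  # list of (key, value) tuples
    return rec


def connections_that_bypassed_dnat(lines, dnat_enabled_at, dnat_source="0.0.0.0/0"):
    """Count, per source IP, exim-in events logged after the sinkhole DNAT was
    enabled whose srcip lies inside the DNAT rule's source scope.

    Any non-empty result means the SMTP proxy handled a session that the DNAT
    should have redirected away, i.e. the rule did not apply to that traffic.
    """
    scope = ipaddress.ip_network(dnat_source, strict=False)
    hits = Counter()
    for line in lines:
        rec = parse_exim_line(line)
        if rec is None or rec["proc"] != "exim-in" or "srcip" not in rec:
            continue
        if rec["ts"] < dnat_enabled_at:
            continue  # logged before the rule existed; not evidence either way
        try:
            src = ipaddress.ip_address(rec["srcip"])
        except ValueError:
            continue  # malformed srcip field; skip rather than guess
        if src in scope:
            hits[rec["srcip"]] += 1
    return hits


# Constructed sample lines (not from the original post), same field layout as
# the exim-in line quoted in the question. Assumed: the DNAT went live at 16:00.
SAMPLE_LOG = [
    'exim-in[9161]: 2022-10-29 15:14:58 id="1003" severity="info" sys="SecureMail" sub="smtp" '
    'name="email rejected" srcip="203.0.113.10" from="" to="@" size="0" reason="host_blacklist" '
    'extra="203.0.113.10 blacklisted"',
    'exim-in[9161]: 2022-10-29 16:02:11 id="1003" severity="info" sys="SecureMail" sub="smtp" '
    'name="email rejected" srcip="203.0.113.10" from="" to="@" size="0" reason="host_blacklist" '
    'extra="203.0.113.10 blacklisted"',
    'exim-in[9161]: 2022-10-29 16:05:40 id="1003" severity="info" sys="SecureMail" sub="smtp" '
    'name="email rejected" srcip="198.51.100.7" from="" to="@" size="0" reason="host_blacklist" '
    'extra="198.51.100.7 blacklisted"',
    'exim-in[9161]: 2022-10-29 16:07:02 id="1003" severity="info" sys="SecureMail" sub="smtp" '
    'name="email rejected" srcip="203.0.113.10" from="" to="@" size="0" reason="host_blacklist" '
    'extra="203.0.113.10 blacklisted"',
]
DNAT_ENABLED_AT = datetime(2022, 10, 29, 16, 0, 0)

if __name__ == "__main__":
    for ip, n in connections_that_bypassed_dnat(SAMPLE_LOG, DNAT_ENABLED_AT).items():
        print(f"{ip}: {n} SMTP session(s) reached exim after the DNAT went live")
```

Narrowing `dnat_source` to the rule's actual source network lets the same check be used for a DNAT that is not scoped to "Any": only sessions from inside that network count as evidence that the rule was bypassed.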