I have a Sophos UTM with v9.712-13. I understand from Rule #2 in "rulz" that DNAT is evaluated before the firewall rules:
the connection tracker (conntrack) first
then Country Blocking
then the 'ICMP' tab in 'Firewall': Traceroute and Ping are regulated on the 'ICMP' tab. The "All" service only includes TCP and UDP - none of the other IP protocols are included.
then Intrusion Prevention (see the images below to see that IPS actually can happen in several places but happens only once!)
I added a rule to NAT to sinkhole everything coming from anywhere to a host group with the external interfaces to an invalid host:
WAN interfaces contain the external addresses, no networks – I read elsewhere that it's not evaluated properly:
But I still get logs from SMTP like this:
exim-in: 2022-10-29 15:14:58 id="1003" severity="info" sys="SecureMail" sub="smtp" name="email rejected" srcip="REDACTED" from="" to="@" size="0" reason="host_blacklist" extra="REDACTED blacklisted"
Could it be that exim is exempt from DNAT here for any reason? I already toggled all NAT rules and the SMTP forwarder to no effect.
Hallo Luca and welcome to the UTM Community!
Do you see anything relevant in the Firewall log?
Cheers - Bob