DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Firewall issue - WAN bound TLS passing after block

14 Jun 2018 08:34 #1 by gsb1
A quick summary of background. I have a few IP cameras that I access via VPN into my home LAN via my Vigor 2860. I have firewall rules to limit what internet connectivity the cameras have themselves (just for peace of mind).

My intention is for the cameras themselves to only access DNS (to resolve NTP), NTP (to get accurate time) and SMTP for any critical alerts.

The filter rules are as follows:

1. Start with a complete block

LAN/DMZ/RT/VPN -> WAN
Source: Range of my IP cams by IP
Destination: Any
Service type: Any
Action: Block if no further match

2. Open Google DNS
LAN/DMZ/RT/VPN -> WAN
Source: Any
Destination: 8.8.8.8
Service type: Any
Action: Pass immediately

3. Open NTP
LAN/DMZ/RT/VPN -> WAN
Source: Any
Destination: Any
Service type: UDP:123
Action: Pass immediately

So far so good. Testing with NTP, for example: if I un-check rule three and try an NTP refresh on a cam, it fails. I can see the traffic blocked in the Firewall syslog on the Vigor 2860. If I enable rule three, it works, as intended.

However, what I don't understand is that with the rules ending there, the camera can send SMTP email using TLS on port 587. How is this possible given the three rules I have configured?

Any guidance/explanation appreciated.


14 Jun 2018 09:06 #2 by admin3
Is the SMTP server located on the local network or on the Internet? If it's on the LAN, the SMTP doesn't go through the router (gateway) so the firewall can't be applied to that traffic - unless you put the cameras on their own VLAN and configure LAN > LAN Firewall Filter rules to limit what can go between the LAN and camera VLANs.



Forum Administrator


14 Jun 2018 09:16 #3 by gsb1
Internet SMTP, hence my confusion.


14 Jun 2018 15:46 #4 by sheltons
May Help.

In this situation I would go into Firewall/General Setup and, on the Default Rule page, set Filter to Pass, put a tick in Syslog and watch Firewall in Syslog to see if it shows why it is being passed.

Another mistake I have made in the past is forgetting to link Filter Sets, as in, at the bottom of the Filter Set page, telling it to link to the next filter set.

May not be the instance from your post but worth looking at all the same.
John


14 Jun 2018 15:59 #5 by sheltons

Sheltons wrote: May Help.

In this situation I would go into Firewall/General Setup and, on the Default Rule page, set Filter to Pass, put a tick in Syslog and watch Firewall in Syslog to see if it shows why it is being passed.

Another mistake I have made in the past is forgetting to link Filter Sets, as in, at the bottom of the Filter Set page, telling it to link to the next filter set.

May not be the instance from your post but worth looking at all the same.
John
Further to the above, you should be able to set Rule 2 to Destination Port (Service Type) TCP/UDP 53 - I may be corrected, but that should be the standard DNS port.
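The three rules from the opening post, together with the Default Rule and unlinked-filter-set possibilities John raises above, modelled in a small first-match evaluator. This is an added example, not DrayTek firmware code: the action semantics ("Pass immediately" ends evaluation, "Block if no further match" defers a block that a later pass can override), the camera IP range and the internet host addresses are all assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int

@dataclass(frozen=True)
class Rule:
    name: str
    src: str = "any"          # "any", a CIDR, or a DrayTek-style "start-end" IP range
    dst: str = "any"
    proto: str = "any"        # "any", "tcp" or "udp"
    dport: int = 0            # 0 means any destination port
    action: str = "pass_now"  # "pass_now" or "block_if_no_further_match"
    def matches(self, f: Flow) -> bool:
        return (addr_in(f.src, self.src) and addr_in(f.dst, self.dst)
                and self.proto in ("any", f.proto) and self.dport in (0, f.dport))

def addr_in(addr: str, spec: str) -> bool:
    if spec == "any":
        return True
    if "-" in spec:
        lo, hi = (ip_address(s) for s in spec.split("-"))
        return lo <= ip_address(addr) <= hi
    return ip_address(addr) in ip_network(spec, strict=False)

def evaluate(flow: Flow, rules, default_action: str = "pass"):
    """Walk the filter set top to bottom; return (verdict, name of deciding rule)."""
    pending = None
    for r in rules:
        if not r.matches(flow):
            continue
        if r.action == "pass_now":
            return "pass", r.name        # "Pass immediately" ends evaluation
        pending = ("block", r.name)      # deferred block: a later pass can override it
    # Nothing decided (or the set was never reached): the Default Rule applies.
    return pending or (default_action, "default rule")

# The three rules from the post. Camera range and internet hosts are constructed values.
CAMERAS = "192.168.1.50-192.168.1.59"
POSTER_RULES = [
    Rule("1 block cameras", src=CAMERAS, action="block_if_no_further_match"),
    Rule("2 google dns", dst="8.8.8.8"),
    Rule("3 ntp", proto="udp", dport=123),
]
SMTP_587 = Flow("192.168.1.52", "203.0.113.25", "tcp", 587)  # camera -> internet SMTP
```

Under these semantics the camera's TCP/587 flow is decided by rule 1 and blocked, so if it passes on the real router, the decision is being made somewhere other than these three rules (for example the Default Rule when the set is not reached).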


14 Jun 2018 18:25 #6 by gsb1

Sheltons wrote: May Help.

In this situation I would go into Firewall/General Setup and, on the Default Rule page, set Filter to Pass, put a tick in Syslog and watch Firewall in Syslog to see if it shows why it is being passed.

Another mistake I have made in the past is forgetting to link Filter Sets, as in, at the bottom of the Filter Set page, telling it to link to the next filter set.

May not be the instance from your post but worth looking at all the same.
John
Thanks for the suggestion. I tried this and there is no entry in the firewall syslog.
