Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 4 replies
  • Subscribers 27 subscribers
  • Views 5744 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Firewall rule allowing access to services/ports that are not 'allowed'?

shred

EDIT: Figured it out - I'm an idiot.

I basically had an 'Allow All' as my last firewall rule that applied to my entire local subnet. I was trying to specify only certain services for firewall rules above for specific devices on my network, but when you remove a Service that those devices need (like DNS), it will simply skip over that firewall rule and end up hitting the last 'Allow All' firewall rule. It got really confusing because my Log Viewer was showing traffic from my Macbook Air hitting the correct firewall rule, but when I ran the policy tester it was showing it using a different firewall rule, but that's exactly what was likely occurring since my Macbook Air was basically using different firewall rules depending on which service(s) it was trying to use.

Basically, if you're moving from an 'Allow All' approach to a 'Deny All' approach, you need to make sure you update your 'Allow All' rule so it only applies to the devices that need to use that rule and remove your local subnet so it doesn't become a "catch all" rule that passes anything that didn't apply to the firewall rules above it.

On a different note, now when I try to run the Policy Test tool, the results are always 'Blocked' and it's showing 'No Matched Rule (ID:0)', even though I'm testing it against IP address of devices that do have a firewall rule they're using to access the website I'm testing against (www.google.com). Any ideas what's causing that?



This thread was automatically locked due to age.
  • 0

    Hi shred,

    what does the MAC show as its DNS and if you run a ifconfig in the mac terminal widow what does that show. I can see everything but the DNS entry in mine, so must be another command to show DNS settings in a MAC.

    Also what you are saying is that the MAC is using another rule to get to the internet. Try disabling all rules and see what happens?

    Ian

  • 0 in reply to rfcat_vk

    You can see what DNS servers your MacOS device is using by going to Network Preferences -> Select your Connection -> 'Advanced' -> 'DNS' tab. My DNS servers are showing correctly (i.e. as I have configured in Sophos XG).

    Edit: Deleted the rest of the post (see post #1).

  • 0 in reply to shred

    Hi,

    the DNS setting you pointed out do not always show the correct settings, I was after the settings that show the actual DNS values the MAC is using at the time.

    If you are using the XG as a DNS you do not need to add a rule because the rule is to allow traffic through the firewall.

    Ian

    Further, have you enabled the XG to be a DNS eg in the network DNS settings.

  • 0 in reply to rfcat_vk

    rfcat_vk said:

    Hi,

    the DNS setting you pointed out do not always show the correct settings, I was after the settings that show the actual DNS values the MAC is using at the time.

    If you are using the XG as a DNS you do not need to add a rule because the rule is to allow traffic through the firewall.

    Ian

    Ah, I see. That's a good point about the DNS servers since clients on the network would be getting that information directly from Sophos XG via the local subnet. However, I'm seeing the same behavior for 'Ping' as well (ICMP protocol) and I'm still able to stop access to the DNS port (see above). I reset my DNS server to be obtained from my ISP and manually changed my DNS settings on my Macbook Air to 8.8.8.8 (Google's DNS server) to remove that variable though so I'll keep testing... this is very strange behavior though (see my updated post #2 above).