
(RESOLVED) XG not blocking some sites - IPv6

Hi folks,

I have been investigating why my XG and my Sophos Home Premium intermittently block a specific URL on Apple devices when it should always be blocked.

I have been working with the Sophos Home team and they will be glad to see the end of this little issue, I hope.

This appears to me to be an issue for those running dual stack or IPv6 only sites.

I have a series of web filters based on the default but with extra items; the same filter is used in IP4 and IPv6 firewall rules.

Over the last couple of days I have broken my iPad, MBP and XG configurations and have had to do a restore to the XG so I could explore what I thought was the answer, or so I thought. Deeper investigation this morning: with the IPv6 access blocked, the web site was blocked by either the XG or the Sophos Home. Bingo. Allow the IPv6 access again and access to the offending site was restored.

The site is correctly classified, but the classification site does not appear to provide an IPv6 address to the searching applications. The sub-domains of the site are only IP4 and get blocked by both XG and Sophos Home.

Yes, I do know that the XG and Sophos Home are separate applications with different support teams, but they use the same reference databases along with Sophos endpoint etc.

Some food for thought for those of you not able to determine why some sites are blocked and others are not.

Ian

The issue is not helped by the lack of FQDNs in IPv6 firewall rules, so the rules are very open unless you want to load a large number of IP addresses.



  • Hi  

    Could you please share domain/URL details?

  • Hi Keyur,

    okay the url is http www damplips com

    I have re-arranged my rule order in IPv6 and now I see blocks in the logs for IPv6 traffic which weren't there before, neither was there any allow. I am not sure my Apple IPv6 updates work anymore because they were higher up the search path, so without FQDN the Apple firewall rule does not work properly in IPv6.

    I also changed the Apple allowed port list as recommended by Apple to use HTTP instead of 1:65535 80 and HTTPS instead of 1:65535 443 in both IP4 and IPv6 firewall rules, but not using the proxy because that stops Apple updates working. Yes, I understand the HTTP/S are just identities for the port range.

    Ian

    Currently being blocked for two days in a row, which is a success; other firewall rules appear to be ignored. Only time and more devices checking their internet connections will tell.

  • Update

    The site is blocked for two days in a row.

    Actions taken:

    Changed the DNS setup to use the ISP DNS as part of the DHCP WAN connection; interestingly, some new and some old servers are provided. The DNS changes also allowed the Sophos Home to update and maintain updates.

    Changed order of firewall rules in IPv6 configuration.

    Removed HTTP from all rules, with interesting side effects: suddenly all the sites I had been trying to identify now appear in firewall logs as failed/denied connections, both IP4 and IPv6. Strange.

    Slowly restored HTTP to firewall rules until I found the rule allowing the site out.

    I also found why I was having intermittent e-mail issues: again, a new entry in the log viewer showing a new email server for my ISP. The server is not identified on the ISP website and does not show in the FQDN listing. No, it is not a scam site; it sits within the ISP's mail server range.

    I broke many things while testing and had to do a restore.

    What is still broken is Apple updates mail scanning.

    I would say the issue is resolved for yesterday and today. Roll on a better version of XG with increased security on IPv6.

    Ian

  • Hi  

    Thank you for sharing the resolution and your expertise; it would be helpful to fellow community members. Much appreciated.