
Trying to understand the rules, and why traffic is routing with a rule turned off?

I am trying to understand how I am able to get traffic from my LAN to the DMZ when the firewall rule is OFF! Clearly I do not understand the XG rules and policies. I have attached an image below of what I see in the rules display, and from what I see there is nothing allowing traffic between the LAN and the DMZ. Before I go any further and create a bigger mess I need to know why. Where is this controlled, and how am I supposed to read the displayed information so that I would know how the routing is occurring?

  • Hello Mark,

    Thank you for contacting the Sophos Community.

    What are rules #4 and #6?

    You can also use the Diagnostics or conntrack to double confirm what Firewall rule is being applied when the traffic is going from LAN to DMZ.

    Regards,

  • Rule #4 is the auto-added rule for the MTA traffic. Rule #6 is the default Drop All rule that was on the XG when I started it up.

    Rule #4:

    Rule #6:

  • Where am I supposed to see what is happening on the diagnostics page? All I see is the ping feature, and it doesn't show up in the firewall log. Neither does a continuous ping from my desktop through the XG to the switch on the VLAN. Even when I enter the destination IP as a filter in the log, nothing shows up. When I traceroute from my desktop it is clearly going through the XG to get to the switch on the VLAN.

  • Your first two lines are groups that have three rules between them. Any of these three rules could be routing from LAN to DMZ. Just because you have Rule #5 turned off doesn't mean that rules #4, #6, and #7 can't be routing, hence emmosophos' question. Your #6 screen capture is a mistake and doesn't show the details of rule #6. Rule #4 appears to cover only SMTP traffic, but it is Any-Any, so if you send SMTP traffic from your LAN to an address that the XG knows is in the DMZ, it will of course forward it.

    Rules #6 and #7 could also be Any-Any and if they don't otherwise narrow down their scope (port, time, etc) they'll route all traffic from LAN to DMZ if the destination address is known by the XG to be in the DMZ.

    If you know the source or the destination machine (or both), you can use packet capture with the appropriate filter to capture the packets you think should not be routing to the DMZ and then check which rule was routing them.
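The reply above comes down to two facts about how an XG rule table is read: rules are evaluated top-down and the first enabled rule that matches wins, and a disabled rule is simply skipped rather than blocking anything. The following Python model is an added example, not code from the thread or from Sophos; the rule set, zone names, service definitions and the unmatched-traffic behaviour (treated here as an implicit drop) are constructed to mirror the thread's scenario, not the poster's real configuration. It shows why LAN-to-DMZ SMTP is forwarded by an Any-Any MTA rule even with the LAN-to-DMZ rule off, and why the position of a Drop All rule relative to a later Any-Any allow decides what else gets through.

```python
"""First-match firewall rule evaluation, in the style of an XG rule table.

Constructed example: rule numbers, names, zones, services and the rule sets
below are illustrative and are not the thread poster's configuration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = "ANY"


@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    proto: str       # "tcp", "udp" or "icmp"
    dst_port: int    # 0 for protocols without a port


@dataclass(frozen=True)
class Rule:
    number: int
    name: str
    enabled: bool
    action: str              # "accept" or "drop"
    src_zones: frozenset     # {ANY} or a set of zone names
    dst_zones: frozenset
    services: frozenset      # {ANY} or a set of (proto, dst_port) tuples

    def matches(self, pkt: Packet) -> bool:
        """Zone and service matching only; a disabled rule never matches."""
        if not self.enabled:
            return False
        if ANY not in self.src_zones and pkt.src_zone not in self.src_zones:
            return False
        if ANY not in self.dst_zones and pkt.dst_zone not in self.dst_zones:
            return False
        return ANY in self.services or (pkt.proto, pkt.dst_port) in self.services


def first_match(rules: List[Rule], pkt: Packet) -> Optional[Rule]:
    """Return the first enabled rule that matches, walking the table top-down.
    None means no rule matched (assumed here to be an implicit drop)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule
    return None


def explain(rules: List[Rule], pkt: Packet) -> List[Tuple[int, str]]:
    """Per-rule verdict in table order, so you can see why a rule was or was
    not the one that handled the packet."""
    out, decided = [], False
    for rule in rules:
        if decided:
            out.append((rule.number, "not evaluated"))
        elif not rule.enabled:
            out.append((rule.number, "disabled"))
        elif rule.matches(pkt):
            out.append((rule.number, f"MATCH {rule.action}"))
            decided = True
        else:
            out.append((rule.number, "no match"))
    return out


def _rule(num, name, enabled, action, src, dst, services):
    return Rule(num, name, enabled, action, frozenset(src), frozenset(dst), frozenset(services))


SMTP = {("tcp", 25), ("tcp", 465), ("tcp", 587)}

# Constructed table: #5 is the disabled LAN->DMZ rule from the thread; #4 is an
# Any-Any rule scoped to SMTP; #6 is a Drop All; #7 is a hypothetical Any-Any allow.
RULES = [
    _rule(4, "MTA auto rule", True, "accept", {ANY}, {ANY}, SMTP),
    _rule(5, "LAN to DMZ", False, "accept", {"LAN"}, {"DMZ"}, {ANY}),
    _rule(6, "Drop All", True, "drop", {ANY}, {ANY}, {ANY}),
    _rule(7, "Any-Any allow", True, "accept", {ANY}, {ANY}, {ANY}),
]

# Same rules with the Any-Any allow moved above the Drop All.
REORDERED = [RULES[0], RULES[1], RULES[3], RULES[2]]

if __name__ == "__main__":
    for pkt in (Packet("LAN", "DMZ", "tcp", 25),
                Packet("LAN", "DMZ", "tcp", 80),
                Packet("LAN", "DMZ", "icmp", 0)):
        hit = first_match(RULES, pkt)
        print(pkt, "->", f"#{hit.number} {hit.name} ({hit.action})" if hit else "implicit drop")
        print("   ", explain(RULES, pkt))
    hit = first_match(REORDERED, Packet("LAN", "DMZ", "tcp", 80))
    print("reordered tcp/80 ->", f"#{hit.number} {hit.name} ({hit.action})")
```

Running it shows LAN-to-DMZ tcp/25 handled by #4 with #5 reported as "disabled" rather than as a block, tcp/80 and ICMP stopped at the Drop All in #6 so that #7 is never evaluated, and tcp/80 accepted by #7 once that rule sits above the Drop All. That last case is the one the reply warns about: a broad allow below the Drop All does nothing, but one above it forwards everything between any two zones the XG can route.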

  • Hello Mark,

    Thank you for the feedback.

    Sorry, I thought I had included the link to the KB on how to use Packet Capture on the XG.

    Regards,