Guest User!

You are not Sophos Staff.

Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 14 replies
  • Answers 1 answer
  • Subscribers 29 subscribers
  • Views 2818 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Traffic allowed although rule specifies "drop" - or log entry is incorrect / misleading ?

Volker Bandke

Hello from Germany,

I am trying to wrap my brain aroud the following situation:

  1. I have a rule that allows access to an NTP server to anybody  (# 61, rule says ACCEPT, see below)
  2. I have IP Cameras which should not be allowed to reach outside of the LAN (# 62, rule says DROP, see below)
  3. I have placde the IP-Camera rule below the TIMESERVICES rule
  4. I expect everything to be dropped now (except NTP of course)., but looking at the log for rule # 62 I see

Rule #62 allows traffice on TCP 80 and TCP 443.

Now, the "out interface " shows up empty - of course this is not covered by rule # 62.   What is really happening, or better, what is not happening (like traffic going to China)

With beste regards

Volker

IP Host entry for bspc0030:

IP Host group used in IP-Camera rule

IP-Camera rule

Rules in LAN-TO-WAN group



This thread was automatically locked due to age.
Parents Reply
  • 0 in reply to LuCar Toni

    Thank you!   This does explain the symptoms I‘ve been seeing, and I just confirmed tHat there are matching entries in the wegfeiltet ( I wonder what Autocorrect was thinking here, thIs should have been „webfilter“) log.  Anyhow, I still think the status „ALLOWED“ in the firewall log is misleading or even an error. Slight smile

    With best regards from Germany

    Volker

Children
  • 0 in reply to Volker Bandke

    Hello Volker,

    Adding to what has been mentioned in this post, if you do a conntrack on the console of the XG for this connection what does conntrack shows?

    What firmware version are you using?

    Regards,

  • 0 in reply to emmosophos

    Good morning Emmanuel,,

    I did conntrack -L -s 192.168.1.247 -d

    and got

     SFVH_SO01_SFOS 18.5.1 MR-1-Build326# conntrack -L -s 192.168.1.247 -d 47.112.127 .239                                                                             proto=tcp      proto-no=6 timeout=5 state=CLOSE_WAIT orig-src=192.168.1.247 orig -dst=47.112.127.239 orig-sport=35103 orig-dport=443 packets=4 bytes=216 reply-sr c=192.168.1.1 reply-dst=192.168.1.247 reply-sport=3128 reply-dport=35103 packets =3 bytes=132 [ASSURED] mark=0x8001 use=3 id=4304640 masterid=0 devin=Port1 devou t= nseid=0 ips=0 sslvpnid=0 webfltid=2 appfltid=0 icapid=0 policytype=1 fwid=62  natid=2 fw_action=0 bwid=0 appid=0 appcatid=0 hbappid=0 hbappcatid=0 dpioffload= 0 sigoffload=0 inzone=1 outzone=2 devinindex=5 devoutindex=0 hb_src=0 hb_dst=0 f lags0=0x80020000208008 flags1=0x40040000048 flagvalues=3,15,21,41,55,67,70,94,10 6 catid=84 user=0 luserid=0 usergp=0 hotspotuserid=0 hotspotid=0 dst_mac=00:e0:6 7:2a:88:d8 src_mac=00:62:6e:58:85:94 startstamp=1634092152 microflow[0]=INVALID  microflow[1]=INVALID hostrev[0]=0 hostrev[1]=0 ipspid=0 diffserv=0 loindex=6 tls ruleid=0 ips_nfqueue=0 sess_verdict=0 gwoff=0 cluster_node=0 current_state[0]=12 1 current_state[1]=121 vlan_id=0 inmark=0x0 brinindex=0 sessionid=484 sessionidr ev=47623 session_update_rev=0 dnat_done=0 upclass=0:0 dnclass=0:0 pbrid_dir0=0 p brid_dir1=0 conn_fp_id=NOT_OFFLOADED 

    The firmware is SFVH (SFOS 18.5.1 MR-1-Build326)   



    error correction
    [bearbeitet von: Volker Bandke um 2:52 AM (GMT -7) am 13 Oct 2021]
  • 0 in reply to Volker Bandke

    Thats the expected behavior. You see the proxy is intercepting this traffic by the port redirect to 3128. This is to give the user a block page in the end of the connection instead of just block the traffic. 

    From a user perspective, he will get a block page, not only a connection refused in browser.

  • 0 in reply to LuCar Toni

    Yes, I understood that part.  Of course, in this particular case the behavior is less than perfect Disappointed.   These are IP-Cameras, which are used in a surveillance system.  The rules are set up in such a way, that, except for port 123 for NTP requests, they may not reach out to the WAN..  of course, they try- using HTTPS to some website living in China.  And the camera couldn‘t care less it it gets sent a „blocked“ page Slight smile

    That‘s where my alarm bell starts ringing when I see „ALLOWED“ in the firewall log.  The message is at least misleading… 

  • +1 in reply to Volker Bandke

    Hello Volker,

    Thank you for the information. 

    As mentioned by Luca, this is currently expected, but I do agree that is misleading.

    Searching internally I found a case similar to yours, they’re still currently looking into it, and seeing what changes would need to be done in the architecture of the SFOS to fix this.

    Regards,

  • 0 in reply to emmosophos

    Good evening, Emmanuel,

    Thanks - knowing where the reefs and shallows  are allows me to circumvent them Slight smile. Not as good as no reefs at all, but a situation I can live with quite comfortably