Traffic allowed although rule specifies "drop" - or log entry is incorrect / misleading ?

Hello from Germany,

I am trying to wrap my brain around the following situation:

  1. I have a rule that allows access to an NTP server to anybody (# 61, rule says ACCEPT, see below)
  2. I have IP Cameras which should not be allowed to reach outside of the LAN (# 62, rule says DROP, see below)
  3. I have placed the IP-Camera rule below the TIMESERVICES rule
  4. I expect everything to be dropped now (except NTP of course), but looking at the log for rule # 62 I see

Rule #62 allows traffic on TCP 80 and TCP 443.

Now, the "out interface" shows up empty - of course this is not covered by rule # 62. What is really happening, or better, what is not happening (like traffic going to China)?

With best regards

Volker

IP Host entry for bspc0030:

IP Host group used in IP-Camera rule

IP-Camera rule

Rules in LAN-TO-WAN group

  • That's the expected behavior. You see, the proxy is intercepting this traffic by the port redirect to 3128. This is to give the user a block page at the end of the connection instead of just blocking the traffic.

    From a user perspective, he will get a block page, not only a connection refused in the browser.
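Luca's explanation above means the firewall log's ALLOWED line is only half the story for intercepted web traffic: the real verdict lives in the web-filter log. The following is an added example (not from this thread or from Sophos) that correlates the two over constructed sample lines in a generic key=value layout; it treats an allowed TCP 80/443 entry with an empty out interface as proxy-intercepted, an assumption taken from the original post, not a documented SFOS field semantic.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines (generic key=value layout, not Sophos' real log format).
FIREWALL_LOG = """\
ts=2023-05-01T10:00:01 log_type=Firewall status=Allow fw_rule_id=62 src_ip=192.168.10.31 dst_ip=203.0.113.5 dst_port=443 proto=TCP out_interface=
ts=2023-05-01T10:00:02 log_type=Firewall status=Allow fw_rule_id=61 src_ip=192.168.10.31 dst_ip=203.0.113.123 dst_port=123 proto=UDP out_interface=Port2
ts=2023-05-01T10:00:05 log_type=Firewall status=Allow fw_rule_id=62 src_ip=192.168.10.32 dst_ip=198.51.100.9 dst_port=80 proto=TCP out_interface=
"""
WEB_LOG = """\
ts=2023-05-01T10:00:01 log_type=Web status=Denied src_ip=192.168.10.31 dst_ip=203.0.113.5 url=https://203.0.113.5/ category=Blocked
"""

KV = re.compile(r"(\w+)=(\S*)")
WEB_PORTS = {"80", "443"}


def parse(line):
    """Turn one key=value line into a dict; empty values (out_interface=) become ''."""
    return dict(KV.findall(line))


def effective_verdicts(fw_lines, web_lines, window=timedelta(seconds=5)):
    """One record per firewall 'Allow' on a web port whose out_interface is empty
    (assumed: intercepted by the transparent proxy), carrying the verdict the web
    filter actually applied, or 'unresolved' if no web-filter event matched in time."""
    web = [parse(l) for l in web_lines.splitlines() if l.strip()]
    out = []
    for line in fw_lines.splitlines():
        e = parse(line)
        if not e or e.get("status") != "Allow" or e.get("dst_port") not in WEB_PORTS:
            continue
        if e.get("out_interface"):  # left the box directly: firewall verdict is final
            continue
        t = datetime.fromisoformat(e["ts"])
        match = next((w for w in web
                      if w["src_ip"] == e["src_ip"] and w["dst_ip"] == e["dst_ip"]
                      and abs(datetime.fromisoformat(w["ts"]) - t) <= window), None)
        out.append({"src_ip": e["src_ip"], "dst_ip": e["dst_ip"], "dst_port": e["dst_port"],
                    "fw_rule_id": e["fw_rule_id"],
                    "verdict": match["status"].lower() if match else "unresolved"})
    return out


if __name__ == "__main__":
    for rec in effective_verdicts(FIREWALL_LOG, WEB_LOG):
        print(rec)
```

An "unresolved" record is the one worth alerting on: the firewall said allow, the proxy took the connection, and no filter verdict was logged for it.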

  • Yes, I understood that part. Of course, in this particular case the behavior is less than perfect. These are IP-Cameras, which are used in a surveillance system. The rules are set up in such a way that, except for port 123 for NTP requests, they may not reach out to the WAN. Of course, they try, using HTTPS to some website living in China. And the camera couldn't care less if it gets sent a "blocked" page.

    That's where my alarm bell starts ringing when I see "ALLOWED" in the firewall log. The message is at least misleading…

  • Hello Volker,

    Thank you for the information. 

    As mentioned by Luca, this is currently expected, but I do agree that is misleading.

    Searching internally I found a case similar to yours, they’re still currently looking into it, and seeing what changes would need to be done in the architecture of the SFOS to fix this.

    Regards,

  • Good evening, Emmanuel,

    Thanks - knowing where the reefs and shallows are allows me to circumvent them. Not as good as no reefs at all, but a situation I can live with quite comfortably.