
How to replicate UTM rule to redirect DNS, NTP to internal server?

I'm trying to match my UTM9 setup on a test XG system.  Hit a blocker...

I have a forwarding rule in UTM which catches traffic to destination "Any IPv4" on the NTP & DNS ports and redirects it to the UTM's LAN address.  It's there to stop unnecessary external connections from IoT devices and also to prevent people circumventing any restrictions I impose via DNS lookups.

I can't seem to make this work in XG - there's no "any" destination and trying to create it as (0.0.0.0/0.0.0.0) raises an error.  Can anyone advise how I can replicate my UTM rule?

Thanks!



  • I'll try to post a screengrab or something later - can't access my UTM right now.

    The aim is to catch attempts to access external DNS services and redirect them to the UTM/XG's DNS service instead.  Same with NTP.

    Written down, the UTM rule would say this:

    - for traffic from LAN

    - using service DNS

    - going to Internet IPv4

    - change destination to UTM's LAN IP address

    Thanks!

  • Hi Jeff,

    To replicate this, you need to create a Non-HTTP Business Application rule that would supersede (top) the others with the following setup:

    -Source Zone: LAN

    -Allowed Client Networks: Any (Or a network definition of your subnet)

    -Destination Host/Network: Create an IP Range of 0.0.0.1-255.255.255.254

    -Forward type: Port/Port list (NTP & DNS/NTP/DNS)

    -Protocol: DNS can be both TCP and UDP, but is primarily UDP

    -Protected Server: Create an IP Host object for the internal IP Address of the XG

    -Mapped Port Type: Match the configuration of forwarding if it's not auto done for you

    -Protection zone: LAN

    Creating an IPS rule for DNS and NTP wouldn't hurt and you shouldn't need to rewrite source addressing and you won't need to create a reflexive rule.

    This should do it, hope that helps!

    Emile

  • A bit more complex than UTM, then!  ;-)


    Thanks Emile, I appreciate your help.  I'll give that a go :-)

  • Hi Jeff,

    Ha ha, it is a teensy bit because in the majority of cases the XG is combining multiple spread out systems on the UTM into one area which means some things get streamlined, others get complex, ha ha!

    If you have any problems, let us know and provide a screenshot of your rule set up and information from logs (if any) and we will see if we can resolve :)

    Emile

  • I tried this and the XG Firewall gave me an error stating that "An IP range was used as the destination.  So an IP range is required for the Protected Server."  This makes no sense to me.  Why can't I redirect traffic heading to any IP to a single IP?

    I'm trying to redirect NTP requests to a server I've had to set up because the XG doesn't have an NTP server.  What a giant pain that is!

    So instead of an IP range in the destination, I used the internal IP address of the XG Firewall and port 123.  I forward this to the IP of my internal NTP server with the same port.  Not sure if this is working yet....

    Thanks.

  • If it helps...  that's my NTP-catching rule in the image.  ntp.boolie.net is an internal linux box (well, a Raspberry Pi actually!) running ntpd.


    And yes, I agree it would be lovely to have ntp service back on the UTM, another thing we lost between UTM9 and XG.

  • Thanks Jeff.

    I am sure that NTP server will be added soon inside the XG.

    Please vote the feature request:

    http://ideas.sophos.com/forums/330219-sophos-xg-firewall/suggestions/10813476-xg-as-ntp-server

    Thanks to all!

  • Many thanks Jeff,

    My setup was nearly identical other than my Source was "LAN" and my Allowed Clients was also "LAN".  I've revised mine to match yours.  Fingers crossed...


  • Emile, this idea is logical and it's fine for catching NTP traffic trying to hit the XG machine and redirecting that (as my screenshot shows) but it doesn't work for catching NTP or DNS going outside the LAN, which was the other part of the problem :(

    XG will not allow the protected server to be a single IP when the original destination is a range.

    When I did some more investigation, it seems that XG's UI insists - incorrectly - that the protected server must be an IP range with the same number of addresses as the original destination.  The message "Number of IP addresses in external IP range and modified IP range must match" pops up if one tries to set up something different.

    So presumably it could redirect a single address to another single address, or the whole internet to the whole internet (utterly pointless), but it cannot trap traffic to a range (e.g. the outside world) and redirect it to a single server as needed here.

    Any thoughts?  Mine are that this is a bug and it needs to be fixed!

    I see others have hit the same block: https://community.sophos.com/products/xg-firewall/f/firewall-and-policies/84813/business-application-rule---must-select-an-ip-range-for-protected-server-s-dnat-ntp


    ps - Sorry to be so long getting back to the second part of this - I had other stuff that needed attention more urgently.
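The two posts above (Emile's Business Application rule recipe and Jeff's report of the "Number of IP addresses in external IP range and modified IP range must match" error) describe two different DNAT semantics: the many-to-one redirect the UTM rule performs (any external destination on udp/tcp 53 or udp 123 becomes one internal host) and the address-preserving 1:1 range map the XG UI appears to enforce when both sides are ranges. The model below is an added example written for this page, not Sophos code or a Sophos API; it simply evaluates rules of both kinds against sample packets so the difference is concrete. The addresses (LAN 192.168.1.0/24, firewall LAN address 192.168.1.1, internal NTP host 192.168.1.10) and the exclusion of LAN-internal destinations are assumptions.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import FrozenSet, List, Optional, Sequence, Tuple

IPv4 = ipaddress.IPv4Address

# Constructed addressing (assumptions, not from the thread): LAN 192.168.1.0/24,
# firewall LAN address 192.168.1.1, internal NTP host 192.168.1.10.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
FIREWALL_LAN_IP = IPv4("192.168.1.1")
INTERNAL_NTP_IP = IPv4("192.168.1.10")

# The "any external IPv4" destination range suggested in the thread.
ANY_IPV4 = (IPv4("0.0.0.1"), IPv4("255.255.255.254"))


@dataclass(frozen=True)
class Packet:
    src: IPv4
    dst: IPv4
    proto: str   # "udp" or "tcp"
    dport: int


@dataclass(frozen=True)
class DnatRule:
    src_net: ipaddress.IPv4Network
    protos: FrozenSet[str]
    dports: FrozenSet[int]
    external: Tuple[IPv4, IPv4]   # original destination range, inclusive
    mapped: Tuple[IPv4, IPv4]     # rewritten destination range, inclusive
    one_to_one: bool              # True: address-preserving range map; False: redirect to one host


def range_size(r: Tuple[IPv4, IPv4]) -> int:
    return int(r[1]) - int(r[0]) + 1


def validate(rule: DnatRule) -> None:
    """A 1:1 range map needs equal-sized ranges; a many-to-one redirect needs a
    single mapped address. The first message is the one the thread quotes."""
    if rule.one_to_one and range_size(rule.external) != range_size(rule.mapped):
        raise ValueError("Number of IP addresses in external IP range and modified IP range must match")
    if not rule.one_to_one and range_size(rule.mapped) != 1:
        raise ValueError("many-to-one redirect needs exactly one mapped address")


def apply_rule(rule: DnatRule, pkt: Packet) -> Optional[Packet]:
    """Return the rewritten packet if the rule matches, else None."""
    if pkt.src not in rule.src_net or pkt.proto not in rule.protos or pkt.dport not in rule.dports:
        return None
    if not (rule.external[0] <= pkt.dst <= rule.external[1]):
        return None
    if pkt.dst in LAN_NET:
        # Assumption: traffic already aimed at a LAN host (e.g. the firewall's own
        # resolver) is left alone, like UTM's "Internet IPv4" excluding internal nets.
        return None
    if rule.one_to_one:
        # Keep the offset inside the range: n-th external address -> n-th mapped address.
        new_dst = rule.mapped[0] + (int(pkt.dst) - int(rule.external[0]))
    else:
        new_dst = rule.mapped[0]
    return replace(pkt, dst=new_dst)


def apply_rules(rules: Sequence[DnatRule], pkt: Packet) -> Packet:
    """First matching rule wins, like a top-ordered firewall rule; no match = unchanged."""
    for rule in rules:
        validate(rule)
        out = apply_rule(rule, pkt)
        if out is not None:
            return out
    return pkt


def utm_style_rules() -> List[DnatRule]:
    """The two redirects the thread wants: DNS (tcp+udp/53) to the firewall's own
    resolver, NTP (udp/123) to an internal NTP host, for any external destination."""
    return [
        DnatRule(LAN_NET, frozenset({"udp", "tcp"}), frozenset({53}), ANY_IPV4,
                 (FIREWALL_LAN_IP, FIREWALL_LAN_IP), one_to_one=False),
        DnatRule(LAN_NET, frozenset({"udp"}), frozenset({123}), ANY_IPV4,
                 (INTERNAL_NTP_IP, INTERNAL_NTP_IP), one_to_one=False),
    ]


if __name__ == "__main__":
    rules = utm_style_rules()
    for p in (Packet(IPv4("192.168.1.50"), IPv4("8.8.8.8"), "udp", 53),
              Packet(IPv4("192.168.1.50"), IPv4("198.51.100.7"), "udp", 123),
              Packet(IPv4("192.168.1.50"), IPv4("8.8.8.8"), "tcp", 443)):
        print(p.dst, p.proto, p.dport, "->", apply_rules(rules, p).dst)
    # What an equal-size check permits instead: a 1:1 map of a four-address range.
    r = DnatRule(LAN_NET, frozenset({"udp"}), frozenset({123}),
                 (IPv4("203.0.113.0"), IPv4("203.0.113.3")),
                 (IPv4("192.168.1.100"), IPv4("192.168.1.103")), one_to_one=True)
    print(apply_rules([r], Packet(IPv4("192.168.1.50"), IPv4("203.0.113.2"), "udp", 123)).dst)
```

Running it shows the point of the thread: the many-to-one rules send every outbound 53 and 123 request to one internal host and leave other ports untouched, while the 1:1 form can only translate address-for-address, which is why a whole-Internet external range paired with a single protected server fails the equal-size check.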

  • hi,

    Could you please check the attached configuration. I tried routing NTP traffic to a public NTP server. It's not working. Could you please help with this?

    All I need is to forward the NTP requests to a public NTP server.


    Model: XG450 (SFOS 17.0.5 MR-5)

    Rule Type: Business Application Rule