
How to replicate UTM rule to redirect DNS, NTP to internal server?

I'm trying to match my UTM9 setup on a test XG system.  Hit a blocker...

I have a forwarding rule in UTM which catches traffic to destination "Any IPv4" on the NTP & DNS ports and redirects it to the UTM's LAN address.  It's there to stop unnecessary external connections from IoT devices and also to prevent people circumventing any restrictions I impose via DNS lookups.

I can't seem to make this work in XG - there's no "any" destination and trying to create it as (0.0.0.0/0.0.0.0) raises an error.  Can anyone advise how I can replicate my UTM rule?

Thanks!



  • Hi,

    Can you show us a picture of the configuration on UTM, I am not able to understand what exactly are you trying to explain?

    Thanks

  • I'll try to post a screengrab or something later - can't access my UTM right now.

    The aim is to catch attempts to access external DNS services and redirect them to the UTM/XG's DNS service instead.  Same with NTP.

    Written down, the UTM rule would say this:

    - for traffic from LAN

    - using service DNS

    - going to Internet IPv4

    - change destination to UTM's LAN IP address

    Thanks!

  • Hi Jeff,

    To replicate this, you need to create a Non-HTTP Business Application rule that would supersede (top) the others with the following setup:

    -Source Zone: LAN

    -Allowed Client Networks: Any (Or a network definition of your subnet)

    -Destination Host/Network: Create an IP Range of 0.0.0.1-255.255.255.254

    -Forward type: Port/Port list (NTP & DNS/NTP/DNS)

    -Protocol: DNS can be both TCP and UDP, but is primarily UDP

    -Protected Server: Create an IP Host object for the internal IP Address of the XG

    -Mapped Port Type: Match the configuration of forwarding if it's not auto done for you

    -Protection zone: LAN

    Creating an IPS rule for DNS and NTP wouldn't hurt and you shouldn't need to rewrite source addressing and you won't need to create a reflexive rule.

    This should do it, hope that helps!

    Emile

  • A bit more complex than UTM, then!  ;-)


    Thanks Emile, I appreciate your help.  I'll give that a go :-)

  • Hi Jeff,

    Ha ha, it is a teensy bit because in the majority of cases the XG is combining multiple spread out systems on the UTM into one area which means some things get streamlined, others get complex, ha ha!

    If you have any problems, let us know and provide a screenshot of your rule set up and information from logs (if any) and we will see if we can resolve :)

    Emile

  • I tried this and the XG Firewall gave me an error stating that "An IP range was used as the destination.  So an IP range is required for the Protected Server."  This makes no sense to me.  Why can't I redirect traffic heading to any IP to a single IP?

    I'm trying to redirect NTP requests to a server I've had to set up because the XG doesn't have an NTP server.  What a giant pain that is!

    So instead of an IP range in the destination, I used the internal IP address of the XG Firewall and port 123.  I forward this to the IP of my internal NTP server with the same port.  Not sure if this is working yet....

    Thanks.

  • If it helps...  that's my NTP-catching rule in the image.  ntp.boolie.net is an internal linux box (well, a Raspberry Pi actually!) running ntpd.


    And yes, I agree it would be lovely to have ntp service back on the UTM, another thing we lost between UTM9 and XG.

  • Thanks Jeff.

    I am sure that NTP server will be added soon inside the XG.

    Please vote the feature request:

    http://ideas.sophos.com/forums/330219-sophos-xg-firewall/suggestions/10813476-xg-as-ntp-server

    Thanks to all!

  • Many thanks Jeff,

    My setup was nearly identical other than my Source was "LAN" and my Allowed Clients was also "LAN".  I've revised mine to match yours.  Fingers crossed...
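
A quick way to confirm that the catch-all DNS rule Emile describes is actually rewriting traffic, as an added example that is not part of any post in this thread: from a LAN host, send a plain DNS query to an external resolver for a name that only the internal resolver knows (ntp.boolie.net from Jeff's post is the kind of name meant). The external resolver address and the internal-only name are assumptions; if the answer still comes back with records, the firewall redirected the query to the internal DNS.

```python
"""Check from a LAN host whether outbound DNS is transparently redirected."""
import socket
import struct


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS A/IN query with the recursion-desired flag set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode() for label in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_response(resp: bytes, txid: int = 0x1234) -> tuple:
    """Return (rcode, answer_count) from a raw DNS response header."""
    if len(resp) < 12:
        raise ValueError("short DNS response")
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    return flags & 0x000F, ancount  # low 4 bits of flags are the RCODE


def redirect_in_effect(external_resolver: str, internal_only_name: str,
                       timeout: float = 2.0) -> bool:
    """True if an external resolver 'answers' an internal-only name.

    Because the DNAT rule rewrites the destination to the firewall's DNS,
    the reply's source is translated back to `external_resolver`, so the
    only observable difference is whether the internal-only name resolves.
    """
    query = build_query(internal_only_name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (external_resolver, 53))
        try:
            resp, _ = sock.recvfrom(512)
        except socket.timeout:
            return False  # nothing answered: redirect absent or DNS blocked
    rcode, ancount = parse_response(resp)
    return rcode == 0 and ancount > 0


if __name__ == "__main__":
    # Assumed values: 1.1.1.1 as a public resolver, ntp.boolie.net as a
    # name that exists only on the internal DNS.
    print("redirect in effect:", redirect_in_effect("1.1.1.1", "ntp.boolie.net"))
```

Pick a name that the public resolver cannot know; if it resolves publicly too, the check gives a false positive.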

