Firewall Not stopping OUTSIDE connections

I have a big problem: the firewall is not stopping the outside world from using my proxy to resolve their internet requests.

I have to create a rule on our MikroTik router in order to mitigate the flood of incoming requests. Where on the XG do we apply this?

These are all my firewall rules:



  • Hi Gavin,

    We would like to know more about your network layout.

    Are you using XG as a proxy server?

    For the proxy, is the system that initiates the connections to be regulated in the LAN or the WAN? (Although you cannot use XG as a proxy for WAN connections.)

    If you are referring to DoS settings then you may set them under

    Intrusion Prevention > DoS & Spoof Protection > DoS Settings

    Thanks and regards,
    Aditya Patel | Network and Security Engineer.

  • Using XG SFOS 16.01.0

    as a gateway with 2 network cards: Port1 192.168.0.6, Port2 192.168.69.10.

    Port2 is fed by a MikroTik router with all requests to Port1 "for RDP sessions", which then get routed to the internal network on the LAN.

    DoS is turned on,

    but for some reason the outside is using the XG like a proxy server to resolve their internet requests. I had to create a FORWARD / DROP rule on our MikroTik, which has the main supply of internet.

  • Hi Gavin,

    Are you using an MPLS line? Since you have created a WAN to LAN rule with Any services, this would not restrict any connection from WAN to communicate with the LAN network. If you wish to continue this setup then instead of Any service you may create a service TCP:3389 and replace ANY with it.

    If you wanted to configure port forwarding then you may need to create a Business rule instead of a Network/User rule.

    You may also create a rule on XG to block the request, but if you could specify the rule parameters with specifics then your issue should be resolved.

    Thanks and regards,

    Aditya Patel | Network and Security Engineer.

  • Port forwarding isn't my problem...

    I have a Cisco router with fiber which has a range of external IPs at my disposal.

    Then it links to my MikroTik router, which is "bonded" to 2 other internet services for failover, which then gives me an always-on internet gateway of 192.168.0.1 and 192.168.69.1.

    Now on to my XG, which has a DMZ zone of 192.168.69.10 -> gateway = 192.168.69.1, and a LAN zone on 192.168.0.6.

    The MikroTik forwards ALL ports to 192.168.0.6; this is so that I can manage the port redirects on the XG.

    Back to my problem: for some reason the XG allowed the outside world (WWW) to use the XG's proxy "3128" to resolve external requests, which flooded my connection, and I want to know

    how to block this access, which I would have thought it had some default rule for, to be honest.

    So back to the MikroTik: I had to create a rule "forward chain / DROP" which stopped all outsiders from accessing the XG's proxy gate, but this caused some other problems, minor but very irritating.

    So I need to fix the XG rules so that it CANNOT be accessed from the outside to resolve outside requests...

    It's as if the XG installed an OPEN proxy??? Why???

  • Hi Gavin,

    As mentioned earlier, if you have a WAN interface you cannot use XG as a web proxy unless it is forwarded to a LAN system. In your rule you have allowed all ports to communicate with your LAN from the WAN zone. We would advise you to allow only the necessary ports or block port 3128.

    Could you also take tcpdumps and test the connection? E.g. if your WAN interface is on Port B then

    console> tcpdump interface PortB 'port 3128'

    Thanks and regards,

    Aditya Patel | Network and Security Engineer.
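As an added example, not part of this thread or of Sophos' own tooling: a small Python triage script that reads numeric tcpdump lines like the capture suggested above and counts, per non-internal source address, the connection attempts to the proxy port 3128, so a defender can confirm whether the WAN-to-LAN Any rule is still exposing the proxy. The /24 masks for the LAN and DMZ ranges and the sample capture are assumptions constructed for the example.

```python
import ipaddress
import re
from collections import Counter

# Internal ranges taken from the thread; the /24 masks are an assumption.
INTERNAL_NETS = [
    ipaddress.ip_network("192.168.0.0/24"),   # LAN side, XG Port1 192.168.0.6
    ipaddress.ip_network("192.168.69.0/24"),  # DMZ side, XG Port2 192.168.69.10
]
PROXY_PORT = 3128  # XG web proxy port named in the thread

# Matches a numeric (tcpdump -n) TCP line: "IP src.sport > dst.dport: Flags [S], ..."
FLOW_RE = re.compile(
    r"\bIP (\d{1,3}(?:\.\d{1,3}){3})\.(\d+) > (\d{1,3}(?:\.\d{1,3}){3})\.(\d+): Flags \[([^\]]*)\]"
)

def is_internal(addr: str) -> bool:
    """True if addr falls inside one of the internal ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def external_proxy_clients(lines) -> dict:
    """Count SYNs to the proxy port per non-internal source address.

    Only pure SYNs (Flags [S]) are counted so each attempt counts once;
    SYN-ACK replies from the proxy and internal clients are ignored.
    """
    hits = Counter()
    for line in lines:
        m = FLOW_RE.search(line)
        if not m:
            continue
        src, _sport, _dst, dport, flags = m.groups()
        if flags != "S" or int(dport) != PROXY_PORT:
            continue
        if not is_internal(src):
            hits[src] += 1
    return dict(hits)

# Constructed sample capture (documentation addresses, not real hosts).
SAMPLE_CAPTURE = """\
10:15:01.000001 IP 203.0.113.45.51234 > 192.168.69.10.3128: Flags [S], seq 1, win 64240, length 0
10:15:01.000045 IP 192.168.69.10.3128 > 203.0.113.45.51234: Flags [S.], seq 2, ack 2, win 65160, length 0
10:15:02.000000 IP 192.168.0.25.40022 > 192.168.0.6.3128: Flags [S], seq 3, win 64240, length 0
10:15:03.000000 IP 198.51.100.7.60001 > 192.168.69.10.3128: Flags [S], seq 4, win 64240, length 0
10:15:04.000000 IP 203.0.113.45.51235 > 192.168.69.10.3389: Flags [S], seq 5, win 64240, length 0
10:15:05.000000 IP 203.0.113.45.51236 > 192.168.69.10.3128: Flags [S], seq 6, win 64240, length 0
"""

if __name__ == "__main__":
    for src, n in sorted(external_proxy_clients(SAMPLE_CAPTURE.splitlines()).items()):
        print(f"external proxy client {src}: {n} SYN(s) to port {PROXY_PORT}")
```

Any source listed by the script after the rule change means the proxy port is still reachable from the WAN zone; an empty result on a capture taken during the flood window indicates the new rule is holding.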