
Firewall blocks port 80 but HTTP allowed, only one rule

I have one firewall rule enabled. It blocks all outbound except what is needed: DNS, NTP, HTTP, HTTPS, etc.

Getting blocked while trying to update, and the update fails. The firewall reports invalid traffic from an internal IP (random port) to external port 80.

Why is it blocking something going to port 80? Is it filtering it because it's leaving on a non-standard port?

Is there a better way to allow this?



  • Maybe you have to look at the zones in your firewall rule: choose LAN as source zone and WAN as destination zone, and help yourself with the web and application protection to set what you want to block.

  • MattBowles said:
    Firewall reports Invalid traffic from internal ip (random port) to external port 80 

    I am assuming your http traffic is flowing fine, however you are noticing some dropped port 80 invalid traffic in the logs.

    Most of the time it's reset and FIN packets that a stateful firewall sometimes drops. This shouldn't affect your port 80 browsing. You can really look at what exactly the dropped traffic is by following the guide here and following rule 1.

  • Matt,

    can you share the firewall rules you have created?

    Thanks

  • I don't know the best way to display my rules. I have 2, and one is a blanket rule: everything on every service is allowed out (off by default, and on when issues come up).

    The main rule is

    Source Zone = LAN

    Source networks and devices = any

    Destination Zones = WAN

    Destination Networks = Any

    Services = HTTP, HTTPS, ICMP, IMAP, NTP, TCP 2222, POP3, SMTP, SSH, TCP, UDP

  • Hi MattBowles,

    Could you take a packet capture on the console using the command:

    console > drop 'port 80'

    Could you post the output? You may use a notepad and attach it on this forum.

  • Hi Matt,

    Check #1 in my troubleshooting guide here. What do you see in the drop captures? Please show me pictures of the firewall rule configurations and the tcpdump captured on the source host and port 80.

    Thanks

  • Hahaha, that is what I suggested in my post above [:$]. Glad we agree on some things [:D]

  • 2017-03-09 08:42:17 0102021 IP 192.168.XX.99.54323 > 216.XX.XXX.XXX.80 : proto TCP: R 1386169708:1386169708(0) checksum : 7208
    0x0000:  4500 0028 0e57 4000 8006 90c4 c0a8 0163  E..(.W@........c
    0x0010:  d83a c16e d433 0050 529f 456c b8b2 12b2  .:.n.3.PR.El....
    0x0020:  5014 0000 1c28 0000 0000 0000 0000       P....(........
    Date=2017-03-09 Time=08:42:17 log_id=0102021 log_type=Firewall log_component=Invalid_Traffic log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port1 out_dev= inzone_id=0 outzone_id=0 source_mac=80:c1:6e:XX:XX:XX dest_mac=00:1a:8c:XX:XX:XX l3_protocol=IP source_ip=192.168.XX.99 dest_ip=216.XX.XXX.XXX l4_protocol=TCP source_port=54323 dest_port=80 fw_rule_id=0 policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 source_nat_id=0 cluster_node=0 inmark=0x0 nfqueue=0 scanflags=0 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=0 connid=0 masterid=0 status=0 state=0 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A
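
    To make the triage concrete (the earlier reply about stateful firewalls dropping reset/FIN packets, and the drop capture just posted), here is an added Python example that is not from the thread or from Sophos: it rebuilds the packet from the posted hex dump, decodes the TCP flags, and combines them with the posted log fields to tell a rule block from a stateful drop of a stray teardown packet. The classification rules and the field names it relies on (`log_component`, `fw_rule_id`) are assumptions for illustration, taken from the log line above.

```python
# Added example, not from the thread or Sophos: decode the posted drop capture.
# Hex dump copied from the post above; log fields are a subset of its log line.
HEXDUMP = """
0x0000:  4500 0028 0e57 4000 8006 90c4 c0a8 0163  E..(.W@........c
0x0010:  d83a c16e d433 0050 529f 456c b8b2 12b2  .:.n.3.PR.El....
0x0020:  5014 0000 1c28 0000 0000 0000 0000       P....(........
"""
LOG_LINE = ("log_type=Firewall log_component=Invalid_Traffic log_subtype=Denied "
            "l4_protocol=TCP source_port=54323 dest_port=80 fw_rule_id=0")

TCP_FLAG_BITS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH",
                 0x10: "ACK", 0x20: "URG", 0x40: "ECE", 0x80: "CWR"}

def hexdump_to_bytes(dump):
    """Rebuild the raw packet from 'offset:  hex words  ascii' lines."""
    raw = bytearray()
    for line in dump.strip().splitlines():
        hex_words = line.split(":", 1)[1].strip().split("  ")[0]  # stop at ASCII column
        raw.extend(bytes.fromhex("".join(hex_words.split())))
    return bytes(raw)

def decode_ipv4_tcp(pkt):
    """Return the L4 protocol number, TCP ports and decoded TCP flag names."""
    if pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4                 # IP header length in bytes
    total_len = int.from_bytes(pkt[2:4], "big")
    proto = pkt[9]
    info = {"proto": proto, "flags": set()}
    if proto == 6:                            # TCP
        tcp = pkt[ihl:total_len]              # ignore trailing link-layer padding
        info["src_port"] = int.from_bytes(tcp[0:2], "big")
        info["dst_port"] = int.from_bytes(tcp[2:4], "big")
        info["flags"] = {n for bit, n in TCP_FLAG_BITS.items() if tcp[13] & bit}
    return info

def parse_log(line):
    """Key=value log line to a dict (assumes values contain no spaces)."""
    return dict(kv.split("=", 1) for kv in line.split())

def classify_drop(info, log):
    """Rule block, or a stateful drop of a teardown packet with no tracked session?"""
    teardown = bool(info["flags"] & {"RST", "FIN"}) and "SYN" not in info["flags"]
    if log.get("fw_rule_id", "0") != "0":
        return "rule-block: denied by firewall rule " + log["fw_rule_id"]
    if log.get("log_component") == "Invalid_Traffic" and teardown:
        return "stateful-drop: RST/FIN with no tracked session, not a rule block"
    return "unclassified: inspect the capture by hand"
```

    For the posted capture the flag byte decodes to RST+ACK and `fw_rule_id` is 0, so `classify_drop(decode_ipv4_tcp(hexdump_to_bytes(HEXDUMP)), parse_log(LOG_LINE))` reports a stateful drop of a late reset rather than HTTP being blocked by the rule.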

  • Oopsadaisy! I completely skim-read your answer. Happy to see we are walking in the same direction. :)

    Thanks