A great idea to start a discussion on this, Douglas!  The parts up through and including SMTP look good.

How to prevent web proxy users from accessing web servers in specific IP address ranges?

• Use a DNAT address to send traffic for specific outbound address ranges to a dead-end address. Web filtering does not have its own block/allow list based on IP address.

1. In Transparent mode, you can use the 'Transparent Mode Skiplist' with 'Allow HTTP/S traffic for listed hosts/nets' unchecked.  This allows/requires you to make normal firewall rules.  In Standard Mode, the solution would be different, but I don't understand why it would be advantageous to prevent access to "specific IP ranges" instead of to domains, URLs, etc.

How to prevent web proxy users from access web servers with specific reverse DNS entries?

• Create a regular expression and add it to the list to blocked site list within each profile. If the list is long and the number of profiles is large, this may get tedious.

2. I don't understand how this is different from regular Web Filtering.

What are my options for managing FTP?  (Short answer:   I don’t understand.)

• Dead-end DNAT rules will probably be useful for FTP as well.
• Some web sites will provide web links that redirect the user from http to ftp for file downloads. As far as I understand, UTM must be in transparent mode for these links to work at all.   The user cannot predict when or where this might happen, and has no ability to alter the link used.   Consequently, I have never tested non-transparent mode or “Both” mode.   I would be interested in comments.
• The FTP Advanced tab has a box to specify Allowed Servers. My understanding is that this list only applies when using non-transparent mode, which seems to presume use of an FTP Client application.   There is not an equivalent Blocked Servers list.
• The FTP Advanced tab also has a transparent mode skip list. I wonder whether the transparent proxy functions differently when used anonymously from a web browser or transparently from an FTP client application.
• I have discovered that Google Chrome loses NTLM information when a web session switches from http to ftp, so web links that link to an ftp site will work in IE but fail in Chrome. One possible workaround is to create a Web Filtering exception to bypass authentication for URLs matching ftp://.   Naturally, this approach eliminates the ability to control FTP differently for different users, so it may not be tolerable for some sites.  If that is your situation, then users will have to be use a different browser or use one of the alternate authentication methods.

3. Most of this has to do with how the FTP Proxy functions and how to configure it based on choices in Web Filtering and the use of an FTP client instead of discussing how to prevent access based on IP address.  I'm also confused here why we would need to use DNAT to block outbound requests.

Cheers - Bob

Right now, my UTM is behind another firewall.   I had hoped it could become my only firewall, but when I started learning about some of these situations where firewall rules were not enforced, I started to panic that this was never viable.   You assured me that there were workarounds to all of the concerns, so read up on some of your references and then tried to begin a cookbook for all of the likely scenarios where firewall-like functions might be needed even though Firewall Rules were going to be bypassed.  I tried to apply dead-end DNAT rules everywhere that I thought firewall block rules might be desired, but I may have had some overkill.

My firewall, the one in front of UTM, blocks a lot of things based on IP range, largely as a form of country blocking.  UTM's Country Blocking has never appealed to me because it seems impossible to define whether any specific IP address will be allowed or blocked, and once blocked there seemed to be no exception mechanism.   Then this issue with firewall rules added another complication.   If it is part of the firewall, then maybe country blocking will block too little rather than too much.  So I could benefit from clarification here.

I really crave a packet simulation tool -- If a packet arrives at this interface with a specific source and destination address-protocol-port pair, how will it flow through the device?   Where will it get stopped?  Will the reply packet be accepted or rejected?

I am not sure what I was thinking with reverse DNS and Web Filtering, apparently not very clearly.   I do wish UTM had reverse DNS filtering for EMail filteing, and it may be desirable for some blocks on Webserver Protection.  I have to agree that web filtering already has plenty of options for control based on URL, uisng simpler methods than my first post described.

Doug

Packets are filtered

1/. by proxy if enabled

2/. by internal rules (created when using dnat/snat functions

3/. by firewall rules in order down the page.

4/. country blocking does work, but because not all websites are based in their country they will be allowed to pass eg, some .RU sites are based in the US and will therefore have a US IP address.

5/. packets will be accepted, dropped or rejected by your filter configuration.

"some overkill" - Hey, Douglas, just because we're paranoid doesn't mean they aren't out to get us! [;)]

The benefit of Country Blocking is that someone maintains the database of which IPs are in which countries.  I normally only block accesses "From" instead of "All."  There have been issues with Country Blocking Exceptions, so I allow all outbound - perhaps the Exceptions work reliably now but I don't know.  As you noted, blackhole DNATs take care of bad guys in the countries clients do business with.

"I really crave a packet simulation tool" - great idea!  If there's a similar one at Ideas, comment and vote on it and post a link back here.

"I do wish UTM had reverse DNS filtering for EMail filtering" - it does. "... and it may be desirable for some blocks on Webserver Protection" - I don't understand what mechanism might provide this or the potential benefit.

Cheers - Bob

On Reverse DNS for Email:  

I just checked to see if the product had new features which I had missed, and I don't see what I was seeking.  

I posted the request "Block SPAM based on reverse DNS of server" in September 2015.  Here is the link: ideas.sophos.com/.../9689562-block-spam-based-on-reverse-dns-of-server

Sadly it only received 4 votes so far.

On packet simulator:  It has also been requested under these title: "Firewall Rules Packet Simulator" (July 2016, 8 votes)

http://ideas.sophos.com/forums/17359-utm-formerly-asg-feature-requests/suggestions/15081861-firewall-rules-packet-simulator

and "Packet Filter "Test Rule" Button" (from 2009, 18 votes)

http://ideas.sophos.com/forums/17359-utm-formerly-asg-feature-requests/suggestions/359986-packet-filter-test-rule-button

(this entry had a reply with a link to a similar proposal that was probably more detailed, but the link is now broken.)

and "Packet Filtering: Rule-Match Tester" (from 2010, 13 votes)

http://ideas.sophos.com/forums/17359-utm-formerly-asg-feature-requests/suggestions/518757-packet-filtering-rule-match-tester

None of these have any comments from Sophos/Astaro product management.   If the site is actually moderated, I would expect them to post a note indicating that they have identified which requests are similar and direct new votes to whichever entry they consider preferred for vote accumulation.   I did have a Sophos staffer tell me that "features.astaro.com" had been out of use for a long time.    When you encouraged me to post in ideas.sophos.com, I thought that I must have been posting to the wrong site.   But no, it was a different name for the same data, and the old name does appear to have been removed from DNS recently.

So here is the state of the site:  Few ideas have any Sophos comment at all.  Completed topics are not marked as complete so that votes can be returned to the votes.  Votes with high counts are neither formally declined nor implemented.   If Sophos really uses the Ideas site, they don't put much effort into giving evidence of it.  Given the difficulty that I have experienced identifying all good ideas and consolidating similar ones, I would think that they would enhance the site indexing mechanisms simply to make their life easier.  If they really don't pay attention to the Ideas site, then Sophos Support really is sending us into a black hole when they ask us to document an idea.

I actually thought YOU were Sophos staff, Bob.  But I finally paid attention to your signature block and see that you are not Sophos either.   I like the product, but when Sophos support says "this is not a bug, its a feature, so you have to open a feature request", I take that as equivalent to "Just go away, because issue is dead."   If you have any influence on them, ask them to show themselves on the Ideas site.

On packet simulator:  It has also been requested under these title: "Firewall Rules Packet Simulator" (July 2016, 8 votes)

http://ideas.sophos.com/forums/17359-utm-formerly-asg-feature-requests/suggestions/15081861-firewall-rules-packet-simulator

and "Packet Filter "Test Rule" Button" (from 2009, 18 votes)

http://ideas.sophos.com/forums/17359-utm-formerly-asg-feature-requests/suggestions/359986-packet-filter-test-rule-button

(this entry had a reply with a link to a similar proposal that was probably more detailed, but the link is now broken.)

and "Packet Filtering: Rule-Match Tester" (from 2010, 13 votes)

http://ideas.sophos.com/forums/17359-utm-formerly-asg-feature-requests/suggestions/518757-packet-filtering-rule-match-tester

None of these have any comments from Sophos/Astaro product management.   If the site is actually moderated, I would expect them to post a note indicating that they have identified which requests are similar and direct new votes to whichever entry they consider preferred for vote accumulation.   I did have a Sophos staffer tell me that "features.astaro.com" had been out of use for a long time.    When you encouraged me to post in ideas.sophos.com, I thought that I must have been posting to the wrong site.   But no, it was a different name for the same data, and the old name does appear to have been removed from DNS recently.

So here is the state of the site:  Few ideas have any Sophos comment at all.  Completed topics are not marked as complete so that votes can be returned to the votes.  Votes with high counts are neither formally declined nor implemented.   If Sophos really uses the Ideas site, they don't put much effort into giving evidence of it.  Given the difficulty that I have experienced identifying all good ideas and consolidating similar ones, I would think that they would enhance the site indexing mechanisms simply to make their life easier.  If they really don't pay attention to the Ideas site, then Sophos Support really is sending us into a black hole when they ask us to document an idea.

I actually thought YOU were Sophos staff, Bob.  But I finally paid attention to your signature block and see that you are not Sophos either.   I like the product, but when Sophos support says "this is not a bug, its a feature, so you have to open a feature request", I take that as equivalent to "Just go away, because issue is dead."   If you have any influence on them, ask them to show themselves on the Ideas site.

I responded on your rDNS suggestion, Doug, and noted on one of the three in your last post that the three should be merged.

Cheers - Bob