Rule #3, Binding An Interface To A Host Definition

In the Rulz, rule #3 states the following.

Rule #3 

Never create a Host/Network definition bound to a specific interface. Always leave all definitions with 'Interface: <<Any>>'. The only known exception began with V9.4 and the introduction of STAS (Sophos Transparent Authentication Suite). The Host definition of the AD domain controller must be bound to the interface for the subnet containing the DC.

I'm curious what the reason is. Behind the scenes what does binding a host definition to an interface do, and if it's problematic why is it an option? What problem(s) does it solve/create?

  • Yes, a little more clarification is welcome here too.

    I think if you bind a host to an interface you get a little gain of security. So no other device could, by spoofing for example, look like this host on another, maybe untrusted, interface.

    I am not sure if this will help you with any kind of routing issues. For example, if you had a DNS server which is only reachable via a specific interface, one would use a multipathing rule. Maybe this should work too?

    Maybe someone has a use case for us.

    Best

    Alex


  • If you need to reconfigure, such as to fail around a bad NIC, it is much easier if the only bound item is the interface address.

    Beyond that, I do not know.

  • One of the underlying technologies is iptables.  If a Network object is bound to an Interface, NAT and Firewall rules will apply to the INPUT chain - see the images at the bottom of the Rulz post.

    #3 and #4 work together - using the "External (Address)" object as the target of incoming traffic is necessary to have a DNAT rule apply to the INPUT chain.  Could you instead use a separate network definition bound to the External interface?  Yes, but why create confusion by not doing things in the "accepted" fashion?

    Remember that WebAdmin is a GUI that manipulates databases of objects and settings.  A single change there can cause the Configuration Daemon to rewrite hundreds of lines of the code used to run the UTM.  If you were assembling rules at the command line like you might have done in the past with a Cisco router, you could have had reason to bind something to an interface (anti-spoofing), but WebAdmin creates a configuration where that's not necessary.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
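A small model of the netfilter path Bob's reply refers to, added here as an illustration and not part of any post in this thread or of Sophos UTM's generated rule set. It models the standard netfilter order (nat/PREROUTING runs before the routing decision; a packet addressed to one of the box's own addresses then goes to filter/INPUT, anything else to filter/FORWARD) and treats an interface-bound definition as an extra `-i <interface>` match on the rule. The interface names, the documentation-range addresses and the rules themselves are constructed for the example. It shows two things the thread discusses: why traffic aimed at the "External (Address)" lands in INPUT unless a DNAT rule has already rewritten the destination, and the anti-spoofing effect Alex mentions, where a rule bound to the internal interface does not match a packet claiming the DC's source address but arriving on the external interface.

```python
"""Toy netfilter traversal (constructed example; not UTM's real rule generation)."""
from dataclasses import dataclass
from typing import Optional

# Constructed topology: eth1 is the external interface, eth0 the internal one.
EXTERNAL_ADDR = "203.0.113.10"          # the box's own address on eth1
LOCAL_ADDRS = {EXTERNAL_ADDR, "10.0.0.1"}  # all addresses that belong to the box
WEB_SERVER = "10.0.0.20"                # internal host behind eth0
DC = "10.0.0.5"                         # domain controller behind eth0
REMOTE = "198.51.100.7"                 # some host on the Internet


@dataclass(frozen=True)
class Packet:
    in_iface: str
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    chain: str                       # "PREROUTING", "INPUT" or "FORWARD"
    action: str                      # "ACCEPT", "DROP" or "DNAT"
    in_iface: Optional[str] = None   # None models 'Interface: <<Any>>'
    src: Optional[str] = None
    dst: Optional[str] = None
    dport: Optional[int] = None
    to: Optional[str] = None         # new destination for a DNAT rule

    def matches(self, pkt: Packet) -> bool:
        # A None field is a wildcard; everything else must match exactly.
        return all(want is None or want == have for want, have in (
            (self.in_iface, pkt.in_iface), (self.src, pkt.src),
            (self.dst, pkt.dst), (self.dport, pkt.dport)))


def traverse(pkt: Packet, rules, local_addrs, policy="DROP"):
    """Return (filter chain used, verdict, final destination) for one packet."""
    # 1. nat/PREROUTING: a DNAT rule rewrites the destination before routing.
    for r in rules:
        if r.chain == "PREROUTING" and r.action == "DNAT" and r.matches(pkt):
            pkt = Packet(pkt.in_iface, pkt.src, r.to, pkt.dport)
            break
    # 2. Routing decision: local destination -> INPUT, otherwise -> FORWARD.
    chain = "INPUT" if pkt.dst in local_addrs else "FORWARD"
    # 3. First matching rule in that filter chain wins; chain policy otherwise.
    for r in rules:
        if r.chain == chain and r.action != "DNAT" and r.matches(pkt):
            return chain, r.action, pkt.dst
    return chain, policy, pkt.dst


def dnat_demo(dport: int):
    """Inbound packet from the Internet to the box's external address."""
    rules = [
        # DNAT 443 on the external address to the internal web server.
        Rule("PREROUTING", "DNAT", dst=EXTERNAL_ADDR, dport=443, to=WEB_SERVER),
        # Allow the rewritten traffic through to the web server.
        Rule("FORWARD", "ACCEPT", dst=WEB_SERVER, dport=443),
    ]
    return traverse(Packet("eth1", REMOTE, EXTERNAL_ADDR, dport), rules, LOCAL_ADDRS)


def spoof_demo(bound: bool):
    """Allow rule for the DC's outbound DNS; 'bound' adds the interface match."""
    rule = Rule("FORWARD", "ACCEPT", in_iface="eth0" if bound else None, src=DC)
    verdicts = {}
    for iface in ("eth0", "eth1"):   # genuine DC traffic vs. a spoofed source on eth1
        verdicts[iface] = traverse(Packet(iface, DC, REMOTE, 53), [rule], LOCAL_ADDRS)[1]
    return verdicts


if __name__ == "__main__":
    print("443 -> external address:", dnat_demo(443))   # DNAT'd, then FORWARD/ACCEPT
    print("22  -> external address:", dnat_demo(22))    # no DNAT, lands in INPUT, dropped
    print("rule bound to eth0:     ", spoof_demo(True))
    print("rule with Interface Any:", spoof_demo(False))
```

Running it shows the 443 packet being rewritten in PREROUTING and accepted in FORWARD, while the port 22 packet to the same address stays local, lands in INPUT and hits the default policy. For the spoofing case, the bound rule accepts the DC only on eth0 and drops the same source address arriving on eth1; the unbound rule accepts both, which is the gap WebAdmin's own anti-spoofing configuration covers so that binding definitions is not needed for it.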