ich habe eine ein öffentliches IP-Netz /28. Daraus hat im Moment ein Linux-Server eine öffentliche IP-Adresse. Dieser Server ist momentan direkt am Router angeschlossen und hat dadurch keinen Schutz durch die UTM/Sophos. Dieses Webserver möchte ich jetzt gern durch die Sicherheit der UTM schützen und ich dachte dies geht durch ARP-Proxy oder irre mich da? Leider habe ich keine Ahnung, wie man diese auf der UTM einrichtet.
Hallo und danke für deine Antwort. Kann ich auch nur bestimmt IP-Adressen durch Proxy-ARP hinter der Firewall schützen? Also ich möchte, dass der Verkehr für bestimmte öffentliche IP-Adressen durch die Firewall der UTM muss. So das ich Server mit öffentlicher IP durch die UTM schützen kann.
(Sorry, my German-speaking brain isn't creating thoughts at the moment. [:(])
Hallo Mathias,
Yes, as mod said, that can be done, but the "cleaner" way to get what you want is to have your ISP route your /28 subnet to the IP on your External interface. Then, WebAdmin does the routing and you need only make a firewall rule to allow the traffic you want to accept.
If you have a subscription that includes Webserver Protection, you will want to put the public IP on the External interface and use private IPs in your DMZ. That will give you maximum protection. Start by putting the public IP on External, the private IP on the server and making a NAT rule like:
DNAT : Internet -> HTTP -> External [Server] (Address) : to Server
To determine how you want to configure the Firewall Profile, first make a Virtual Server with an Additional Address on your Internal interface. Change internal DNS to resolve the FQDN you want to reach to this new address. Now you can test what settings you can use. Once you have the Firewall Profile configured as you want it, change the 'Interface' selection to "External [Server] Address" and disable the DNAT.
MfG - Bob (Bitte auf Deutsch weiterhin.)
Sophos UTM Community Moderator Sophos Certified Architect - UTM Sophos Certified Engineer - XG Gold Solution Partner since 2005
Hi and thanks for your answer . Unfortunately I can not use WAF because operate on the Web many people websites with SSL . I would then always the WAF adapt if customers change their certificate . Can I do that with the ARP proxy as on another website described use ? Which IP gets the internal interface in the DMZ ?
Are you hosting sites for other organizations on these servers? If so, then, yes, they would need to supply you with their certificates. The protection offered by WAF would be a value-add, so your customers would expect to pay for that service.
Bitte auf Deutsch weiterhin.
MfG - Bob
Sophos UTM Community Moderator Sophos Certified Architect - UTM Sophos Certified Engineer - XG Gold Solution Partner since 2005
Yes , only some customers do not want that and do not understand it . Would now like to conclude the issue WAF and try the other way . Unfortunately, there is no documentation to Sophos , so I thought that someone can help me here .
