
UTM 9 ASG Software 9.313-3 blocking allowed traffic

We have about 90 servers behind the affected UTM9, all have an external interface and a dedicated DNAT and SNAT entry to their internal IP. Actually everything is fine, an HA slave is attached.

But sometimes traffic gets dropped even though it's allowed.

For example, some weeks ago I opened traffic for two external networks to an internal host with a packet filter rule; this worked fine. Today I added a new host IP to the allowed group, but traffic from this IP is dropped, see below (IP/MAC addresses changed); traffic from other IPs in that group goes through:

16:48:53 Default DROP TCP 111.222.111.222:56449 -> 192.168.4.150:80 [SYN] len=60 ttl=54 tos=0x00 srcmac=00:00:00:00:00:01 dstmac=00:00:00:00:00:02

We had this issue before, especially with incoming traffic from hosts that are also NATed, and reading BAlfson's rules (I can't find them anymore in the old forum) suggested not attaching the internal IP to the internal network but to "Any". This trick helped once, but not this time.

DNAT and SNAT are any to/from the internal host_IP.
Intrusion Prevention is enabled (drop silently).

Any hints?

  • Hi, IKGAdmin, and welcome to the UTM Community!

    Alone among the logs, the Firewall Live Log presents abbreviated information in a format easier to read quickly. Usually, you can't troubleshoot without looking at the corresponding line from the full Firewall log file. Please post one line corresponding to the one above.

    Cheers - Bob
    PS Links to the Rulz should still work: www.astaro.org/.../49065-rulz.html
  • Thanks for the rulz! So this line? I have now opened port 80 for all IPv4 addresses to let them in and hope to be able to close it down to only the wanted IPs soon.
    Here's the line; is that what you meant?
    2015:11:25-13:12:21 firewallname-1 ulogd[6018]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="lag0" outitf="eth0" srcmac="00:00:00:00:00:01" dstmac="00:00:00:00:00:00" srcip="111.222.111.222" dstip="192.168.4.150" proto="6" length="60" tos="0x00" prec="0x00" ttl="54" srcport="56289" dstport="80" tcpflags="SYN"

    thanks a lot for having a look,
    ikgadmin
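As an added example (not posted by anyone in this thread), here is a small parser for the ulogd packet-filter line quoted above, together with a check that compares the dropped packet against an allow rule of the shape described in the thread (source networks, destination host, TCP services). The sample line is constructed from the post, with its placeholder addresses; the rule values passed in are hypothetical.

```python
import ipaddress
import re

# Constructed sample line in the UTM ulogd packet-filter format quoted in the
# thread (the IP/MAC values are the placeholders used there, not real hosts).
SAMPLE_LINE = (
    '2015:11:25-13:12:21 firewallname-1 ulogd[6018]: id="2001" severity="info" '
    'sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" '
    'fwrule="60002" initf="lag0" outitf="eth0" srcmac="00:00:00:00:00:01" '
    'dstmac="00:00:00:00:00:00" srcip="111.222.111.222" dstip="192.168.4.150" '
    'proto="6" length="60" tos="0x00" prec="0x00" ttl="54" srcport="56289" '
    'dstport="80" tcpflags="SYN"'
)

_HEADER = re.compile(r'^(?P<ts>\S+) (?P<host>\S+) ulogd\[\d+\]: (?P<body>.*)$')
_KV = re.compile(r'(\w+)="([^"]*)"')


def parse_ulogd_line(line):
    """Split a ulogd packet-filter line into a dict of its key="value" fields."""
    m = _HEADER.match(line.strip())
    if not m:
        raise ValueError("not a ulogd packet-filter line")
    rec = {"timestamp": m.group("ts"), "host": m.group("host")}
    rec.update(_KV.findall(m.group("body")))
    return rec


def explain_mismatch(rec, sources, dest, tcp_ports):
    """Return the reasons a logged packet does NOT fit an allow rule given as
    (source networks, destination host, allowed TCP ports). An empty list means
    the packet fits the rule as written, so the drop must come from elsewhere
    (rule order, a NAT interaction, IPS); a non-empty list names the field
    that excluded it. Rule values are hypothetical inputs, not UTM config."""
    reasons = []
    src = ipaddress.ip_address(rec["srcip"])
    if not any(src in ipaddress.ip_network(n, strict=False) for n in sources):
        reasons.append(f"srcip {src} is not in any source network of the rule")
    if ipaddress.ip_address(rec["dstip"]) != ipaddress.ip_address(dest):
        reasons.append(f"dstip {rec['dstip']} is not the rule destination {dest}")
    if rec.get("proto") != "6" or int(rec.get("dstport", 0)) not in tcp_ports:
        reasons.append(f"proto/port {rec.get('proto')}/{rec.get('dstport')} "
                       "is not one of the rule services")
    return reasons
```

Feeding it the real sources of the two groups shows immediately whether the "many eyes" check missed a network boundary, and the parsed `fwrule`/`initf` fields are the ones to compare with the rule that should have matched.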
  • Can you show the firewall rule details?
  • Hi, Sources are two groups, Services http, https, ssh, and Destination the internal server host address, Action allow, time period always, source MAC addresses none (all defaults). Also the connections from other hosts out of the two groups can access. It's really just one that gets blocked (many eyes checked the IP). thanks & cheers
  • I'm a little confused that you have a lag for your WAN interface - why is that?

    Agreed with InformaticaOostkamp - please click on 'Use rich formatting' and show us a picture of the Edit of your Firewall rule with the Host definition for 192.168.4.150 also open in Edit mode with 'Advanced' also open.

    Cheers - Bob

  • I wanted to have more throughput and so added two hardware NICs of the firewall to a lag0 and get 2 GBit/s instead of just 1 GBit/s with so many machines behind it.

    Here are the screenshots. With the rule, most IPs from the two groups just go through as expected. Just one doesn't.

    cheers and thanks

  • All I can tell you is that the packet didn't qualify for your firewall rule. There's so much obfuscated here that I really can't put the puzzle together.

    Cheers - Bob