Today I had another great task:
- We are using the Web Filtering and FTP Proxy.
- The proxy traffic is being processed after NAT but before the firewall rules.
- That means firewall rules which are set to deny traffic between networks known to the UTM (published over static routes or interface networks) will not match, and internal clients which are in the allowed network list for Web Filtering will be able to reach these networks on the allowed ports by the default behaviour.
My first solution was to create a DNAT rule which routes all traffic to the affected networks into a blackhole ... fine so far, but what to do with networks which need to be accessed from other clients? -> No solution
My second attempt was to do URL filtering based on all the IP networks which are known to the UTM. Additionally I included all internal DNS domains which are resolved over DNS Request Routing by my internal DNS server.
Well, the problem for the Web Filtering proxy is solved.
Open tasks:
- The FTP Proxy is still a security hole when it forwards to known networks which should not be reachable by proxy clients.
- The solution with URL filtering is not smooth at all.
- I would like to have the option to set a packet filter rule which denies traffic from the proxy services to certain networks, because I want to use the proxy only for Internet destinations.
- The rule should be placed before the automatic rules for the proxies, but which source object is the right one for proxy traffic?
- I think it must be done over the CLI ... not the biggest problem, but how to make the rule persistent across reboots?
Thanks for any hints and opinions.
Markus
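The workaround described in the post (filter proxy destinations by the IP networks the UTM knows and by the internal DNS domains) boils down to an "Internet destinations only" check on the proxy side. The following is an added example of that check, not code from the post or from the UTM. The network list, the domain list and the DNS answers are constructed for the example; the resolver is passed in as a parameter so the block runs offline. It goes slightly beyond the post in two points a practitioner would want covered: an IPv4-mapped IPv6 literal is unwrapped before the network match, and a public-looking name whose DNS answer points at an internal address is denied too, which a pure name-based URL filter would miss.

```python
import ipaddress
from typing import Callable, List

# Constructed example data (assumptions, not from the original post):
# networks the UTM knows via interface addresses or static routes, and
# internal DNS domains served over DNS Request Routing.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fd00::/8",
)]
INTERNAL_DOMAINS = ("corp.example", "intra.example")

# Constructed DNS answers so the example runs offline.
CONSTRUCTED_DNS = {
    "www.example.org": ["93.184.216.34"],
    "rebind.example": ["192.168.1.10"],   # public name, internal answer
}


def fake_resolver(host: str) -> List[str]:
    """Stand-in for a real resolver (assumption for the example)."""
    return CONSTRUCTED_DNS.get(host.lower().rstrip("."), [])


def is_internal_address(addr: str) -> bool:
    """True if addr lies in a known internal network (raises ValueError if not an IP)."""
    ip = ipaddress.ip_address(addr)
    # ::ffff:10.0.0.5 is the same host as 10.0.0.5; compare the unwrapped form.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_loopback or ip.is_link_local
            or any(ip in net for net in INTERNAL_NETWORKS))


def is_internal_name(host: str) -> bool:
    """True for names under an internal DNS domain or single-label names."""
    h = host.rstrip(".").lower()
    if "." not in h:          # assumption: bare hostnames are internal
        return True
    return any(h == d or h.endswith("." + d) for d in INTERNAL_DOMAINS)


def proxy_destination_allowed(host: str,
                              resolver: Callable[[str], List[str]]) -> bool:
    """Decide whether the proxy may forward to host (Internet destinations only).

    Order of checks: IP literal -> internal domain suffix -> resolved addresses.
    Fails closed when the name does not resolve.
    """
    host = host.strip("[]")   # IPv6 literal as written in a URL
    try:
        return not is_internal_address(host)
    except ValueError:
        pass                  # not an IP literal, treat as a hostname
    if is_internal_name(host):
        return False
    answers = resolver(host)
    if not answers:
        return False
    return not any(is_internal_address(a) for a in answers)


if __name__ == "__main__":
    for dest in ("10.1.2.3", "[::ffff:10.0.0.5]", "intranet.corp.example",
                 "rebind.example", "www.example.org", "2001:db8::1"):
        verdict = "allow" if proxy_destination_allowed(dest, fake_resolver) else "deny"
        print(f"{dest:28} {verdict}")
```

Plugging a real resolver into `proxy_destination_allowed` is what makes the resolved-address check meaningful; a URL filter that only matches names or literal addresses lets a public name with an internal A record through.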