
Automatic rules order

Hi,

I think I'm missing something obvious here, but cannot fathom it.

How can I re-order the automatic rules so I can apply filtering from top down?

It seems that no matter what order I change my NAT/DNAT rules to, when I look under Network Protection>Firewall and then select 'Automatic Firewall Rules' the last DNAT rule created goes to the bottom of the automatic firewall rules list.

If I then change the DNAT rule order, it does not seem to affect the automatic rule order.

Whatever DNAT rule I created last, places the automatic firewall rule at the bottom of the list.

I understand that the firewall rules run from top to bottom and that automatic rules take precedence over manually/user created firewall rules.

I also note that user created firewall rules can be edited to change their position BUT I cannot do that with automatic rules.

So, what am I missing? I'd have thought that changing the order of my DNAT rules would change their corresponding automatic firewall rules in the list.

Anybody able to shed light on what I'm clearly missing?

Do I have to systematically disable all DNAT rules bringing them back up in the order?

Should I just remove the automatic rule from the DNAT and simply add them manually as user created rules to which I can control the order?

I'm using Sophos Home release 9.309-3 btw.

Many thanks.


This thread was automatically locked due to age.
  • Hi, lad33, and welcome to the User BB!

    I'd have thought that changing the order of my DNAT rules would change their corresponding automatic firewall rules in the list.

    I can't think how changing the order of automatic firewall rules for NAT rules would have any effect on functionality or results. What have you seen that made you concerned?

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    Thanks for the intro and reaching out.

    Like I say, I may be clutching at the wrong straw here, but from what I've noted, the guides state that firewall rules run from the top down.

    So, scenario, I wanted to create a rule that stops IPsec traffic reaching my VPN server (situated behind the UTM) from a specific IP.

    I've scanned the forum and spotted the post mentioned about creating a black hole within DNAT to send the traffic to a duff IP.

    That's great, but when I create that DNAT it sticks the automatic firewall rule at the bottom of the automatic firewall rules list.

    So my existing DNAT rule that sends traffic to my VPN server (which appears higher in the list) forwards all traffic to the server.

    The only way I can think of to stop that from happening is to disable the DNAT rules and then re-apply them in the order that makes sure the automatic firewall rules apply in order.

    Does that make sense, am I explaining the issue correctly?

    Thanks.
  • The answer is to put the blackhole DNAT above the DNAT to your server - NAT rules also are processed in order.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    That's my problem. If I put my new DNAT rule higher, the automatic firewall rule remains at the bottom of the list.

    And it appears that the rules work in the order listed in the firewall rules list - automatic rules first then manual/user rules after.

    Can I just double check, are you saying that DNAT rules should run in order, then automatic rules, then manual?

    Thanks.
  • Hi,

    I found a way to change the order of automatic rules from NAT definitions. If you disable and re-enable the NAT rule, the automatic firewall rule moves to the bottom of the list. Not the ideal way, but manageable to a degree.

    Regards

    Damien

  • Good trick, Damien, and welcome to the UTM Community!

    I think the difference is only cosmetic though. Automatic rules are not processed in sequence.

    The traffic is captured by the selector in the first DNAT, and the relevant firewall rule is applied immediately. In the past, the automatic rules weren't even visible because of this. They are now so that the admin can make a "log" selection on a rule.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
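The first-match behaviour Bob describes in the replies above (the first DNAT whose selector captures the packet wins, and the position of its automatic firewall rule in the list is cosmetic) as an added Python simulation. This is example code written for this thread, not Sophos UTM code; it assumes UTM evaluates the DNAT table top-down, first match wins, as the replies state. All addresses (WAN_IP, VPN_SERVER, BLACKHOLE, BLOCKED_SRC, the client address) are constructed from documentation and private ranges.

```python
"""Simulation of first-match DNAT processing.

Added example, not Sophos UTM code. Addresses are constructed
(RFC 5737 documentation ranges for public IPs, RFC 1918 for the LAN).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

WAN_IP = "203.0.113.10"       # constructed: the UTM's external address
VPN_SERVER = "10.0.0.5"       # constructed: IPsec server behind the UTM
BLACKHOLE = "10.0.0.254"      # constructed: unused LAN address used as a sink
BLOCKED_SRC = "198.51.100.7"  # constructed: source that must not reach the server


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "udp", "tcp" or "esp"
    dport: Optional[int]  # None for protocols without ports (ESP)


@dataclass(frozen=True)
class DnatRule:
    name: str
    src_net: str          # CIDR; "0.0.0.0/0" means any source
    dst: str
    proto: str
    dport: Optional[int]  # None matches any port
    translate_to: str
    enabled: bool = True

    def matches(self, pkt: Packet) -> bool:
        """Selector check: source network, destination, protocol and port."""
        return (
            ip_address(pkt.src) in ip_network(self.src_net)
            and pkt.dst == self.dst
            and pkt.proto == self.proto
            and (self.dport is None or pkt.dport == self.dport)
        )


def apply_dnat(rules: List[DnatRule], pkt: Packet) -> Tuple[Optional[str], str]:
    """Return (name of the winning rule, translated destination).

    The first enabled rule whose selector matches captures the packet; later
    rules are never consulted, so the order of the automatic firewall rules
    list never comes into play.
    """
    for rule in rules:
        if rule.enabled and rule.matches(pkt):
            return rule.name, rule.translate_to
    return None, pkt.dst


# IKE (UDP/500) to the UTM's WAN address from anywhere -> VPN server
server_rule = DnatRule("vpn-server", "0.0.0.0/0", WAN_IP, "udp", 500, VPN_SERVER)
# Same traffic, but only from the blocked source -> blackhole address
blackhole_rule = DnatRule(
    "blackhole", f"{BLOCKED_SRC}/32", WAN_IP, "udp", 500, BLACKHOLE
)

ike_from_blocked = Packet(BLOCKED_SRC, WAN_IP, "udp", 500)
ike_from_client = Packet("192.0.2.44", WAN_IP, "udp", 500)  # constructed legit client


def outcome(rules: List[DnatRule]) -> dict:
    """Where each of the two sample packets ends up under a given rule order."""
    return {
        "blocked": apply_dnat(rules, ike_from_blocked)[1],
        "client": apply_dnat(rules, ike_from_client)[1],
    }


# The original poster's situation: the broad server rule sits first and captures
# everything, so the blackhole rule beneath it is dead.
WRONG_ORDER = outcome([server_rule, blackhole_rule])
# Bob's fix: the specific blackhole rule above the broad server rule.
RIGHT_ORDER = outcome([blackhole_rule, server_rule])

if __name__ == "__main__":
    print("server rule first :", WRONG_ORDER)
    print("blackhole first   :", RIGHT_ORDER)
```

Running the script shows the blocked source reaching the VPN server under the first ordering and the sink address under the second, while the legitimate client is forwarded to the server in both cases; the same model applies to the UDP/4500 and ESP rules a full IPsec forward needs, each of which should have its blackhole counterpart placed above it.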