Automatic rules order

Hi,

I think I'm missing something obvious here, but cannot fathom it.

How can I re-order the automatic rules so I can apply filtering from top down?

It seems that no matter what order I change my NAT/DNAT rules to, when I look under Network Protection>Firewall and then select 'Automatic Firewall Rules' the last DNAT rule created goes to the bottom of the automatic firewall rules list.

If I then change the DNAT rule order, it does not seem to affect the automatic rule order.

Whatever DNAT rule I created last, places the automatic firewall rule at the bottom of the list.

I understand that the firewall rules run from top to bottom and that automatic rules take precedence over manually/user created firewall rules.

I also note that user created firewall rules can be edited to change their position BUT I cannot do that with automatic rules.

So, what am I missing? I'd have thought that changing the order of my DNAT rules would change their corresponding automatic firewall rules in the list.

Anybody able to shed light on what I'm clearly missing?

Do I have to systematically disable all DNAT rules bringing them back up in the order?

Should I just remove the automatic rule from the DNAT and simply add them manually as user created rules to which I can control the order?

I'm using Sophos Home release 9.309-3 btw.

Many thanks.


  • The answer is to put the blackhole DNAT above the DNAT to your server - NAT rules also are processed in order.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    That's my problem. If I put my new DNAT rule higher, the automatic firewall rule remains at the bottom of the list.

    And it appears that the rules work in the order listed in the firewall rules list - automatic rules first then manual/user rules after.

    Can I just double check, are you saying that DNAT rules should run in order, then automatic rules, then manual?

    Thanks.
  • Hi,

    I found a way to change the order of automatic rules from NAT definitions. If you disable and reenable the NAT rule, the automatic firewall rule moves to the bottom of the list. Not the best ideal way, but manageable to a degree.

    Regards

    Damien

  • Good trick, Damien, and welcome to the UTM Community!

    I think the difference is only cosmetic though. Automatic rules are not processed in sequence.

    The traffic is captured by the selector in the first DNAT, and the relevant firewall rule is applied immediately.  In the past, the automatic rules weren't even visible because of this.  They are now so that the admin can make a "log" selection on a rule.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
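To illustrate the processing order Bob describes (NAT rules evaluated top down, first matching selector wins, and the DNAT's automatic firewall rule applied at that moment rather than by its position in the automatic rules list), here is a small added model; it is not Sophos code and not part of this thread, and the rule names, networks and addresses are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class DnatRule:
    name: str
    src: str                 # selector: source network (CIDR)
    dst_port: int            # selector: destination port
    target: Optional[str]    # rewritten destination; None models a blackhole DNAT
    log: bool = False        # the one setting the automatic rule entry exposes


def matches(rule: DnatRule, pkt: dict) -> bool:
    """Does this DNAT's selector capture the packet?"""
    return (ip_address(pkt["src"]) in ip_network(rule.src)
            and pkt["dport"] == rule.dst_port)


def process(pkt: dict, nat_rules: list) -> tuple:
    """Walk the NAT table top down. The first selector that matches wins and
    its automatic firewall rule takes effect immediately, so the order of the
    'Automatic Firewall Rules' list itself never influences the outcome."""
    for rule in nat_rules:
        if matches(rule, pkt):
            if rule.target is None:
                return ("DROP", rule.name)
            return ("ALLOW", rule.name, rule.target)
    return ("NO_NAT", None)


# Constructed rules: a blackhole for one /24 and a DNAT to an internal server.
BLACKHOLE = DnatRule("Blackhole 203.0.113.0/24", "203.0.113.0/24", 443, None)
SERVER = DnatRule("DNAT to web server", "0.0.0.0/0", 443, "10.0.0.5")

# Constructed packets: one from the blackholed network, one from elsewhere.
PKT_BAD = {"src": "203.0.113.7", "dport": 443}
PKT_OK = {"src": "198.51.100.9", "dport": 443}


def verdict_blackhole_first(pkt: dict) -> tuple:
    """NAT order as Bob recommends: blackhole above the server DNAT."""
    return process(pkt, [BLACKHOLE, SERVER])


def verdict_server_first(pkt: dict) -> tuple:
    """Wrong NAT order: the catch-all server DNAT shadows the blackhole."""
    return process(pkt, [SERVER, BLACKHOLE])


if __name__ == "__main__":
    for label, fn in (("blackhole first", verdict_blackhole_first),
                      ("server first", verdict_server_first)):
        print(label, fn(PKT_BAD), fn(PKT_OK))
```

Swapping the two NAT entries changes the verdict for the blackholed source, while reordering the automatic firewall rules (which this model does not even track) cannot.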