Here's something worrying. We created (*see below - actually this was restored from a config file) a static NAT rule for a host we'll refer to as xlx01, for http. The rule did NOT have the automatic firewall rule option turned on. Our firewall rulebase has an explicit any-any-drop at the bottom (logged), and various more specific drops above that (also logged). We created a rule above the relevant drop rule that allowed inbound traffic from the internet to xlx01 on http, but it only allowed traffic from two IPs. At this point that rule was NOT activated. We attempted traffic from the raw internet (not from one of those IPs) and the traffic was ALLOWED. We could see the NAT rule being hit in the live firewall log but no other log entries for this traffic (no red, no green). We turned on logging for every firewall rule as a test. Still no log entries, and still traffic was being forwarded (bad).
We then took a look at iptables -L and we see this:
Chain AUTO_FORWARD (1 references)
target prot opt source destination
CONFIRMED tcp -- anywhere anywhere match-set 7izrFOnq1CE8bQx1g/4Cow src tcp spts:tcpmux:65535 multiport dports http,https
CONFIRMED tcp -- anywhere xlx01 tcp spts:tcpmux:65535 multiport dports http,https
That was worrying because we never asked for that, and we had never referred to https (only http). So where did that rule come from? We deleted both of those lines and deleted the (deactivated) rule in the Sophos firewall UI. We then recreated the firewall rule and activated it, and now we see exactly what we would expect in iptables, and the traffic is being correctly dropped from any source apart from the two we explicitly allowed.
The only way that I can see this happening is as follows. This is a fresh build of Sophos UTM from an ISO. After it was built, with a very vanilla basic config, and upgraded to the latest Up2Date, we restored a previous config onto it (in order to avoid having to recreate all that config from scratch). That previous config came from a UTM that was a bit in development, and it did have a rule referring to http and https from "the whole internet" to xlx01. That must be where this iptables entry came from. However, that rule was not present in the firewall UI at the time the config backup was taken, and not visible in the UI after the config was restored onto the fresh build. I.e. there must be a problem somewhere between the deletion of a rule in the old UTM's config and the restoration of the config onto a fresh UTM. It shouldn't have been on the old UTM any longer and it sure shouldn't have come across to the new UTM. And regardless of that, it wasn't visible in the firewall UI AFTER the restore.
And regardless of anything else, having an ACCEPT rule in iptables that is not visible in the UTM firewall UI, and which isn't logged, is about as dangerous as it gets with a firewall. Yet none of this appears as a known issue for the UTM as far as we can see.
Sure would love to hear from Sophos on this. Worrying.
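As an added example, not from the original post or from Sophos: a small POSIX shell/awk check a defender could run on a UTM after a config restore to list AUTO_FORWARD accept rules that admit traffic from any source without a match-set (ipset) restriction, which is the shape of the stale CONFIRMED rule described above. The sample chain output and the 198.51.100.10 address standing in for xlx01 are constructed.

```shell
#!/bin/sh
# Added audit helper (not Sophos code): list AUTO_FORWARD rules that accept
# traffic from any source without a match-set (ipset) restriction.
# Reads `iptables -L AUTO_FORWARD -n` output on stdin.
unrestricted_accepts() {
    awk '
        NR <= 2 { next }                        # skip "Chain ..." and header lines
        $1 != "ACCEPT" && $1 != "CONFIRMED" { next }
        $4 != "0.0.0.0/0" { next }              # source already limited to a host/subnet
        /match-set [^ ]+ src/ { next }          # source already limited by an ipset
        { print $1, $4, "->", $5 }
    '
}

# Constructed sample mirroring the post (xlx01 shown as 198.51.100.10, an
# assumed placeholder address); with -n, iptables prints hosts numerically.
SAMPLE_CHAIN='Chain AUTO_FORWARD (1 references)
target     prot opt source               destination
CONFIRMED  tcp  --  0.0.0.0/0            0.0.0.0/0            match-set 7izrFOnq1CE8bQx1g/4Cow src tcp spts:1:65535 multiport dports 80,443
CONFIRMED  tcp  --  0.0.0.0/0            198.51.100.10        tcp spts:1:65535 multiport dports 80,443'

# Returns non-zero (and reports the offending rules on stderr) when any
# unrestricted accept is present, so it can gate a post-restore check.
check_chain() {
    findings=$(unrestricted_accepts)
    [ -z "$findings" ] && return 0
    printf 'Unrestricted accept in AUTO_FORWARD:\n%s\n' "$findings" >&2
    return 1
}

# Usage on a live UTM:  iptables -L AUTO_FORWARD -n | check_chain
# On the constructed sample this prints: CONFIRMED 0.0.0.0/0 -> 198.51.100.10
printf '%s\n' "$SAMPLE_CHAIN" | unrestricted_accepts
```

Run it against the same chain before and after a restore and diff the output; a rule that appears only in iptables and not in the UI is exactly what this catches.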