Allow all except

Hello,

I would like to set up my firewall in the UTM9 to allow all traffic from/to a specific machine (let's call it server1), except specific ports, which should NAT to server2.

Is that possible?

Thanks!

  • I'm sorry, but it's not clear what you're asking. In general, you can block specific traffic first and then allow all other traffic. In NAT rules you can make a NoNAT rule for traffic you don't want to NAT to your server and then follow with another NAT rule forwarding Any to the server.

    Cheers - Bob
  • Hi Rob,
    I apologize, let me make it clear. I have two servers. One is a Web Server (let's call it server1) and the other one runs multiple services on random and dynamic ports (let's call it server2). I want to allow all traffic from Any to Server2, except ports 80 and 443 which should be forwarded to server1. Does this make sense?
  • In that case, make two NAT rules, in order: (1) 'DNAT : Internet -> {HTTP&HTTPS} -> External (Address) : to {server1}' and (2) 'DNAT : Internet -> Any -> External (Address) : to {server2}'.

    Like all ordered lists in WebAdmin, once traffic qualifies for a rule, no further rules are considered. Two additional observations...

    If traffic comes in on ports 1:65535->5000:5010, the responses will be 5000:5010->1:65535 - that is, the responses will be on random ports. Because the UTM is a "stateful" firewall with a connection tracker, the only traffic needing to be allowed is the inbound traffic, 1:65535->5000:5010.

    If you have a Web Server Security subscription, you can create one Real Server and one each of an HTTP Virtual Server and an HTTPS Virtual Server. Activate these with your DNATs still in place and add a rule above both of them 'NoNAT : Internet -> {HTTP&HTTPS} -> External (Address)'. To test your Web Server Security setup, enable the NoNAT rule. When you're happy with your configuration, leave the NoNAT rule enabled and disable/delete the DNAT for {HTTP&HTTPS}.

    Cheers - Bob
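The two points in Bob's answer, that an ordered NAT list stops at the first matching rule and that a stateful firewall only needs the inbound direction allowed, can be checked with a small simulation. This is an added example written for this thread, not Sophos UTM code; the external address, server addresses and port range 5000:5010 are constructed values. `apply_nat` walks the rules in order and stops at the first match, `shadowed` reports rules that can never fire because an earlier, broader rule always matches first (the case where the two DNATs are swapped), and `ConnTracker` models the connection tracker by admitting replies only for connections it has already seen inbound.

```python
"""First-match NAT evaluation and a minimal connection tracker.
Added example for illustration; not Sophos UTM code. All addresses
and port numbers below are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ANY = "any"  # wildcard for the source network or the destination port set


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class NatRule:
    name: str
    action: str            # "DNAT" or "NoNAT"
    src: str               # source network in CIDR form, or ANY
    dports: object         # frozenset of destination ports, or ANY
    dst: str               # original destination (the external address)
    target: Optional[str]  # new destination for DNAT; None for NoNAT

    def matches(self, pkt: Packet) -> bool:
        src_ok = self.src == ANY or ip_address(pkt.src) in ip_network(self.src)
        port_ok = self.dports == ANY or pkt.dport in self.dports
        return src_ok and port_ok and pkt.dst == self.dst


def apply_nat(rules, pkt: Packet) -> str:
    """Destination the packet ends up at: the target of the first matching
    DNAT, or the original address if a NoNAT matches first or nothing matches."""
    for rule in rules:
        if rule.matches(pkt):
            return pkt.dst if rule.action == "NoNAT" else rule.target
    return pkt.dst


def shadowed(rules):
    """Names of rules that can never fire because an earlier rule with the
    same original destination matches every packet they would match."""
    out = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            src_cov = earlier.src == ANY or (
                later.src != ANY
                and ip_network(later.src).subnet_of(ip_network(earlier.src)))
            port_cov = earlier.dports == ANY or (
                later.dports != ANY and later.dports <= earlier.dports)
            if src_cov and port_cov and earlier.dst == later.dst:
                out.append(later.name)
                break
    return out


class ConnTracker:
    """Stateful filter on pre-NAT addresses: inbound packets must hit an
    allowed port; outbound packets are admitted only as replies to a
    connection already recorded, whatever source port the reply uses."""

    def __init__(self, allowed_dports):
        self.allowed = allowed_dports
        self.table = set()

    def inbound(self, pkt: Packet) -> bool:
        if pkt.dport in self.allowed:
            self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        return False

    def outbound(self, pkt: Packet) -> bool:
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table


# Constructed addresses and the rule order recommended in the thread.
EXTERNAL = "203.0.113.10"  # external (address)
SERVER1 = "10.0.0.1"       # web server
SERVER2 = "10.0.0.2"       # server with dynamic-port services
WEB = frozenset({80, 443})

ORDERED = (
    NatRule("dnat-web", "DNAT", ANY, WEB, EXTERNAL, SERVER1),
    NatRule("dnat-rest", "DNAT", ANY, ANY, EXTERNAL, SERVER2),
)
REVERSED = (ORDERED[1], ORDERED[0])  # wrong order: Any rule first
WITH_NONAT = (NatRule("nonat-web", "NoNAT", ANY, WEB, EXTERNAL, None),) + ORDERED

if __name__ == "__main__":
    client = Packet("198.51.100.7", 40000, EXTERNAL, 443)
    print("ordered  :", apply_nat(ORDERED, client))    # 10.0.0.1
    print("reversed :", apply_nat(REVERSED, client))   # 10.0.0.2
    print("shadowed :", shadowed(REVERSED))            # ['dnat-web']
    print("nonat    :", apply_nat(WITH_NONAT, client)) # 203.0.113.10
```

With the rules in the recommended order, port 443 reaches server1 and port 5005 reaches server2; with the order reversed, the `Any` rule swallows everything and `shadowed` flags the HTTP/HTTPS DNAT as unreachable. The NoNAT rule placed above both leaves web traffic at the external address, which is where the Web Server Security virtual servers would pick it up.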