When using NAT to redirect services, country blocking blocks traffic going to the final destination, even if exceptions are turned on for all countries

Hello there,

I have all incoming traffic from HTTP, HTTPS, DNS and IMAP services redirected via NAT to our Linux server.

We have country blocking turned on for almost every country, but use country blocking exceptions for these services.

If I open up the firewall log, we get this:

16:50:33 NAT rule #3 TCP 69.191.211.202:35046 → 62.48.251.26:80 [SYN] len=60 ttl=54 tos=0x00 srcmac=40:00:00:00:00:02 dstmac=00:1a:8c:4b:28:e9

16:50:33 Country blocked TCP 69.191.211.202:35046 → 192.168.1.97:80 [SYN] len=60 ttl=53 tos=0x00 srcmac=40:00:00:00:00:02 dstmac=00:1a:8c:4b:28:e9

Why does the firewall block the packet from the source to the Linux server?

source=69.191.211.202

UTM9=62.48.251.26

linux=192.168.1.97

Thanks



This thread was automatically locked due to age.
  • Hi, Pedro, and welcome to the UTM Community!

    Alone among the logs, the Firewall Live Log presents abbreviated information in a format easier to read quickly. Usually, you can't troubleshoot without looking at the corresponding line from the full Firewall log file. Please post the lines corresponding to those above.

    Also, click on 'Use rich formatting' and insert a picture of your Exception that should have applied here.

    Cheers - Bob
  • What version of UTM are you running? Is it the latest (9.353)? There have been several versions where Country Blocking exceptions have been non-functional due to a bug.
  • Note that I cut the image, so not all countries are displayed. But I guarantee all of them are selected except Portugal.

    Example of firewall log for problem:

    2016:02:10-00:00:14 utmmundi ulogd[1278]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="62003" initf="eth1.20" srcmac="40:00:00:00:00:02" dstmac="00:1a:8c:4b:28:e9" srcip="66.249.64.186" dstip="62.48.251.26" proto="6" length="60" tos="0x00" prec="0x00" ttl="46" srcport="40612" dstport="80" tcpflags="SYN"
    2016:02:10-00:00:14 utmmundi ulogd[1278]: id="2021" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped (GEOIP)" action="drop" fwrule="60019" initf="eth1.20" outitf="eth0" srcmac="40:00:00:00:00:02" dstmac="00:1a:8c:4b:28:e9" srcip="66.249.64.186" dstip="192.168.1.97" proto="6" length="60" tos="0x00" prec="0x00" ttl="45" srcport="40612" dstport="80" tcpflags="SYN"

    Thanks

  • Hi there,


    Firmware version: 9.353-4
    Pattern version: 95489
  • Please let us know what Sophos Support has to say about this, Pedro.

    Cheers - Bob
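
Added example, not part of any post in this thread and not Sophos code: a short Python script that correlates full firewall log lines like the two posted above, pairing each `Packet dropped (GEOIP)` record with the earlier record of the same flow to show that the drop was evaluated against the translated destination. The flow key (source IP, source port, protocol) and the one-second window are assumptions made for this example.

```python
import re
from datetime import datetime

# Sample input: the two full-log lines posted in the thread, copied verbatim.
SAMPLE_LOG = """\
2016:02:10-00:00:14 utmmundi ulogd[1278]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="62003" initf="eth1.20" srcmac="40:00:00:00:00:02" dstmac="00:1a:8c:4b:28:e9" srcip="66.249.64.186" dstip="62.48.251.26" proto="6" length="60" tos="0x00" prec="0x00" ttl="46" srcport="40612" dstport="80" tcpflags="SYN"
2016:02:10-00:00:14 utmmundi ulogd[1278]: id="2021" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped (GEOIP)" action="drop" fwrule="60019" initf="eth1.20" outitf="eth0" srcmac="40:00:00:00:00:02" dstmac="00:1a:8c:4b:28:e9" srcip="66.249.64.186" dstip="192.168.1.97" proto="6" length="60" tos="0x00" prec="0x00" ttl="45" srcport="40612" dstport="80" tcpflags="SYN"
"""

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
TS_FORMAT = "%Y:%m:%d-%H:%M:%S"


def parse_line(line):
    """Parse one packetfilter line into a dict of its key="value" fields."""
    rec = dict(FIELD_RE.findall(line))
    rec["ts"] = datetime.strptime(line.split(" ", 1)[0], TS_FORMAT)
    return rec


def post_dnat_geoip_drops(log_text, window_s=1):
    """Find GEOIP drops whose flow was logged just before with another dstip.

    A match shows the country-blocking drop was applied to the packet after
    its destination address had been rewritten by the NAT rule.
    """
    earlier = {}   # flow key -> first record seen for that flow
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if 'sub="packetfilter"' not in line:
            continue
        rec = parse_line(line)
        key = (rec.get("srcip"), rec.get("srcport"), rec.get("proto"))
        prev = earlier.get(key)
        if prev is None or (rec["ts"] - prev["ts"]).total_seconds() > window_s:
            earlier[key] = rec   # new flow, or source port reused much later
            continue
        if rec.get("name") == "Packet dropped (GEOIP)" and prev.get("dstip") != rec.get("dstip"):
            findings.append({
                "srcip": rec.get("srcip"),
                "original_dst": prev.get("dstip"),
                "translated_dst": rec.get("dstip"),
                "drop_rule": rec.get("fwrule"),
                "outitf": rec.get("outitf"),
            })
    return findings
```

Calling `post_dnat_geoip_drops(SAMPLE_LOG)` returns one finding for the posted flow, with the external address as `original_dst` and the Linux server as `translated_dst`.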