
Firewall and Amazon Web Services

I have an app on my Mac (Bookends) which maintains a database of book titles.  If I enter a new book's ISBN number, Bookends will query Amazon and return with the book's title, author, publisher, etc.  The difficulty is that Amazon Web Services (AWS) will respond with a new source IP, so that the Firewall thinks it's a rogue attack and blocks it.  I have created a list of networks (e.g. AWS054-000, 54.0.0.0/8, WAN interface) which detail many of AWS's servers.  I have over 50 such network definitions so far and am adding more.  Then I have a Network Group defined that pulls this long list of network definitions together so that I can make a Firewall Rule allowing AWS to the single specific LAN computer that uses Bookends.  But in my firewall log I can see that 54.86.89.255, 54.152.225.202 and 54.165.14.197 have been blocked.

Given my definition of AWS054-000 (above), how can these listed IP addresses be blocked?  My limited cerebral powers seem to be rapidly evaporating.

(1) I just need to know whether anyone has successfully used network definitions with wide CIDR ranges (/16 to /10)?  My CIDR ranges do NOT seem to be working.

(2) I have checked "Log Traffic" on my firewall rule.  How can I find the allowed transactions that are successfully matching my rule?  I don't think there are any.  But I don't understand how to verify my intuitions.



  • "The difficulty is that Amazon Web Services (AWS) will respond with a new source IP so that the Firewall thinks it's a rogue attack and blocks it." - Please show us a sample line from the Firewall log file.  Alone among the logs, the Firewall Live Log presents abbreviated information in a format easier to read quickly.  Usually, you can't troubleshoot without looking at the corresponding line from the full Firewall log file.

    Cheers - Bob

  • Here's a portion of a report from a Sawmill syslog analyzer for Sophos UTM firewall logs (sorted in IP address order):

    Source IPs 01/Mar/2016 – 14/Mar/2016, 14 days (entire date range)

    Report is filtered and shows data for Destination IP is 192.168.168.150 [my Mac running Bookends]

    Firewall rule is 60003

    Source port is 443

    Source IP Events Firewall events Hits Page views Bytes Unique source IPs Response time Sessions
    81 54.152.225.202 130 1.2 % 130 0 130 5.08 K 1 00:00:00.000
    82 54.164.40.220 143 1.3 % 143 0 143 5.59 K 1 00:00:00.000
    83 54.165.14.197 104 1.0 % 104 0 104 4.06 K 1 00:00:00.000
    84 54.173.221.102 130 1.2 % 130 0 130 5.08 K 1 00:00:00.000
    85 54.174.1.97 104 1.0 % 104 0 104 4.06 K 1 00:00:00.000
    86 54.174.160.243 156 1.5 % 156 0 156 6.09 K 1 00:00:00.000
    87 54.174.179.70 156 1.5 % 156 0 156 6.09 K 1 00:00:00.000
    88 54.175.147.187 180 1.7 % 180 0 180 7.03 K 1 00:00:00.000
    89 54.175.224.180 14 0.1 % 14 0 14 603 B 1 00:00:00.000
    90 54.192.90.20 144 1.3 % 144 0 144 5.67 K 1 00:00:00.000
    91 54.209.0.118 99 0.9 % 99 0 99 3.87 K 1 00:00:00.000
    92 54.209.199.177 78 0.7 % 78 0 78 3.05 K 1 00:00:00.000
    93 54.209.27.174 112 1.0 % 112 0 112 4.38 K 1 00:00:00.000
    94 54.209.6.51 99 0.9 % 99 0 99 3.87 K 1 00:00:00.000
    95 54.225.159.129 52 0.5 % 52 0 52 2.03 K 1 00:00:00.000
    96 54.225.203.142 13 0.1 % 13 0 13 520 B 1 00:00:00.000
    97 54.230.37.129 13 0.1 % 13 0 13 520 B 1 00:00:00.000

    My network definition AWS054-192 is 54.192.0.0/10 (which I think equates with 54.128.0.0->54.255.255.255).  This is one of a long list of WAN networks I am trying to allow into my LAN, specifically to 192.168.168.150.

    But the above partial listing of IP addresses have all been blocked.

    Am I thinking about CIDRs incorrectly???

  • 54.192.0.0/10 is 54.192.0.0->54.255.255.255

    I don't think you've asked yourself the right question yet and so are not working on the right problem.  We need the information from the Firewall log file.

    Cheers - Bob

  • OK, my mistake; the CIDR should be /9 (not /10).
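Added example (not part of the original thread or of Sophos UTM): a short Python script that checks the two things this thread turned on. First, the CIDR arithmetic, using the definitions quoted above (54.0.0.0/8, the mistaken 54.192.0.0/10 and the corrected 54.128.0.0/9) against source IPs from the posted log report. Second, a minimal stateless first-match packet filter, evaluated top to bottom like a UTM rule set, showing how the same AWS allow rule gives different verdicts depending on whether it sits above or below a broad block rule. The rule tables and the destination host 192.168.168.150 are constructed for illustration and are assumptions, not the poster's real configuration.

```python
"""
Added example (not from the original thread): CIDR containment checks and a
toy first-match rule evaluator for the situation discussed above.
"""
import ipaddress

# Network definitions named in the thread.  The /10 is the poster's mistaken
# definition, the /9 is the corrected one, the /8 is the broad AWS054-000.
DEFINITIONS = {
    "AWS054-000 (/8)": ipaddress.ip_network("54.0.0.0/8"),
    "AWS054-192 (/10)": ipaddress.ip_network("54.192.0.0/10"),
    "AWS054-128 (/9)": ipaddress.ip_network("54.128.0.0/9"),
}

# Source IPs taken from the blocked entries quoted in the thread.
BLOCKED = ["54.86.89.255", "54.152.225.202", "54.165.14.197", "54.192.90.20"]


def cidr_bounds(cidr):
    """Return (first, last) address strings covered by a CIDR block."""
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net.network_address), str(net.broadcast_address)


def matching_definitions(ip, definitions=DEFINITIONS):
    """Names of the definitions that actually contain the address."""
    addr = ipaddress.ip_address(ip)
    return [name for name, net in definitions.items() if addr in net]


def first_match(rules, src, dst, dport):
    """Evaluate a stateless rule list top to bottom; first match wins.

    Each rule is (name, src_nets, dst_nets, ports_or_None, action).
    If nothing matches, fall through to an implicit drop.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for name, src_nets, dst_nets, ports, action in rules:
        src_ok = any(s in n for n in src_nets)
        dst_ok = any(d in n for n in dst_nets)
        port_ok = ports is None or dport in ports
        if src_ok and dst_ok and port_ok:
            return name, action
    return "implicit-default", "drop"


# Constructed rule set (assumption, not the poster's real UTM config).
ANY = [ipaddress.ip_network("0.0.0.0/0")]
LAN_MAC = [ipaddress.ip_network("192.168.168.150/32")]
AWS_GROUP = [DEFINITIONS["AWS054-000 (/8)"], DEFINITIONS["AWS054-128 (/9)"]]

ALLOW_AWS = ("allow-aws-to-bookends", AWS_GROUP, LAN_MAC, None, "accept")
BLOCK_INBOUND = ("block-all-inbound", ANY, LAN_MAC, None, "drop")

RULES_WRONG_ORDER = [BLOCK_INBOUND, ALLOW_AWS]   # allow rule shadowed
RULES_RIGHT_ORDER = [ALLOW_AWS, BLOCK_INBOUND]   # allow rule on top


if __name__ == "__main__":
    for cidr in ("54.192.0.0/10", "54.128.0.0/9", "54.0.0.0/8"):
        print(cidr, "covers", *cidr_bounds(cidr))
    for ip in BLOCKED:
        print(ip, "is inside:", matching_definitions(ip))
    for label, rules in (("wrong order", RULES_WRONG_ORDER),
                         ("right order", RULES_RIGHT_ORDER)):
        print(label, first_match(rules, "54.152.225.202", "192.168.168.150", 443))
```

Running it shows that 54.152.225.202 and 54.165.14.197 sit inside 54.0.0.0/8 and 54.128.0.0/9 but outside 54.192.0.0/10, and that the allow rule only takes effect when it is evaluated before the broader block. The evaluator is deliberately stateless; a real stateful firewall also consults its connection table before walking the rule list, which this toy does not model.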

    But thank you very much Bob!  You were quite correct in suggesting that I re-think my assumptions.  My AWS firewall rule needs be at the top.  Placing it there makes quite a difference.  I am stunned that what seems so clear to you has bedeviled me for the last 4 weeks. Your perspective was the key to the solution.  Thank you, Bob, for all your efforts on this forum.