Can't seem to block access to internal server (sort of)

It seems a lot of people ask a similar question on this forum, but I can't seem to find one that's having the same issue I am. I can't seem to block access to my mail server's HTTPS interface. I've tried doing a DNAT to "Nowhere" and a firewall drop rule. With the firewall rule I was able to stop mail flow, but not access to the server's web interface. I've tried simply turning off the explicit allow rule, tried adding an explicit drop above it, even tried a Sources: Any, Services: Any, Destinations: Exchange Server rule at the top of the rules (this is what blocked mail flow). I've tried adding a DNAT with From (Specific Test IP), Service: Any, Going to: External Interface -- still was able to get to the mail server just fine.

I'm trying to block a particular host from the mail server because it keeps locking one of our users out. I'm not sure if it's brute-force password guessing or what, but she's locked out again before I can unlock her and hit refresh to check on it in our lockout tool.

Here's a little about what I have set up and the rules I can find applied to the Exchange server:

There are 3 inbound firewall rules set up to allow access to it: Rules 1 & 2 allow SMTP connections from MS servers to our mail server (they do our spam filtering) and the 3rd rule allows HTTPS access to our mail server.

I have a DNAT rule set up for when we fail over to our backup internet connection, so mail gets pushed to the mail server from MS's servers. There are no DNATs for the normal connection -- the firewall just passes the IP through to the server.

The Exchange server is in the Intrusion Prevention -> Performance Tuning section listed as a web server, but I wouldn't think that would automatically allow it (and I did try to remove it and see what happened -- nothing). 

I have set up an exception in our web filter to make sure our internet sites aren't blocked by URL or content filtering (which would include our email server) -- but I would really hope the web filter rules wouldn't be applied to a connection from outside our Local Networks range.

We're running Sophos SG430 UTM firmware 9.402-7

Any help would be greatly appreciated!

  • OK, I did find a DNAT rule that works to block the bad IP. In my case I had to set up the destination of the DNAT as the Exchange server, not the External address, because we actually do allow access to its IP through the firewall. But my question is still why didn't a "drop" firewall rule work? I'm not really seeing a higher-priority service/rule that should be allowing the web traffic.

  • Hi, and welcome to the UTM Community!

    It sounds like you've solved your immediate problem, but you will want to insert pictures instead of descriptions when seeking help with issues in the future.

    To understand better why the solution you found was the only one, see #2 in Rulz.

    Cheers - Bob
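The thread never spells out why the drop rule was skipped, only that the processing order matters. The following is an added illustration, not Sophos code and not anything posted in the thread: a toy first-match model that assumes the order Bob's reference implies (DNAT is applied first, then any UTM component that accepts the connection itself, and only then the manual firewall rules). The IP addresses are constructed documentation addresses, the rule set mirrors the one the original poster described, and the component that handled port 443 on the Exchange address ahead of the rule set is an assumption; the thread does not say which one it was. Running the scenarios reproduces every observation in the thread: the drop rule stops SMTP but not HTTPS, a DNAT aimed at the external address misses, and a DNAT aimed at the Exchange address itself blackholes the bad host.

```python
"""Toy model of packet processing: DNAT -> component that accepts the
connection ahead of the rule set -> manual firewall rules (first match).

Added example; not Sophos UTM code. The ordering is an assumption taken from
the explanation the thread points at, and the addresses are constructed.
"""
from dataclasses import dataclass
from typing import Optional

ANY = None  # wildcard for a rule field

# Constructed RFC 5737 documentation addresses (assumptions, not real hosts).
EXTERNAL = "203.0.113.1"    # UTM external interface
EXCHANGE = "203.0.113.25"   # Exchange server, public IP passed through, no NAT
MS_SPAM_1 = "192.0.2.10"    # first MS spam-filtering relay
MS_SPAM_2 = "192.0.2.11"    # second MS spam-filtering relay
BAD = "198.51.100.77"       # the host locking the user out


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Dnat:
    src: Optional[str]
    dst: Optional[str]
    dport: Optional[int]
    new_dst: Optional[str]  # None models "Nowhere" (blackhole)


@dataclass(frozen=True)
class FwRule:
    src: Optional[str]
    dst: Optional[str]
    dport: Optional[int]
    action: str  # "allow" or "drop"


def _hit(rule, pkt: Packet) -> bool:
    """A rule matches when every non-wildcard field equals the packet's."""
    pairs = ((rule.src, pkt.src), (rule.dst, pkt.dst), (rule.dport, pkt.dport))
    return all(want is ANY or want == got for want, got in pairs)


def process(pkt: Packet, dnats, handled_before_fw, fw_rules):
    """Return (verdict, detail) for one packet under the assumed order."""
    # Stage 1: DNAT, first match, rewrites the destination (or blackholes).
    for d in dnats:
        if _hit(d, pkt):
            if d.new_dst is None:
                return ("dnat-blackhole", d)
            pkt = Packet(pkt.src, d.new_dst, pkt.dport)
            break
    # Stage 2: a component that accepts the connection never consults the
    # manual rule set, so no drop rule placed there can apply.
    key = (pkt.dst, pkt.dport)
    if key in handled_before_fw:
        return ("handled-before-fw", handled_before_fw[key])
    # Stage 3: manual firewall rules, first match, implicit default drop.
    for r in fw_rules:
        if _hit(r, pkt):
            return (r.action, r)
    return ("drop", None)


# The three inbound allow rules the original poster described.
ALLOW_RULES = [
    FwRule(MS_SPAM_1, EXCHANGE, 25, "allow"),
    FwRule(MS_SPAM_2, EXCHANGE, 25, "allow"),
    FwRule(ANY, EXCHANGE, 443, "allow"),
]
# Assumption: something on the UTM accepts HTTPS to the Exchange address
# before the rule set is consulted. The thread does not say which component.
HANDLED = {(EXCHANGE, 443): "component accepting HTTPS ahead of the rule set"}

DROP_ALL_TO_EXCHANGE = FwRule(ANY, EXCHANGE, ANY, "drop")
HTTPS_FROM_BAD = Packet(BAD, EXCHANGE, 443)
SMTP_FROM_MS = Packet(MS_SPAM_1, EXCHANGE, 25)


def verdict(pkt: Packet, dnats=(), fw_rules=ALLOW_RULES) -> str:
    return process(pkt, list(dnats), HANDLED, list(fw_rules))[0]


def scenarios() -> dict:
    """Each attempt from the thread, evaluated under the assumed ordering."""
    with_drop = [DROP_ALL_TO_EXCHANGE] + ALLOW_RULES
    return {
        "baseline https from bad host": verdict(HTTPS_FROM_BAD),
        "drop rule on top, https": verdict(HTTPS_FROM_BAD, fw_rules=with_drop),
        "drop rule on top, smtp from MS": verdict(SMTP_FROM_MS, fw_rules=with_drop),
        "dnat bad->External to Nowhere": verdict(
            HTTPS_FROM_BAD, dnats=[Dnat(BAD, EXTERNAL, ANY, None)]),
        "dnat bad->Exchange to Nowhere": verdict(
            HTTPS_FROM_BAD, dnats=[Dnat(BAD, EXCHANGE, ANY, None)]),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:34s} -> {result}")
```

The DNAT aimed at the External interface misses because the packet's destination was never NATed and is still the Exchange address; only a DNAT whose destination is the Exchange address itself matches and blackholes the host before anything downstream sees it. The model is deliberately simple: it has no connection tracking, SNAT, or rule-group semantics, and which component handled port 443 on the poster's box remains unknown.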