UTM9 Blocks incoming traffic

Hi - I have an easy setup for my 'home' network. Simple Masquerading for outbound traffic from clients, and an ANY ANY ANY Firewall rule. Then a few inbound NAT rules which are to allow DNAT of incoming 443 SSL p.a. to be redirected to my Windows Server 2013 running Exchange 2003 for pda syncing etc.

But the Firewall blocks all my incoming traffic even though I set all NAT incl. "Automatic Firewall rule". Here are more details about my settings and the problem, I hope someone can see what I made wrong, or what I forgot:

And here is the error message I got from the Firewall:

2016:12:18-09:28:23 bessophos01 ulogd[4666]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="ppp0" srcip="213.180.XXX.XXX" dstip="80.254.XXX.XXX" proto="6" length="52" tos="0x02" prec="0x00" ttl="120" srcport="61061" dstport="443" tcpflags="SYN"

(The IP 213.180.XXX.XXX is the same one you can see in the NAT rule).

Thanks for your help

Mario



This thread was automatically locked due to age.
  • I believe your problem is trying to use 443 because that is used by some defaults on the UTM.

    I would change your any any any rule to be internal -> any -> any -> allow, otherwise you are allowing your UTM to be an open relay.

    XG115W - v19.5.1 mr-1 - Home

    If a post solves your question please use the 'Verify Answer' button.

  • Thank you for your feedback. It was a typo, sure I set internal - any - any ;)


    But concerning the blocked traffic, this must be something else. Not only the 443 traffic gets blocked. All incoming traffic from outside gets blocked! Here is another example with port 8080:

    Firewall log:

    2016:12:18-09:27:29 bessophos01 ulogd[4666]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="ppp0" srcip="31.10.157.250" dstip="80.254.XXX.XXX" proto="6" length="60" tos="0x00" prec="0x00" ttl="56" srcport="41008" dstport="8080" tcpflags="SYN"


    And here is my NAT setting:

    Any other ideas?
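Added example (not from this thread or from Sophos): a small Python parser for the UTM packetfilter log lines quoted in the posts above, which pulls out the key="value" fields and counts dropped inbound SYNs on the external interface by fwrule and destination port, then checks a list of ports you expect a DNAT to handle against what is still being dropped. The interface name and the port list are assumptions taken from the posts; both quoted drops carry the same fwrule id, which is the value to compare against the rule id that the DNAT's automatic firewall rule gets.

```python
import re
from collections import Counter

# Packetfilter log lines as posted in this thread (the XXX octets are the
# poster's own redactions and are kept as-is).
SAMPLE_LOG = """\
2016:12:18-09:28:23 bessophos01 ulogd[4666]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="ppp0" srcip="213.180.XXX.XXX" dstip="80.254.XXX.XXX" proto="6" length="52" tos="0x02" prec="0x00" ttl="120" srcport="61061" dstport="443" tcpflags="SYN"
2016:12:18-09:27:29 bessophos01 ulogd[4666]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="ppp0" srcip="31.10.157.250" dstip="80.254.XXX.XXX" proto="6" length="60" tos="0x00" prec="0x00" ttl="56" srcport="41008" dstport="8080" tcpflags="SYN"
"""

# key="value" pairs; values may contain spaces (name="Packet dropped").
_KV = re.compile(r'(\w+)="([^"]*)"')
# "<timestamp> <host> <process[pid]>: " prefix before the key/value fields
_PREFIX = re.compile(r'^(\S+) (\S+) (\S+): ')


def parse_line(line):
    """Return a dict of the line's key/value fields plus timestamp/host/process."""
    m = _PREFIX.match(line)
    if not m:
        return None
    rec = {"timestamp": m.group(1), "host": m.group(2), "process": m.group(3)}
    rec.update(_KV.findall(line[m.end():]))
    return rec


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def dropped_inbound_syns(records, ext_if="ppp0"):
    """Drops of new TCP connections arriving on the external interface (assumed ppp0)."""
    return [r for r in records
            if r.get("action") == "drop" and r.get("initf") == ext_if
            and r.get("proto") == "6" and r.get("tcpflags") == "SYN"]


def summarize(records, ext_if="ppp0"):
    """Count dropped inbound SYNs by (fwrule, dstport) to see which rule is eating them."""
    return Counter((r["fwrule"], int(r["dstport"]))
                   for r in dropped_inbound_syns(records, ext_if))


def forwarded_ports_still_dropped(records, forwarded, ext_if="ppp0"):
    """Ports you expect a DNAT to handle but that still show up as dropped SYNs."""
    seen = {int(r["dstport"]) for r in dropped_inbound_syns(records, ext_if)}
    return sorted(seen & set(forwarded))


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(summarize(recs))
    print(forwarded_ports_still_dropped(recs, [443, 8080]))
```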

  • Mario, that last DNAT looks like it might make you an open web proxy. I'm not sure what you're trying to accomplish, but you may not want to do that.

    Was the packet logged when it arrived? For both of the packets blocked in your posts above, it would be interesting to have initial packets logged.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Bob, no, I know 8080 is often used for web proxies but here it's not the case. I have just a few ports which should be open from outside, 443 and 8080 are just two examples, there are other ports I forwarded to specific servers but all of them got blocked by UTM 9. I'm new to configuring UTM 9 firewalls - I know Cisco very well, so it can easily be that I forgot to set a necessary click somewhere in the configuration.

    I don't really understand what you mean. The log I posted I found under "Logging & Reporting" / "View Log Files" then View of Firewall. Where can I find the log you request (the initial packets)?

  • Look under 'Advanced' in your NAT rule, Mario, and then test. That way we will see whether the rule is capturing the packets.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA