Firewall port not allowed

 Hello,

I have a strange issue because I don't really understand it.

On the UTM I have created VLAN-based interfaces. I have a server in VLAN 100 and a load balancer in VLAN 200. I want the server to be able to contact the load balancer. When I create a firewall rule saying from: server, using service HTTP, to load balancer, action allow, it doesn't work. When I say from: server, using service HTTP, to interface VLAN 200, action allow, it does work.

Any idea why?

Thanks!



This thread was automatically locked due to age.
  • Hello vasileiosg,

    maybe a screenshot of the corresponding firewall rules may help to analyze the problem.

    Good luck!

    CS

  • This is how it works now:

    This is how I want it to work:

  • What does "it doesn't work" mean?  Do you get any hints from doing #1 in Rulz?  If the server should hit the Load Balancer, why not put another one on the VLAN 100 Interface?

    Cheers - Bob

  • Hi,

    "It doesn't work" means that the traffic is being blocked. As to why not any other device on the same VLAN, that's simple. This server is configured with a very special (hand-made) piece of software that provides a very limited interface to the load balancer through an API, for a specific number of people to be allowed to enable/disable services on the load balancer.

    In regards to Rulz:

    Always check the logs! = checked, it says that traffic is blocked unless I configure it the other way.

    Intrusion Prevention = not enabled anywhere, same with the other tabs.

    Advanced Threat Protection = not in use

  • Show a block line from the Firewall log file.  Obfuscate the IPs like 172.2x.y.17 and 80.x.y.91 so that we can understand what we're looking at.

    Cheers - Bob

  • Hi!

    Not sure how this could help, but sure.

    15:23:16 Default DROP TCP 171.aa.bb.77:22821 -> 64.aa.bb.144:8080 [SYN] len=52 ttl=118 tos=0x00 srcmac=74:8e:f8:fa:97:xx dstmac=00:1a:8c:f0:79:xx
    15:23:16 Default DROP TCP 171.aa.bb.77:22822 -> 64.aa.bb.144:8080 [SYN] len=52 ttl=118 tos=0x00 srcmac=74:8e:f8:fa:97:xx dstmac=00:1a:8c:f0:79:xx
    15:23:17 Default DROP TCP 171.aa.bb.77:22834 -> 64.aa.bb.144:8080 [SYN] len=52 ttl=118 tos=0x00 srcmac=74:8e:f8:fa:97:xx dstmac=00:1a:8c:f0:79:xx
    15:23:20 Default DROP TCP 171.aa.bb.77:22821 -> 64.aa.bb.144:8080 [SYN] len=52 ttl=118 tos=0x00 srcmac=74:8e:f8:fa:97:xx dstmac=00:1a:8c:f0:79:xx
    15:23:20 Default DROP TCP 171.aa.bb.77:22822 -> 64.aa.bb.144:8080 [SYN] len=52 ttl=118 tos=0x00 srcmac=74:8e:f8:fa:97:xx dstmac=00:1a:8c:f0:79:xx
    15:23:20 Default DROP TCP 171.aa.bb.77:22834 -> 64.aa.bb.144:8080 [SYN] len=52 ttl=118 tos=0x00 srcmac=74:8e:f8:fa:97:xx dstmac=00:1a:8c:f0:79:xx

    My rule is:

    For traffic from: {list of specific IP addresses}
    Using port: 8080
    Going to: {public IP address}
    Change destination to: {internal IP address}

    When I change "For traffic from" to Any, it works.

    I tested it at home using my home UTM and there it works fine. I don't get why it doesn't work here.

  • Alone among the logs, the Firewall Live Log presents abbreviated information in a format easier to read quickly.  Usually, you can't troubleshoot without looking at the corresponding line from the full Firewall log file.  Please post one log file line corresponding to those above.

    Cheers - Bob

  • I apologize.

    Does this make more sense then? I hope it is what you are looking for.

    11:46:18 Default DROP TCP 171.33.134.xx:24677 -> 64.38.239.xxx:80 [SYN] len=52 ttl=118 tos=0x00 srcmac=74:8e:f8:fa:97:xx dstmac=00:1a:8c:f0:79:xx
  • That's a line from the Firewall Live Log.  We need the additional information in the corresponding line from the Firewall log in 'Logging & Reporting >> View Log Files'.

    Cheers - Bob

  • Hi Bob,

    This is the best view I can get for you for the specific request. Is this OK? I got it by exporting the log file, as through the browser it is impossible due to the length of the file (200 MB).

    2017:05:02-11:46:18 vpn-1 ulogd[6497]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="74:8e:f8:fa:xx:xx" dstmac="00:1a:8c:f0:xx:xx" srcip="171.33.134.xx" dstip="64.38.239.xx" proto="6" length="52" tos="0x00" prec="0x40" ttl="118" srcport="24677" dstport="80" tcpflags="SYN"
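The reason the full log line is asked for above is that the Firewall Live Log strips exactly the fields needed to explain a drop: the matching rule id (fwrule, here 60001, the rule the Live Log labels "Default") and the ingress interface (initf). The parser below is an added example written for this page; it is not part of the thread and not Sophos tooling. It reads the key="value" format of the full packetfilter log, finds the full-log record that corresponds to a Live Log line (by time of day, source port and destination port), reports the fields the Live Log hides, and counts drops per rule. The sample input is the line posted above plus two constructed lines that are not from the thread: an accepted packet with an assumed rule id of 12 and an assumed egress interface eth1.200, and one more default drop on port 8080.

```python
import re
from collections import Counter

# The UTM writes firewall events through ulogd as space-separated
# key="value" pairs after a "timestamp host ulogd[pid]:" prefix.
PREFIX_RE = re.compile(r'^(\S+)\s+(\S+)\s+ulogd\[(\d+)\]:\s*(.*)$')
KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Fields present in the full log line but absent from the Live Log view.
FULL_LOG_ONLY = ("id", "sub", "name", "fwrule", "initf", "outf", "prec")

# Constructed sample input. Line 1 is the line posted in the thread (IPs
# obfuscated as posted); lines 2 and 3 are invented for this example: the
# accept rule id 12 and the outf interface eth1.200 are assumptions.
SAMPLE_LOG = """\
2017:05:02-11:46:18 vpn-1 ulogd[6497]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="74:8e:f8:fa:xx:xx" dstmac="00:1a:8c:f0:xx:xx" srcip="171.33.134.xx" dstip="64.38.239.xx" proto="6" length="52" tos="0x00" prec="0x40" ttl="118" srcport="24677" dstport="80" tcpflags="SYN"
2017:05:02-11:46:19 vpn-1 ulogd[6497]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="12" initf="eth1" outf="eth1.200" srcmac="74:8e:f8:fa:xx:xx" dstmac="00:1a:8c:f0:xx:xx" srcip="172.2x.y.17" dstip="64.38.239.xx" proto="6" length="52" tos="0x00" prec="0x00" ttl="118" srcport="24700" dstport="8080" tcpflags="SYN"
2017:05:02-11:46:20 vpn-1 ulogd[6497]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="74:8e:f8:fa:xx:xx" dstmac="00:1a:8c:f0:xx:xx" srcip="171.33.134.xx" dstip="64.38.239.xx" proto="6" length="52" tos="0x00" prec="0x40" ttl="118" srcport="24678" dstport="8080" tcpflags="SYN"
"""


def parse_line(line):
    """Parse one full firewall log line into a dict, or return None."""
    m = PREFIX_RE.match(line.strip())
    if not m:
        return None
    ts, host, pid, rest = m.groups()
    rec = {"timestamp": ts, "host": host, "pid": int(pid)}
    rec.update(dict(KV_RE.findall(rest)))
    return rec


def parse_log(text):
    """Parse every recognisable line of an exported log file."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def time_of_day(rec):
    """'2017:05:02-11:46:18' -> '11:46:18', the part the Live Log shows."""
    return rec["timestamp"].split("-", 1)[-1]


def find_full_line(records, hhmmss, srcport, dstport):
    """Locate the full-log record behind a Live Log line.

    The Live Log shows only time of day, IPs and ports, so those are the
    join keys; the ephemeral source port makes the match unambiguous.
    """
    for r in records:
        if (time_of_day(r) == hhmmss
                and r.get("srcport") == str(srcport)
                and r.get("dstport") == str(dstport)):
            return r
    return None


def fields_live_log_hides(rec):
    """The diagnostic fields a Live Log line discards for this record."""
    return {k: rec[k] for k in FULL_LOG_ONLY if k in rec}


def drops_by_rule(records, dstport=None):
    """Count dropped packets per fwrule, optionally for one destination port."""
    counts = Counter()
    for r in records:
        if r.get("action") != "drop":
            continue
        if dstport is not None and r.get("dstport") != str(dstport):
            continue
        counts[r.get("fwrule")] += 1
    return dict(counts)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    hit = find_full_line(recs, "11:46:18", 24677, 80)
    print("hidden by Live Log:", fields_live_log_hides(hit))
    print("drops per rule:", drops_by_rule(recs))
    print("drops per rule on 8080:", drops_by_rule(recs, 8080))
```

Run it against a file exported from Logging & Reporting instead of SAMPLE_LOG to get the same answer for a real drop: a fwrule of 60001 with the expected initf tells you no explicit rule matched at all, whereas a different fwrule points at the rule that actually fired.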