Firewall port not allowed

 Hello,

 

I have a strange issue, because I don't really understand it.

 

On the UTM I have created VLAN-based interfaces. I have a server in VLAN 100 and a load balancer on VLAN 200. I want the server to be able to contact the load balancer. When I create a firewall rule saying from: server using service HTTP to load balancer action allow, it doesn't work. When I say server using service HTTP to interface VLAN 200 action allow, it does work.

 

Any idea why?

 

Thanks!



  • What does "it doesn't work" mean?  Do you get any hints from doing #1 in Rulz?  If the server should hit the Load Balancer, why not put another one on the VLAN 100 Interface?

    Cheers - Bob

  • Hi,

     

It doesn't work means that the traffic is being blocked. As to why not any other device on the same VLAN, that's simple. This server is configured with very special software (hand-made) that provides a very limited interface to the load balancer through an API, for a specific number of people to be allowed to enable/disable services on the load balancer.

     

    In regards to Rulz:

Always check the logs!  = checked, it says that traffic is blocked unless I configure it the other way.

    Intrusion Prevention = not enabled anywhere, same with the other tabs.

    Advanced Threat Protection= not in use

  • Show a block line from the Firewall log file.  Obfuscate the IPs like 172.2x.y.17 and 80.x.y.91 so that we can understand what we're looking at.

    Cheers - Bob

  • Hi!

     

Not sure how this could help, but sure.


    15:23:16 Default DROP TCP 171.aa.bb.77 : 22821 64.aa.bb.144 : 8080 [SYN] len=52 ttl=118 tos=0x00 srcmac=74:8e:f8:fa:97:xx dstmac=00:1a:8c:f0:79:xx
    15:23:16 Default DROP TCP 171.aa.bb.77 : 22822 64.aa.bb.144 : 8080 [SYN] len=52 ttl=118 tos=0x00 srcmac=74:8e:f8:fa:97:xx dstmac=00:1a:8c:f0:79:xx
    15:23:17 Default DROP TCP 171.aa.bb.77 : 22834 64.aa.bb.144 : 8080 [SYN] len=52 ttl=118 tos=0x00 srcmac=74:8e:f8:fa:97:xx dstmac=00:1a:8c:f0:79:xx
    15:23:20 Default DROP TCP 171.aa.bb.77 : 22821 64.aa.bb.144 : 8080 [SYN] len=52 ttl=118 tos=0x00 srcmac=74:8e:f8:fa:97:xx dstmac=00:1a:8c:f0:79:xx
    15:23:20 Default DROP TCP 171.aa.bb.77 : 22822 64.aa.bb.144 : 8080 [SYN] len=52 ttl=118 tos=0x00 srcmac=74:8e:f8:fa:97:xx dstmac=00:1a:8c:f0:79:xx
    15:23:20 Default DROP TCP 171.aa.bb.77 : 22834 64.aa.bb.144 : 8080 [SYN] len=52 ttl=118 tos=0x00 srcmac=74:8e:f8:fa:97:xx dstmac=00:1a:8c:f0:79:xx

     

    My rule is:

     

    For traffic from: {list of specific IP addresses}

    Using port: 8080

    Going to: {public ip address}

    Change destination to: {internal ip address}

     

When I change "for traffic from" to any, then it works.

     

I tested it at my house using my home UTM and there it works fine. I don't get why it doesn't work here.

     
  • Alone among the logs, the Firewall Live Log presents abbreviated information in a format easier to read quickly.  Usually, you can't troubleshoot without looking at the corresponding line from the full Firewall log file.  Please post one log file line corresponding to those above.

    Cheers - Bob

  • I apologize.

     

Does this make more sense then? I hope it is what you are looking for.

     

    11:46:18 Default DROP TCP 171.33.134.xx : 24677 64.38.239.xxx : 80 [SYN] len=52 ttl=118 tos=0x00 srcmac=74:8e:f8:fa:97:xx dstmac=00:1a:8c:f0:79:xx
  • That's a line from the Firewall Live Log.  We need the additional information in the corresponding line from the Firewall log in 'Logging & Reporting >> View Log Files'.

    Cheers - Bob

  • Hi Bob,

     

This is the best view I can get for you for the specific request. Is this OK? I got it by exporting the log file, as through the browser it is impossible due to the length of the file (200 MB).

    2017:05:02-11:46:18 vpn-1 ulogd[6497]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="74:8e:f8:fa:xx:xx" dstmac="00:1a:8c:f0:xx:xx" srcip="171.33.134.xx" dstip="64.38.239.xx" proto="6" length="52" tos="0x00" prec="0x40" ttl="118" srcport="24677" dstport="80" tcpflags="SYN" 

  • Hi,

Is your definition ... LB WUI bound to an interface?

    If yes then change it back to any and follow Rulz#3

    Best Regards

    DKNL

• Very good point but no. It is <<any>>. I have never touched that. Not because I wanted to follow Rulz#3 but because I never knew what exactly it does. Reading #3, I see that I did well :D

  • Hi Vasileiosg,

    Why did the packet match fwrule="60001"? Refer Packetfilter logfiles on the Sophos UTM.

    Any help?

  • Hi,

     

This was actually GREAT help! It doesn't solve my problem but it offers some clues. I never knew about that information before, nor had I made the connection in my mind. Now I understand.

     

So going to the actual original issue (please forget everything I have said so far):

     

This rule is not working (source is a different VLAN from destination):

     

    and gives this error:

     

    2017:05:03-14:19:58 vpn-1 ulogd[6497]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="lag0.1060" outitf="lag0" srcmac="00:15:5d:c4:xx:xx" dstmac="00:1a:8c:f0:xx:xx" srcip="10.10.6.xx" dstip="10.10.0.xx" proto="6" length="52" tos="0x02" prec="0x00" ttl="127" srcport="49653" dstport="443" tcpflags="SYN"

which I understand to mean that the issue here is:

    Rule 60002 generally means the traffic was not destined for the UTM, and no firewall rule matched that packet (also, no transparent interception was applied). This is known as a 'Default Drop', because by default, packets with no matching firewall rule are dropped.

    To resolve this issue, please create a firewall rule matching the traffic's source, service, and destination. In the case where transparent interception should apply, please check that the source or destination host/network isn't included on a transparent interception skip list.

However, when I change the rule to

     

then it works. But I don't want this, because it allows access to the whole network rather than to one IP address. Interfaces are <ANY> for the objects.
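
The full Firewall log lines quoted in this thread are plain key="value" pairs, which makes them easy to parse and group. Below is an added example of doing that (it is not Sophos code and not something a poster in this thread wrote): it parses ulogd packetfilter lines, keeps only those that hit a default drop rule, groups them by flow, and writes out the missing rule in the "src -> service -> dst : Allow" shorthand used above. The two "Packet dropped" lines in the sample are the ones posted in this thread with the same masking; the extra lines (a repeat with a different source port and an "accept" line) are constructed for contrast, and treating fwrule 60001 as a default drop alongside 60002 is an assumption, since the thread only explains 60002. Note that the log does not show whether a host definition is bound to an interface, which is what the later replies ask about, so this tells you which flow has no matching rule, not why an existing rule did not match.

```python
import re
from collections import Counter

# Constructed sample. Lines 1 and 2 are the full-log lines posted in this
# thread (IPs masked as posted). Line 3 is a copy of line 2 with another
# source port; line 4 is a made-up "accept" line whose field names are an
# assumption, added only so the filter has something to exclude.
SAMPLE_LOG = """\
2017:05:02-11:46:18 vpn-1 ulogd[6497]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="74:8e:f8:fa:xx:xx" dstmac="00:1a:8c:f0:xx:xx" srcip="171.33.134.xx" dstip="64.38.239.xx" proto="6" length="52" tos="0x00" prec="0x40" ttl="118" srcport="24677" dstport="80" tcpflags="SYN"
2017:05:03-14:19:58 vpn-1 ulogd[6497]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="lag0.1060" outitf="lag0" srcmac="00:15:5d:c4:xx:xx" dstmac="00:1a:8c:f0:xx:xx" srcip="10.10.6.xx" dstip="10.10.0.xx" proto="6" length="52" tos="0x02" prec="0x00" ttl="127" srcport="49653" dstport="443" tcpflags="SYN"
2017:05:03-14:19:59 vpn-1 ulogd[6497]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="lag0.1060" outitf="lag0" srcmac="00:15:5d:c4:xx:xx" dstmac="00:1a:8c:f0:xx:xx" srcip="10.10.6.xx" dstip="10.10.0.xx" proto="6" length="52" tos="0x02" prec="0x00" ttl="127" srcport="49654" dstport="443" tcpflags="SYN"
2017:05:03-14:20:01 vpn-1 ulogd[6497]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="7" initf="lag0.1060" outitf="lag0" srcip="10.10.6.xx" dstip="10.10.0.xx" proto="6" length="52" tos="0x02" prec="0x00" ttl="127" srcport="49655" dstport="443" tcpflags="SYN"
"""

# Syslog-style prefix (timestamp, hostname, process) followed by key="value" pairs.
HEADER_RE = re.compile(r'^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<proc>\S+):\s+(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)="([^"]*)"')

# 60002 is the Default Drop for forwarded traffic according to the thread.
# Treating 60001 the same way (default drop for traffic aimed at the UTM
# itself) is an assumption made for this example.
DEFAULT_DROP_RULES = {"60001", "60002"}
PROTO_NAMES = {"1": "ICMP", "6": "TCP", "17": "UDP"}


def parse_line(line):
    """Turn one ulogd packetfilter line into a dict; None if the shape is wrong."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m.group("ts"), "host": m.group("host"), "proc": m.group("proc")}
    rec.update(KV_RE.findall(m.group("rest")))  # list of (key, value) pairs
    return rec


def is_default_drop(rec):
    """True when the packet was dropped by one of the catch-all rules."""
    return rec.get("action") == "drop" and rec.get("fwrule") in DEFAULT_DROP_RULES


def summarize_default_drops(log_text):
    """Group default-drop lines by flow; each group corresponds to one missing rule."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_default_drop(rec):
            continue
        key = (rec["fwrule"], rec.get("initf", "-"), rec.get("outitf", "-"),
               rec.get("srcip", "?"), rec.get("dstip", "?"),
               rec.get("proto", "?"), rec.get("dstport", "-"))
        counts[key] += 1
    fields = ("fwrule", "initf", "outitf", "srcip", "dstip", "proto", "dstport")
    return [dict(zip(fields, key), hits=n) for key, n in counts.most_common()]


def suggest_rule(entry):
    """Write the rule that would match this flow in the 'src -> service -> dst : Allow' form."""
    proto = PROTO_NAMES.get(entry["proto"], "proto " + entry["proto"])
    service = proto if entry["dstport"] == "-" else f"{proto}/{entry['dstport']}"
    return f"{entry['srcip']} -> {service} -> {entry['dstip']} : Allow"


if __name__ == "__main__":
    for e in summarize_default_drops(SAMPLE_LOG):
        print(f"fwrule={e['fwrule']} {e['initf']}->{e['outitf']} "
              f"hits={e['hits']}: {suggest_rule(e)}")
```

Run against an exported log file, the grouping separates what the Live Log blurs together: the initf/outitf pair tells you which interfaces the flow crossed, and a flow that keeps showing up under fwrule 60002 despite an allow rule that looks right is the cue to check the rule's host definitions rather than the rule itself.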

  • I'm still confused, Vasileious.  Please show the rule that fails like the following.  Feel free to use fake IPs, but make them realistic, not 1.2.3.4 or 192.168.x.y.  Make it so we can see whether an IP is private or public.

    80.81.82.5 -> HTTPS -> 192.168.1.2 : Allow

    Also, show the Block line from the full Firewall log file for this rule, modifying it to show the same fake IPs.

    Cheers - Bob

• It is internal to internal:

     

    10.10.6.x -> HTTP+HTTPS -> 10.10.0.x: Allow

     

    2017:05:03-14:19:58 vpn-1 ulogd[6497]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="lag0.1060" outitf="lag0" srcmac="00:15:5d:c4:xx:xx" dstmac="00:1a:8c:f0:xx:xx" srcip="10.10.6.xx" dstip="10.10.0.xx" proto="6" length="52" tos="0x02" prec="0x00" ttl="127" srcport="49653" dstport="443" tcpflags="SYN"

     

    This is the exact line from the full fw log.

  • Do the definitions for both Host objects in the firewall rule have 'Interface: <<Any>>' selected in 'Advanced'?

    Cheers - Bob