Cannot Block Port 80,443 Across Internal Networks

I have three network adapters, one for WAN, LAN, and LAN2. I want to keep LAN and LAN2 isolated from one another. For the most part that's working. If I don't want ssh to cross networks: firewall rule, ssh blocked, done. All other rules I've created to manage what can and cannot cross network boundaries work fine, but I cannot seem to block ports 80/443 from LAN2 to LAN.

To help narrow down the problem I tried creating a rule at the top of my firewall chain to explicitly block LAN2 over HTTP, HTTPS to LAN with an action of Drop. Nope. I tried LAN2 -> Any -> LAN Drop. Nope. I added a rule in slot 2 for LAN -> Any -> LAN2 Drop. Nope.

LAN is restricted by Web Filter, Country Blocking, Intrusion Prevention, and Advanced Protection. LAN2 is not covered by the Web Filter and in Country Blocking I added a rule to allow outgoing to any country on any port. Turning off country blocking does not affect this issue.

Any ideas on what I'm missing?



This thread was automatically locked due to age.
  • Sounds like you have web filtering enabled. Web filtering will intercept all HTTP/HTTPS traffic, whereas the FW will be blocking ssh etc. as expected. It's one of those gotchas that the UTM gets over on you. You will need to look a little closer at the web filter and design policies to suit, or stop using the web filter and allow the FW to manage the HTTP/HTTPS traffic.

  • Thanks for the suggestion. Having an idea where to look helped. The web filter was causing the issue. I was able to tweak an exception that was in place and now the firewall rules act as expected. 

  • Just for your info:

    another way to do it would be to:

    Under Web Protection > Filtering Options > Websites > Create Website > enter a URL, IP or CIDR, and then under Tags give it a name, e.g. "blocked sites". You can then add as many CIDRs as you want under this tag.

    Then go to your web profile > Policy > Websites > "Control sites tagged in this list" > select the tag you created and select Block.

    That will then prevent anything that falls in that policy from accessing those sites
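The two replies above describe an ordering problem: in transparent mode the Web Filter takes TCP 80/443 from the networks it is enabled for before the packet filter sees the flow, so a firewall Drop rule never matches those ports, while a web-policy block (the tag method) or keeping the destination out of the proxy does take effect. The model below is an added illustration of that ordering and is not Sophos UTM code; the network names, CIDRs, rule table and the assumption that a transparent-mode skiplist entry hands the skipped flow back to the packet filter are all constructed for the example.

```python
"""Added model of the UTM processing order discussed in this thread.

Not UTM code.  Every name, CIDR and rule below is constructed so the example
runs offline.  The modelled behaviour is the one the replies describe:
transparent-mode web filtering grabs TCP 80/443 from proxied networks before
the firewall rule set is evaluated.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple

PROXY_PORTS = {80, 443}          # ports the transparent proxy intercepts


@dataclass
class Flow:
    src: str
    dst: str
    dport: int


@dataclass
class FirewallRule:
    src_net: str                 # CIDR or "any"
    dst_net: str                 # CIDR or "any"
    ports: Optional[Set[int]]    # None means any port
    action: str                  # "allow" or "drop"


@dataclass
class WebFilterConfig:
    enabled: bool = True
    allowed_networks: List[str] = field(default_factory=list)  # networks the proxy serves
    skip_src: List[str] = field(default_factory=list)          # transparent-mode skiplist, sources (assumed)
    skip_dst: List[str] = field(default_factory=list)          # transparent-mode skiplist, destinations (assumed)
    blocked_sites: List[str] = field(default_factory=list)     # CIDRs tagged and blocked in the web policy


def _in(addr: str, nets: List[str]) -> bool:
    a = ip_address(addr)
    return any(n == "any" or a in ip_network(n) for n in nets)


def decide(flow: Flow, wf: WebFilterConfig, rules: List[FirewallRule]) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is 'allowed', 'blocked' or 'dropped'."""
    # Step 1: transparent proxy interception, evaluated before the packet filter.
    if (wf.enabled and flow.dport in PROXY_PORTS
            and _in(flow.src, wf.allowed_networks)
            and not _in(flow.src, wf.skip_src)
            and not _in(flow.dst, wf.skip_dst)):
        if _in(flow.dst, wf.blocked_sites):
            return "blocked", "web filter: destination carries a blocked tag in the web policy"
        return "allowed", "web filter: flow proxied, firewall rules never consulted"
    # Step 2: packet filter, first match wins, implicit drop at the end.
    verdict = {"allow": "allowed", "drop": "dropped"}
    for i, r in enumerate(rules, 1):
        if (_in(flow.src, [r.src_net]) and _in(flow.dst, [r.dst_net])
                and (r.ports is None or flow.dport in r.ports)):
            return verdict[r.action], f"firewall: rule {i} matched"
    return "dropped", "firewall: no rule matched (implicit drop)"


# Constructed topology and the rules the original poster describes.
LAN, LAN2 = "192.168.1.0/24", "192.168.2.0/24"
LAN_HOST, LAN2_HOST = "192.168.1.20", "192.168.2.10"
RULES = [
    FirewallRule(LAN2, LAN, {80, 443}, "drop"),   # explicit block at the top of the chain
    FirewallRule(LAN2, LAN, None, "drop"),        # LAN2 -> Any -> LAN Drop
    FirewallRule(LAN2, "any", None, "allow"),     # LAN2 may reach everything else
]
BOTH_PROXIED = WebFilterConfig(allowed_networks=[LAN, LAN2])


def scenario_as_posted() -> Tuple[str, str]:
    """HTTPS slips past the Drop rules while ssh is dropped, as in the question."""
    https = decide(Flow(LAN2_HOST, LAN_HOST, 443), BOTH_PROXIED, RULES)[0]
    ssh = decide(Flow(LAN2_HOST, LAN_HOST, 22), BOTH_PROXIED, RULES)[0]
    return https, ssh


def scenario_lan2_not_proxied() -> str:
    """Web filter not covering LAN2: the firewall rule finally sees the flow."""
    wf = WebFilterConfig(allowed_networks=[LAN])
    return decide(Flow(LAN2_HOST, LAN_HOST, 443), wf, RULES)[0]


def scenario_skiplist() -> str:
    """LAN on the destination skiplist (assumed to fall through to the firewall)."""
    wf = WebFilterConfig(allowed_networks=[LAN, LAN2], skip_dst=[LAN])
    return decide(Flow(LAN2_HOST, LAN_HOST, 443), wf, RULES)[0]


def scenario_tagged_block() -> str:
    """The tag method from the reply above: LAN's CIDR tagged and blocked in the web policy."""
    wf = WebFilterConfig(allowed_networks=[LAN, LAN2], blocked_sites=[LAN])
    return decide(Flow(LAN2_HOST, LAN_HOST, 443), wf, RULES)[0]


if __name__ == "__main__":
    print("as posted (https, ssh):", scenario_as_posted())
    print("LAN2 not proxied:", scenario_lan2_not_proxied())
    print("LAN on skiplist:", scenario_skiplist())
    print("LAN tagged blocked:", scenario_tagged_block())
```

The quick check this suggests on a real box: from a LAN2 host, test the same LAN host on 443 and on a port the proxy does not intercept (22, or any port the Drop rule covers). If only the proxied ports get through, the Web Filter, not the rule order, is what needs changing.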

  • You might be interested in a document I maintain that I make available to members of the UTM Community, "Configure HTTP Proxy for a Network of Guests."  If you would like me to send you this document, PM me your email address.  I also maintain a version in German, initially translated by fellow member hallowach when he and I did a major revision in 2013.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA