DNAT black hole/null routing not working

I have been reading through Rulz and this earlier post trying to get my blackhole/null route working with DNAT since my firewall rules were not (as explained by Rulz).  From the latter link, BAlfson said the following is a valid DNAT configuration:

"DNAT : {group of bad IPs} -> Any -> {group of WAN (Address) objects} : to {non-existent IP}"

So I changed my configuration to look just like that:

  • "Bad actors" contains a variety of IP address Host objects,
  • "x Interfaces" contains a variety of * (Address) network objects

  • and "Black hole" is another Host object pointing to an invalid IP, which in my mind completes the null route creation

As you can see, I've told it to create an automatic firewall rule, and verified it is the first firewall rule to be processed after toggling all other NAT rules off and on again:

As a test, I added NPR.org's IP address to Bad actors, and then tried visiting their website via that same IP (HTTP & S) and it still loaded fine.

From what I can tell, there are no exceptions in place for my machine.

Am I contradicting the DNAT by adding both my external WAN interface IPs and the LAN interface IPs?

EDIT: disregard above question, I've tried only having external interfaces as well as just the 1 external interface (address) object with no change.

What should I try next? 

  • A DNAT rule will only work for traffic initiated from your bad actors group arriving at the addresses you specified. If you initiate a connection from your side (visiting a website), the return traffic will just arrive over the open connection.


    Managing several Sophos UTMs and Sophos XGs both at work and at some home locations, dedicated to continuously improving IT security and happy to help others with their IT security challenges.

    Sometimes I post some useful tips on my blog, see blog.pijnappels.eu/category/sophos/ for Sophos related posts.

  • That makes sense.  Thanks to both of you for enlightening me...clearly I needed to spend more time researching DNAT and SNAT.


    Anyways, since I wanted to block traffic in both directions, I ended up creating a SNAT rule with the opposite conditions, still routing to a non-existent IP.


    I should also say I'm only messing with NAT because I understand from Rulz that the UTM processes NAT before any firewall rules. It makes sense as to why they weren't 'applying', due to the order of request handling. I think my problem was I simply had a fundamental misunderstanding of NAT.


    Would you all recommend a different way to blacklist IPs?  Since I'm using the same Bad actors group in both DNAT and SNAT rules, I should only need to add to the single group any time I come across another bad actor.  However, I'm sure you can tell this is new territory to me so I'm definitely open to suggestions.


    Thanks again!

  • If you don't want return traffic to be able to reach your clients, then you most likely also don't want your clients to reach those "bad actors" at all. I would simply create a firewall rule (high in the chain) to drop traffic to those bad actors, and also configure web filtering so those are not reachable. That way, if your clients cannot connect to them, there will also be no return traffic.

    The DNAT will then take care of the bad actors not being able to connect to your environment.


    Managing several Sophos UTMs and Sophos XGs both at work and at some home locations, dedicated to continuously improving IT security and happy to help others with their IT security challenges.

    Sometimes I post some useful tips on my blog, see blog.pijnappels.eu/category/sophos/ for Sophos related posts.
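The point made in the two replies above (NAT rules only see the first packet of a new connection, so a reply to a client-initiated connection is accepted on state and the DNAT black hole never sees it, while an outbound drop rule does stop the client) as a small constructed model. This is added example code, not anything from the thread or from Sophos; the addresses, group names and port numbers are made-up stand-ins for the OP's "Bad actors", "x Interfaces" and "Black hole" objects.

```python
"""Toy model of stateful NAT evaluation (constructed example for this thread).
NAT and firewall rules are consulted only for the FIRST packet of a connection;
a reply to a flow the LAN client opened is matched by connection state first,
so the OP's DNAT rule never sees it. All addresses are constructed stand-ins."""

BAD_ACTORS = {"203.0.113.10"}   # stand-in for the "Bad actors" group
WAN_ADDRS = {"198.51.100.2"}    # stand-in for the "x Interfaces" (Address) group
BLACK_HOLE = "192.0.2.254"      # stand-in for the non-existent "Black hole" host
LAN_CLIENT = "10.0.0.5"         # constructed internal client


class StatefulFirewall:
    def __init__(self, drop_outbound_to_bad_actors=False):
        # Flows as seen on the wire after NAT: (src, dst, sport, dport)
        self.conntrack = set()
        self.drop_outbound = drop_outbound_to_bad_actors

    def handle(self, src, dst, sport, dport):
        # 1. Reply to a tracked flow: accepted on state, no rule is re-evaluated,
        #    even though a reply from a bad actor to the WAN IP "looks like" the
        #    DNAT rule's match criteria.
        if (dst, src, dport, sport) in self.conntrack:
            return "ACCEPT (established)"
        # 2. New connection: the UTM evaluates NAT before firewall rules.
        if src in BAD_ACTORS and dst in WAN_ADDRS:      # the OP's DNAT rule
            self.conntrack.add((src, BLACK_HOLE, sport, dport))
            return f"DNAT -> {BLACK_HOLE} (black-holed)"
        if self.drop_outbound and dst in BAD_ACTORS:    # the suggested drop rule
            return "DROP (firewall rule)"
        # 3. Outbound LAN traffic is masqueraded behind the WAN address.
        nat_src = next(iter(WAN_ADDRS)) if src.startswith("10.") else src
        self.conntrack.add((nat_src, dst, sport, dport))
        return "ACCEPT (new)"


def inbound_probe(fw):
    """Bad actor initiates a connection to the WAN address: DNAT applies."""
    return fw.handle("203.0.113.10", "198.51.100.2", 40000, 443)


def client_visit(fw):
    """LAN client opens HTTPS to the bad actor; the reply comes back to the WAN IP."""
    out = fw.handle(LAN_CLIENT, "203.0.113.10", 50000, 443)
    if out.startswith("DROP"):
        return out, None                 # nothing left the network, so no reply
    return out, fw.handle("203.0.113.10", "198.51.100.2", 443, 50000)


if __name__ == "__main__":
    print(inbound_probe(StatefulFirewall()), client_visit(StatefulFirewall()))
    print(client_visit(StatefulFirewall(drop_outbound_to_bad_actors=True)))
```

With only the DNAT rule the inbound probe is black-holed but the client's visit succeeds on the established state; enabling the outbound drop rule is what actually stops the client, which is the recommendation in the reply above.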
