Guest User!

You are not Sophos Staff.

Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 6 replies
  • Answers 1 answer
  • Subscribers 4 subscribers
  • Views 9022 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

DNAT port blocking

edo terzic

Hello sophos forum users,

I setup my NAT rules so I would block all traffic except a safe service group which contains only HTTP and HTTPS.

If I turn off rule #1 I can't access it at all, so it would seem that it is working.

Any ideas on how I can test if I can access a port of an instance behind a sophos WAF ?



This thread was automatically locked due to age.
Parents
  • 0

    Hey Edo.

    I'm confused. Are you using DNAT or WAF? One exempts the other.

    Regards,

    Giovani

  • 0 in reply to giomoda

    Hey Gioviani

    I am using a WAF, but i din't find any options for port blocking so i'm using DNATs just for that

  • 0 in reply to edo terzic

    Well, to me you are defeating WAF's purpose altogether. If I understand correctly, your DNAT rule is forwarding HTTP and HTTPS to the webserver and probably bypassing WAF. The concept of WAF is that you don't allow direct connections to your protected web servers at all. The request lands on the UTM, which analyses and scans the traffic and then proxies it to the server. There's no need to do any port blocking at all, as the default behavior of the UTM firewall is to block any traffic unless otherwise allowed.

    Unless we're talking about ports/services other than HTTP/HTTPS, a case on which you would need extra DNAT rules.

    Regards,

    Giovani

  • 0 in reply to giomoda

    Ty for your input Giovani

    Now that you mention it this bypasses the WAF altogether which I didn't think about before.

    I was thinking that I should close down any unused ports, but the more I think about it the more I see that it is unnecessary.

    Regards, Edo

  • +1 in reply to edo terzic

    It really is. As I said, if it's not explicitly allowed, it's blocked. With UTM you don't really need to bother on closing things down as you would on a regular router.

    Thinking about it a little more, you mentioned that when you disabled the first DNAT rule nothing worked. That is probably because your second DNAT rule breaks WAF as well, as you enabled automatic firewall rules and that would drop connections from "any" using HTTP/HTTPS to your web server, which includes the UTM itself. I would get rid of both DNAT rules and let WAF do its job.

    Regards,

    Giovani

  • 0 in reply to edo terzic

    Edo, see #2 in Rulz to understand why Giovani said what he did about DNATs.

    See #4 to understand why your DNATs weren't working.  If you fixed that and replaced DNAT 1 with a NoNAT rule, you would accomplish what you originally said you wanted.  Again, reread rule #2.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Reply
  • 0 in reply to edo terzic

    Edo, see #2 in Rulz to understand why Giovani said what he did about DNATs.

    See #4 to understand why your DNATs weren't working.  If you fixed that and replaced DNAT 1 with a NoNAT rule, you would accomplish what you originally said you wanted.  Again, reread rule #2.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Children
No Data
Unfiltered HTML