
Firewall rules with multiple interfaces

One tutorial I was checking for implementing Sophos UTM 9 implemented one inside interface and one outside interface. The routing table was created such that external traffic from other subnets was pointed to the inside interface of the firewall, and the inside subnet (the internal interface of Sophos was in this subnet) was sending external traffic to the outside interface. Other subnets accepted traffic from the inside subnet only. Then firewall rules were set up. I have a few questions regarding this implementation:


1. When we apply firewall rules, which interface does a rule get applied to in the case of multiple interfaces? In iptables we specify the interface on which the rule has to be applied; here I can see only source, destination and service. So how does the rule get applied if we are not specifying any interface? Suppose I set up a rule that traffic from p.q.r.s going to service xyz has to be dropped; where will it get dropped? On the external outside interface or the inside interface?


2. What is the use case of having multiple interfaces? I can directly connect my subnets to send traffic to the outside interface of Sophos and set up firewall rules at the external interface, such as "drop all packets coming from p.q.r.s for service xyz". Why do we create separate inside and outside interfaces? I tried applying all firewall rules using the outside interface only and it works as expected, so what are the use cases for creating separate interfaces?



This thread was automatically locked due to age.
  • Hey Krrish.

    I'm having a real hard time understanding your question. To which tutorial are you referring? Let me try to answer you the best I can.

    1) The rules are applied based on the objects you place under "Source" and "Destination". Taking your example, if you want to block your internal devices from accessing service xyz on destination p.q.r.s, your rule would be Internal Network -> xyz -> p.q.r.s -> drop/reject. The UTM will figure out where to apply the rule on its own. Bear in mind that, different from SoHO routers, Sophos UTM blocks everything and only allows the traffic you specifically allow by creating firewall rules, so I would focus on creating rules to allow stuff instead of rules to block it. You should check Rulz for a better understanding of how things work on Sophos UTM.


    2) I really don't understand this question. This is how it works everywhere: you need a WAN (public) interface and one (or several) LAN (private) interface(s). Your rules work because the UTM knows where to apply them based on the objects you set under Source and Destination. When you use your WAN interface as the source on a firewall rule, as per your example, the only difference is that the packet will be dropped later on during the processing. You would benefit from blocking it before it even enters the queue by using your internal network as the source, assuming that what you are blocking is in fact communication from your internal network to the internet. That way the UTM has less processing to do and, by consequence, less processing power is used.

    Regards,

    Giovani
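As an added illustration of the point made in this reply, that a UTM rule matches on source, destination and service and never names an interface, here is a small Python model of that rule evaluation. It is example code written for this page, not code from the thread or from Sophos. The ordered rule list, the deny-by-default fallback, the internal network 10.0.2.0/24, the stand-in 203.0.113.10 for "p.q.r.s" and tcp/443 for "service xyz" are all constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed objects: documentation address ranges, not values from the thread.
# "p.q.r.s" in the question is stood in for by 203.0.113.10, "service xyz" by tcp/443.
INTERNAL_NETWORK = "10.0.2.0/24"
HOST_PQRS = "203.0.113.10/32"


@dataclass(frozen=True)
class Service:
    proto: str   # "tcp" or "udp"
    port: int    # destination port


@dataclass(frozen=True)
class Rule:
    source: str        # CIDR the packet's source must fall in
    service: Service   # protocol/port the packet must match
    destination: str   # CIDR the packet's destination must fall in
    action: str        # "allow" or "drop"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    ingress_if: str    # carried only to show it is never consulted by the matcher


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when source, destination and service all match; the interface is not a criterion."""
    return (
        ip_address(pkt.src) in ip_network(rule.source)
        and ip_address(pkt.dst) in ip_network(rule.destination)
        and rule.service.proto == pkt.proto
        and rule.service.port == pkt.dport
    )


def evaluate(rules: List[Rule], pkt: Packet, default: str = "drop") -> Tuple[str, Optional[int]]:
    """Walk the ordered rule list; the first matching rule decides and its number is
    returned. With no match the default applies, which models deny-by-default:
    traffic that no rule explicitly allows is dropped."""
    for number, rule in enumerate(rules, start=1):
        if matches(rule, pkt):
            return rule.action, number
    return default, None


HTTPS = Service("tcp", 443)
RULES = [
    Rule(INTERNAL_NETWORK, HTTPS, HOST_PQRS, "drop"),      # the block rule from the reply
    Rule(INTERNAL_NETWORK, HTTPS, "0.0.0.0/0", "allow"),   # internal hosts may reach other HTTPS
]


def demo() -> dict:
    """Evaluate a few constructed packets against RULES."""
    # The same flow arriving on two different interfaces gets the same verdict.
    via_inside = Packet("10.0.2.15", "203.0.113.10", "tcp", 443, "eth-inside")
    via_outside = Packet("10.0.2.15", "203.0.113.10", "tcp", 443, "eth-outside")
    return {
        "to_pqrs_via_inside": evaluate(RULES, via_inside),
        "to_pqrs_via_outside": evaluate(RULES, via_outside),
        "to_other_https": evaluate(RULES, Packet("10.0.2.15", "198.51.100.7", "tcp", 443, "eth-inside")),
        "unsolicited_inbound": evaluate(RULES, Packet("198.51.100.7", "10.0.2.15", "tcp", 443, "eth-outside")),
        "internal_ssh": evaluate(RULES, Packet("10.0.2.15", "198.51.100.7", "tcp", 22, "eth-inside")),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22s} -> {verdict}")
```

The two `to_pqrs_*` packets differ only in `ingress_if` and get the identical verdict, which is the interface-independence the reply describes; `unsolicited_inbound` and `internal_ssh` fall through to the default and are dropped, which is the "only allow what you explicitly permit" behaviour.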

  • Hi,

    As you mentioned that the UTM is intelligent enough to decide on which interface the rule has to be applied, that clears the first confusion.

    Regarding the second one I will try to be more expressive.


    The VPC has 4 subnets right now: sophos-outside, sophos-inside, application and database.

    Sophos has two interfaces, inside and outside.

    The outside interface of Sophos lies in the sophos-outside subnet, the inside interface in the sophos-inside subnet. The application and database subnets have the application and database servers respectively.

    There are two routing tables:

    1. Route all traffic going to 0.0.0.0 to the inside interface of Sophos. This is used by all subnets except the sophos-outside subnet.

    2. Route all traffic going to 0.0.0.0 to the internet gateway. This is used by the sophos-outside subnet only.


    Security rules are such that the application servers accept traffic from the inside subnet only.

    SNAT rules are set to change the source address to the inside interface address for certain traffic so that it gets accepted by the application servers.


    Now I am confused because I can't see any real use of the inside interface, because:


    1. Rather than sending external traffic to the inside interface of the UTM, we can direct it to the outside interface only.

    2. For traffic to be accepted by the application servers, we can change the source address to the inside interface address without having any internal interface. (I think that there will be a problem for the reply to come back, as it will have the inside-interface IP as destination, which will not exist, but I am not sure.)

    3. Also, as the inside subnet is also using the routing table which says to forward any external traffic to the inside interface of Sophos, why is there no loop created? For example, the application server sends a packet to p.q.r.s; it will go to the inside interface of Sophos. Now from here again it will loop back to the same interface according to the subnet rules. Is it the case that Sophos automatically forwards traffic to the outside interface of Sophos rather than sending the packet back to the router?

    The questions may be very silly, but I am very new to it and I want to understand it properly. So sorry for the inconvenience.


    Regards
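As an added model of the topology laid out in this post (example code written for this page, not code from the thread, from AWS or from Sophos), the following Python traces one packet from the application subnet through the two VPC route tables described above. Everything it assumes is labelled: the addresses are constructed placeholders, 203.0.113.10 stands in for "p.q.r.s", and the UTM's own routing table is assumed to send its default route out the outside interface. A second, counterfactual UTM table whose default route points back out the inside interface is included so the loop raised in point 3 can be seen: it appears only when the UTM itself forwards such traffic back into the sophos-inside subnet, whose VPC route table hands it straight back to the UTM.

```python
from ipaddress import ip_address, ip_network
from typing import List, Tuple

# Constructed VPC layout mirroring the four subnets in the post. All addresses are
# placeholders chosen for this example; "p.q.r.s" is stood in for by 203.0.113.10.
VPC_CIDR = "10.0.0.0/16"
SUBNET_CIDR = {
    "sophos-outside": "10.0.0.0/24",
    "sophos-inside": "10.0.1.0/24",
    "application": "10.0.2.0/24",
    "database": "10.0.3.0/24",
}

# VPC route tables as described: every subnet except sophos-outside sends 0.0.0.0/0
# to the UTM's inside ENI; sophos-outside sends it to the internet gateway.
RT_VIA_UTM = [(VPC_CIDR, "local"), ("0.0.0.0/0", "eni:utm-inside")]
RT_TO_IGW = [(VPC_CIDR, "local"), ("0.0.0.0/0", "igw")]
SUBNET_ROUTE_TABLE = {
    "sophos-outside": RT_TO_IGW,
    "sophos-inside": RT_VIA_UTM,
    "application": RT_VIA_UTM,
    "database": RT_VIA_UTM,
}

# The UTM's own routing table (an assumption for this example, not stated in the
# thread): connected routes for each interface, default route via the outside one.
UTM_ROUTES_DEFAULT_OUTSIDE = [
    (SUBNET_CIDR["sophos-outside"], "eth-outside"),
    (SUBNET_CIDR["sophos-inside"], "eth-inside"),
    ("0.0.0.0/0", "eth-outside"),
]
# Counterfactual: a UTM whose default route pointed back out the inside interface.
UTM_ROUTES_DEFAULT_INSIDE = UTM_ROUTES_DEFAULT_OUTSIDE[:2] + [("0.0.0.0/0", "eth-inside")]
SUBNET_OF_INTERFACE = {"eth-outside": "sophos-outside", "eth-inside": "sophos-inside"}


def lookup(table: List[Tuple[str, str]], dst: str) -> str:
    """Longest-prefix match over (prefix, target) pairs."""
    addr = ip_address(dst)
    best_len, best_target = -1, "unreachable"
    for prefix, target in table:
        net = ip_network(prefix)
        if addr in net and net.prefixlen > best_len:
            best_len, best_target = net.prefixlen, target
    return best_target


def trace(src_subnet: str, dst: str, utm_routes: List[Tuple[str, str]], max_hops: int = 10):
    """Follow one packet hop by hop. In a subnet, the VPC route table of that subnet is
    consulted. When the packet is handed to the UTM's inside ENI, the UTM's own table
    picks the egress interface and the packet continues from that interface's subnet.
    Returns (hops, outcome) where outcome is "igw", "local", "loop" or "unreachable"."""
    hops = []
    seen = set()
    subnet = src_subnet
    for _ in range(max_hops):
        if subnet in seen:          # the same subnet route table consulted twice: a loop
            return hops, "loop"
        seen.add(subnet)
        target = lookup(SUBNET_ROUTE_TABLE[subnet], dst)
        hops.append((subnet, target))
        if target in ("igw", "local"):
            return hops, target
        if target != "eni:utm-inside":
            return hops, "unreachable"
        egress = lookup(utm_routes, dst)        # the UTM forwards by its own table
        hops.append(("utm", egress))
        subnet = SUBNET_OF_INTERFACE[egress]    # packet re-enters the VPC from that ENI
    return hops, "loop"


if __name__ == "__main__":
    for label, routes in (("default via outside", UTM_ROUTES_DEFAULT_OUTSIDE),
                          ("default via inside", UTM_ROUTES_DEFAULT_INSIDE)):
        hops, outcome = trace("application", "203.0.113.10", routes)
        print(f"{label}: {outcome} {hops}")
```

With the assumed table the path is application subnet -> UTM inside ENI -> UTM egress eth-outside -> sophos-outside route table -> igw, three hops and no loop; with the counterfactual table the packet leaves the UTM into sophos-inside, whose route table sends it back to the inside ENI, and `trace` reports the loop on the second visit.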

  • Ah, so we're talking about Sophos UTM on AWS here? That changes things a bit. Since I have very little experience with this scenario, I'll leave it for someone more seasoned on the subject to help you.

    Regards,

    Giovani
