Firewall rules with multiple interfaces

One tutorial I was checking for implementing SOPHOS UTM 9 implemented one inside interface and one outside interface. The routing table was created such that external traffic from other subnets was pointed to the inside interface of the firewall, and the inside subnet (the internal interface of Sophos was in this subnet) was sending external traffic to the outside interface. Other subnets accepted traffic from the inside subnet only. Then firewall rules were set up. I have a few questions regarding this implementation:

1. When we apply firewall rules, which interface do they get applied to in the case of multiple interfaces? In iptables we specify the interface on which the rule has to be applied; here I can see only source, destination and service. So how does the rule get applied when we are not specifying any interface? Suppose I set up a rule that traffic from p.q.r.s going to service xyz has to be dropped, then where will it get dropped? On the external outside interface or the inside interface?

2. What is the use case of having multiple interfaces? I can directly connect my subnets to send traffic to the outside interface of Sophos and set up firewall rules at the external interface such as "drop all packets coming from p.q.r.s for service xyz". Why do we create separate inside and outside interfaces? I tried applying all firewall rules using the outside interface only and it works as expected, so what are the use cases for creating separate interfaces?



  • Hey Krrish.

    I'm having a real hard time understanding your question. Which tutorial are you referring to? Let me try to answer you the best I can.

    1) The rules are applied based on the objects you place under "Source" and "Destination". Taking your example, if you want to block your internal devices from accessing service xyz on destination p.q.r.s, your rule would be Internal Network -> xyz -> p.q.r.s -> drop/reject. The UTM will figure out where to apply the rule on its own. Bear in mind that, different from SoHO routers, Sophos UTM blocks everything and only allows the traffic you specifically allow by creating firewall rules, so I would focus on creating rules to allow stuff instead of rules to block them. You should check Rulz for a better understanding of how things work on Sophos UTM.

    2) I really don't understand this question. This is how it works everywhere: you need a WAN (public) interface and one (or several) LAN (private) interface(s). Your rules work because the UTM knows where to apply them based on the objects you set under Source and Destination. When you use your WAN interface as the source on a firewall rule, as per your example, the only difference is that the packet will be dropped later on during the processing. You would benefit from blocking it before it even enters the queue by using your internal network as the source, that is assuming that what you are blocking is in fact communication from your internal network to the internet. That way the UTM has less processing to do and by consequence less processing power is used.

    Regards,

    Giovani

  • Hi,

    As you mentioned, the UTM is intelligent enough to decide on which interface the rule has to be applied; that clears the first confusion.

    Regarding the second one I will try to be more expressive.

    The VPC has 4 subnets right now: sophos-outside, sophos-inside, application and database.

    Sophos has two interfaces, inside and outside.

    Outside interface of sophos lies in sophos-outside subnet, inside interface in sophos-inside subnet. Application and database subnets have application and database servers respectively.

    There are two routing tables:

    1. Route all traffic going to 0.0.0.0 to the inside interface of Sophos. This is being used by all subnets except the sophos-outside subnet.

    2. Route all traffic going to 0.0.0.0 to the internet gateway. This is being used by the sophos-outside subnet only.

    Security rules are such that application servers accept traffic from the inside subnet only.

    SNAT rules are set to change the source address to the inside interface address for certain traffic so that it gets accepted by the application servers.

    Now I am confused because I can't see any real use of the inside interface, because:

    1. Rather than sending external traffic to the inside interface of the UTM, we can direct it to the outside interface only.

    2. For traffic to be accepted by application servers, we can change the source address to the inside interface address without having any internal interface. (I think that there will be a problem for the reply to come back, as it will have the inside-interface IP as the destination, which will not exist, but I am not sure.)

    3. Also, as the inside subnet is also using the routing table which says to forward any external traffic to the inside interface of Sophos, why is no loop created? For example, an application server sends a packet to p.q.r.s; it will go to the inside interface of Sophos. Now from here it will loop back to the same interface according to the subnet rules. Is it the case that Sophos automatically forwards traffic to its outside interface rather than sending the packet back to the router?

    The questions may be very silly, but I am very new to it and I want to understand it properly. So sorry for the inconvenience.

    Regards
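The layout described in the post above (two VPC route tables, a UTM with an inside and an outside ENI, SNAT on the way out), as a constructed Python packet-path model added here; it is not part of the thread and all addresses are made up. It assumes the UTM forwards by its own routing table with a default route out of the outside ENI, and it also traces the loop the third question worries about, which the model only produces if the UTM emitted internet-bound traffic from its inside ENI instead.

```python
"""Constructed packet-path model of the VPC layout described in the thread (all addresses are made up)."""
UTM_OUTSIDE, UTM_INSIDE = "10.0.0.10", "10.0.1.10"      # UTM ENIs in sophos-outside / sophos-inside
APP_SERVER, INTERNET_HOST = "10.0.2.20", "203.0.113.5"  # app-subnet server and the thread's "p.q.r.s"
IGW = "igw"                                              # AWS internet gateway
# The two VPC route tables from the post: sophos-outside sends 0.0.0.0/0 to the IGW,
# every other subnet sends it to the UTM's inside ENI.
VPC_DEFAULT = {"10.0.0": IGW, "10.0.1": UTM_INSIDE, "10.0.2": UTM_INSIDE, "10.0.3": UTM_INSIDE}

def in_vpc(ip):
    return ip.startswith("10.0.")

def vpc_next_hop(emitter, dst):
    """AWS routing: VPC-local destinations go direct; anything else follows the emitting subnet's default route."""
    return dst if in_vpc(dst) else VPC_DEFAULT[emitter.rsplit(".", 1)[0]]

def utm_forward(pkt, egress, nat):
    """Assumed UTM behaviour: it routes by its own table, not the VPC's. Internet-bound packets are
    SNATed to the egress ENI's address and sent out of it; replies found in the NAT table are un-NATed
    and sent out of the inside ENI. Returns (emitting ENI, rewritten packet)."""
    src, dst = pkt
    if (src, dst) in nat:                    # reply to a translated flow: restore the inside address
        return UTM_INSIDE, (src, nat[(src, dst)])
    if in_vpc(dst):                          # VPC-internal destination: out of the inside ENI
        return UTM_INSIDE, pkt
    nat[(dst, egress)] = src                 # remember the flow so the reply can be mapped back
    return egress, (egress, dst)

def trace(src, dst, egress=UTM_OUTSIDE, nat=None, max_hops=8):
    """Follow one packet hop by hop. Returns (path, delivered); a routing loop exhausts max_hops."""
    nat = {} if nat is None else nat
    node, pkt, path = src, (src, dst), [src]
    for _ in range(max_hops):
        if node in (UTM_INSIDE, UTM_OUTSIDE):
            emitter, pkt = utm_forward(pkt, egress, nat)
        elif node == pkt[1]:                 # reached the packet's (possibly un-NATed) destination
            return path, True
        else:
            emitter = node
        if emitter != node:                  # the UTM sent it out of its other ENI: show that hop
            path.append(emitter)
        if emitter == INTERNET_HOST:         # the internet host's upstream is the IGW
            node = IGW
        elif emitter == IGW:                 # the IGW hands packets to the internet or into the VPC
            node = pkt[1] if in_vpc(pkt[1]) else INTERNET_HOST
        else:
            node = vpc_next_hop(emitter, pkt[1])
        path.append(node)
    return path, False                       # never delivered: the packet kept bouncing (a loop)
```

Calling `trace(APP_SERVER, INTERNET_HOST)` walks app server, UTM inside ENI, UTM outside ENI, IGW, internet host, and the reply to the SNAT address comes back through the NAT table to the app server; with `egress=UTM_INSIDE` the sophos-inside route table hands the packet straight back to the UTM and the trace never delivers.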

  • Ah, so we're talking about Sophos UTM on AWS here? That changes things a bit. Since I have very little experience with this scenario, I'll leave it for someone more seasoned on the subject to help you.

    Regards,

    Giovani

  • As Giovani suggests, read Rulz, especially #2 through #4. WebAdmin manipulates databases of objects and settings. The configuration daemon then creates the lines of iptables (and other) code that actually run the UTM. The diagrams in the Rulz post should help you "see" what's going on.

    I'm a visual-tactile learner, so I would have to draw a diagram to be able to understand your description. I suspect I'm not alone, so maybe you could show one with representative addresses and subnets. Nothing fancy, just a picture of a hand-drawn diagram would suffice.

    Cheers - Bob
    PS As a moderator here, I can move this thread to the "UTM on AWS" forum if you think that's where this needs to be.

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi,

    Rulz cleared most of the confusion.

    Regarding the interfaces in the firewall, I was getting confused because AWS gives both a private and a public IP to the same interface. On their side they NAT the requests meant for the public IP of an interface to the private IP of that interface. So in my case everything was working fine even with a single interface, because that interface was receiving public traffic as well as sending outbound traffic. Please correct me if any of this seems to be wrong.

    Now what I am wondering is: in this scenario, is it required to have two different interfaces?

     

    Thanks