This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

[7.405] Possible bug in HTTP-proxy

Hi,

I've noticed a strange thing today. First our setup:

ASG 7.405 with lots of VLANs and transparent HTTP proxy.

In our place we have many different companies accessing internet behind our ASG. I've configured every company on different LANs using VLANS.

Now i've discovered that every company that uses our http-proxy can access any of the other VLANs printers (webinterface) on the different VLANS, even though i've setup rules like this:

LAN2 > service: any > LAN1- drop/reject

Example:

LAN1: 192.168.2.x
LAN2: 192.168.10.x
LAN1 printer: 192.168.2.114

Users on LAN2: can browse to http://192.168.2.*** and access the webinterface of the printer. This shouldn't be working since i have PF-rules denying access. Somehow the proxy seem to override these rules

But, if i remove the company's LAN from the proxy, and add HTTP as a packetfilter rule, then they can't access our printers webinterface.

So, what's the deal here? Why is the proxy overriding these rules making it insecure?

Any ideas?

Thank you

This thread was automatically locked due to age.

Parents

0 BAlfson over 16 years ago

Coder68's suggestion will work.  Another member here, esev, and I have worked together on a document for the KnowledgeBase that deals with this problem.

The general idea is that you need a separate HTTP Profile in Standard (or other non-transparent) mode for each customer.  The main HTTP setup is in Transparent mode, blocks everything and includes all VLANs in the transparent mode skiplist with 'Allow HTTP traffic for listed hosts/nets' not checked.

The customers VLANs should not be in 'Allowed Networks' for DNS.  If you provide DHCP for them, you should provide only the external DNS servers of your ISP.  At the top of the Packet Filter list, add: 'Any -> DNS -> Internet : Allow'; Instead of 'Any', you might use "Customers" = 192.168.0.0/16, for example.

Create another PF rule near the bottom (using, for example, the definition above): 'Customers -> Any -> Customers : Drop'.

Customers wishing to access the Internet will need to point their browsers at the Astaro Proxy and select the option to 'Bypass the proxy for local addresses'.

You can click on my name above and email me if you would like a draft copy of the document in its current state.

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 BAlfson over 16 years ago

Coder68's suggestion will work.  Another member here, esev, and I have worked together on a document for the KnowledgeBase that deals with this problem.

The general idea is that you need a separate HTTP Profile in Standard (or other non-transparent) mode for each customer.  The main HTTP setup is in Transparent mode, blocks everything and includes all VLANs in the transparent mode skiplist with 'Allow HTTP traffic for listed hosts/nets' not checked.

The customers VLANs should not be in 'Allowed Networks' for DNS.  If you provide DHCP for them, you should provide only the external DNS servers of your ISP.  At the top of the Packet Filter list, add: 'Any -> DNS -> Internet : Allow'; Instead of 'Any', you might use "Customers" = 192.168.0.0/16, for example.

Create another PF rule near the bottom (using, for example, the definition above): 'Customers -> Any -> Customers : Drop'.

Customers wishing to access the Internet will need to point their browsers at the Astaro Proxy and select the option to 'Bypass the proxy for local addresses'.

You can click on my name above and email me if you would like a draft copy of the document in its current state.

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel

Children

No Data