
WAF - range of ports

So I've got a web application that needs not only 443 but also a range of additional ports, e.g. 30000-30200.

I want/need the higher range ports to be inspected/protected through WAF, I don't want to just blindly open them up to the outside.

I thought I could use a NAT, but can't use a virtual Webserver as the target.

I can only put a single port in the virtual Webserver Port field.


What's a fella to do, except add 200 virtual servers and 200 real servers?


UTM9 9.601-5



  • Are you sure you don't need just NAT and/or a firewall rule for 30000:30200?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thanks Mr. Alfson,

    I understand it's a strange request.

    I didn't want to go into the details of the application but suffice to say I want all the inbound traffic inspected as though it were a web client making a request.

    A NAT and FW rule would bypass that, no?

  • Soooo on a regular Linux box I can do a: iptables -t nat -A PREROUTING -p tcp --dport 30000:30200 -j REDIRECT --to-ports 443

    This would redirect all the traffic from the dports to 443 where it would be treated accordingly by the installed firewall.

    Can I set up this kind of prerouting on UTM9 with NAT?  (Maybe Rulz 2.7)
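A side effect of the iptables REDIRECT rule in the post above that is worth knowing before relying on it: once every connection to 30000-30200 is rewritten to 443, the listener on 443 no longer knows which of the 200 ports the client actually hit. On Linux the pre-NAT destination survives in conntrack and can be read back from the accepted socket with the SO_ORIGINAL_DST socket option. The example below (added here for illustration; it is not from the thread and not part of UTM9) shows a listener on the redirect target recovering the original port; `make_sockaddr_in` builds a kernel-style `struct sockaddr_in` purely so the parser can be exercised without a live iptables rule, and the constant `80` for `SO_ORIGINAL_DST` is taken from `<linux/netfilter_ipv4.h>` and is an assumption about the Linux headers (the Python socket module does not export it). This only applies to REDIRECT on the same host; with the UTM DNAT-to-WAF arrangement the WAF terminates the TCP session and opens its own connection to the real web server, so the backend has no conntrack entry to ask.

```python
import socket
import struct

# SO_ORIGINAL_DST from <linux/netfilter_ipv4.h> (Linux only; assumed value 80,
# not exported by the Python socket module).
SO_ORIGINAL_DST = 80
SOCKADDR_IN_LEN = 16  # sizeof(struct sockaddr_in)


def make_sockaddr_in(ip: str, port: int) -> bytes:
    """Build a struct sockaddr_in laid out the way the kernel returns it:
    sa_family in host byte order, sin_port and sin_addr in network byte
    order, 8 bytes of zero padding. Used here only to construct test input
    so the parser can be run without an actual REDIRECT rule in place."""
    return (struct.pack("=H", socket.AF_INET)
            + struct.pack("!H", port)
            + socket.inet_aton(ip)
            + bytes(8))


def parse_sockaddr_in(raw: bytes) -> tuple[str, int]:
    """Decode the buffer returned by getsockopt(SO_ORIGINAL_DST)."""
    if len(raw) < 8:
        raise ValueError("sockaddr_in too short: %d bytes" % len(raw))
    (family,) = struct.unpack("=H", raw[:2])
    if family != socket.AF_INET:
        raise ValueError("unexpected address family %d" % family)
    (port,) = struct.unpack("!H", raw[2:4])
    return socket.inet_ntoa(raw[4:8]), port


def original_destination(conn: socket.socket) -> tuple[str, int]:
    """Ask conntrack for the address:port the client really connected to,
    i.e. the destination before the PREROUTING REDIRECT rewrote it."""
    raw = conn.getsockopt(socket.SOL_IP, SO_ORIGINAL_DST, SOCKADDR_IN_LEN)
    return parse_sockaddr_in(raw)


def in_redirected_range(port: int, low: int = 30000, high: int = 30200) -> bool:
    """True if the recovered port is one of the ports the REDIRECT rule covers."""
    return low <= port <= high


def serve(listen_port: int = 443, low: int = 30000, high: int = 30200) -> None:
    """Minimal listener on the redirect target: logs the original port of
    each connection and refuses anything that did not arrive via the range
    (a direct hit on the listen port shows up as the listen port itself)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("0.0.0.0", listen_port))
        srv.listen(16)
        while True:
            conn, peer = srv.accept()
            with conn:
                ip, port = original_destination(conn)
                ok = in_redirected_range(port, low, high)
                print("%s:%d -> original dst %s:%d (%s)"
                      % (peer[0], peer[1], ip, port,
                         "in range" if ok else "direct, rejecting"))
                if not ok:
                    continue
                conn.sendall(b"HTTP/1.0 200 OK\r\nContent-Length: 0\r\n\r\n")


if __name__ == "__main__":
    # Needs root (port 443) and the REDIRECT rule from the post installed;
    # confirm the rule with: iptables -t nat -L PREROUTING -n -v
    serve()
```

The `in_redirected_range` check is the practical reason for reading the original port at all: if the application behind the redirect treats 30000 and 30100 differently, it needs this value, and a connection whose original destination equals the listen port itself is one that bypassed the range rather than one the rule delivered.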

  • I haven't tried it, but 'DNAT : Internet -> {30000:30200} -> External (Address) : to 443' should work.  Note that if these are response packets to a request from you, the rule is unnecessary as the connection tracker will handle the traffic.

    Cheers - Bob

  • BAlfson said:
    Is this question really about WAF

    IMHO this is about WAF and working around the inability to select a range of ports to proxy to the web server... but who am I to say.

     

    BAlfson said:
    'DNAT : Internet -> {30000:30200} -> External (Address) : to 443' should work. 

    Here's what I did:

    Traffic selector:   Any →   {30000:30200} →   External (WAN) (Address)
    Destination translation: External (WAN) (Address)  -> {443}
    Automatic Firewall rule: X
    Initial packets are logged: X 

    By doing it this way, as opposed to directing the traffic directly to the server, the traffic is run through WAF (I hope).

    It appears to be working.

    BAlfson said:
    Note that if these are response packets...

    These are request packets originating from outside.  So what would be really cool is if I could use WAF to filter for the specific request pattern.  Or would that be somewhere else?           (I realize I'm changing the subject so if I should start a new topic, say so, I'll just reference this for the history.)

    And thank you very much for the suggestion!

  • You will want to get in the habit of leaving unchanged fields blank although that's not critical to the success of this rule: 'Destination translation: {blank}  -> {443}'.  See #5 in Rulz.

    Yes the traffic is going through WAF.  I'll move this thread from General Discussion to the Web Server Security sub-forum.

    Cheers - Bob
