
SG NAT sporadically "leaking"?

Hello, UTM users!

I have a peculiar phenomenon for you: [:)]

Scenario:

INTERNAL network <> SG-125 cluster/proxy/NAT (9.506) <> Lancom/Telekom (SIP/ISDN)/VDSL/NAT (10.12.0147) <> Internet

Nothing special so far. It also runs fast (VDSL 100/40).

Question: who else sees the phenomenon that un-NATed packets from the INTERNAL network arrive at an upstream xDSL router?

Roughly every 1-6 minutes I get an entry in the Lancom's firewall log saying that a packet from the INTERNAL network of the SG-125 was blocked.

tcp/80 (http), tcp/443 (https), tcp/5938 (teamviewer)

I was quite astonished.

Does the NAT firewall perhaps become "leaky" during internal update processes? ...

Regards, Andreas



  • Hello Andreas,

    First of all, a warm welcome here in the Community!

    (Sorry, my German-speaking brain isn't creating thoughts at the moment. [:(])

    Since this is predominantly HTTP/S traffic, please show a line, if such a one exists, from the Web Filtering log corresponding to one of the blocks above.

    Although you didn't ask, I would suggest putting the Lancom in bridge mode if possible, thus allowing the UTM to have the public IP.

    Regards - Bob (Please continue in German.)

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hello, Bob!

    Thank you for your reply and your welcome to the Community!

    It is not directly related to the web filter. At the time the screenshot was taken, there was almost only HTTPS traffic.

    Current excerpt:

    I extracted 2 examples (08:06:31, 08:05:39) from the logs: there is neither an entry in the web filter log NOR in the packet filter log!

    You can't find the IPs 212.79.62.249 and 91.228.167.36.

    http.log:

    2018:03:12-08:05:28 firewall-2 httpproxy[5618]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="POST" srcip="int.ern.al.23" dstip="52.138.148.159" user="" group="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="1730" request="0xd92d6600" url="dmd.metaservices.microsoft.com/.../metadata.svc" referer="" error="" authtime="0" dnstime="0" cattime="185" avscantime="5083" fullreqtime="121959" device="0" auth="0" ua="MICROSOFT_DEVICE_METADATA_RETRIEVAL_CLIENT" exceptions="av,sandbox,ssl,fileextension,size" category="177" reputation="neutral" categoryname="Content Server" content-type="text/xml"
    2018:03:12-08:05:28 firewall-2 httpproxy[5618]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="POST" srcip="int.ern.al.23" dstip="104.74.143.169" user="" group="" ad_domain="" statuscode="302" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0x950cc00" url="go.microsoft.com/.../ referer="" error="" authtime="0" dnstime="454" cattime="168" avscantime="4938" fullreqtime="44447" device="0" auth="0" ua="MICROSOFT_DEVICE_METADATA_RETRIEVAL_CLIENT" exceptions="av,sandbox,ssl,fileextension,size" category="9998" reputation="unverified" categoryname="Uncategorized"
    2018:03:12-08:05:29 firewall-2 httpproxy[5618]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="POST" srcip="int.ern.al.23" dstip="52.138.148.159" user="" group="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="1730" request="0xd92d6600" url="dmd.metaservices.microsoft.com/.../metadata.svc" referer="" error="" authtime="0" dnstime="0" cattime="180" avscantime="5089" fullreqtime="127311" device="0" auth="0" ua="MICROSOFT_DEVICE_METADATA_RETRIEVAL_CLIENT" exceptions="av,sandbox,ssl,fileextension,size" category="177" reputation="neutral" categoryname="Content Server" content-type="text/xml"
    2018:03:12-08:05:29 firewall-2 httpproxy[5618]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="POST" srcip="int.ern.al.23" dstip="104.74.143.169" user="" group="" ad_domain="" statuscode="302" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0x9466600" url="go.microsoft.com/.../ referer="" error="" authtime="0" dnstime="185" cattime="181" avscantime="5235" fullreqtime="45160" device="0" auth="0" ua="MICROSOFT_DEVICE_METADATA_RETRIEVAL_CLIENT" exceptions="av,sandbox,ssl,fileextension,size" category="9998" reputation="unverified" categoryname="Uncategorized"
    2018:03:12-08:05:29 firewall-2 httpproxy[5618]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="POST" srcip="int.ern.al.23" dstip="52.138.148.159" user="" group="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="1732" request="0xd92d6600" url="dmd.metaservices.microsoft.com/.../metadata.svc" referer="" error="" authtime="0" dnstime="0" cattime="197" avscantime="5035" fullreqtime="126850" device="0" auth="0" ua="MICROSOFT_DEVICE_METADATA_RETRIEVAL_CLIENT" exceptions="av,sandbox,ssl,fileextension,size" category="177" reputation="neutral" categoryname="Content Server" content-type="text/xml"
    2018:03:12-08:05:29 firewall-2 httpproxy[5618]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="POST" srcip="int.ern.al.23" dstip="104.74.143.169" user="" group="" ad_domain="" statuscode="302" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0xda892c00" url="go.microsoft.com/.../ referer="" error="" authtime="0" dnstime="403" cattime="169" avscantime="5292" fullreqtime="44268" device="0" auth="0" ua="MICROSOFT_DEVICE_METADATA_RETRIEVAL_CLIENT" exceptions="av,sandbox,ssl,fileextension,size" category="9998" reputation="unverified" categoryname="Uncategorized"
    2018:03:12-08:05:29 firewall-2 httpproxy[5618]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="POST" srcip="int.ern.al.23" dstip="52.138.148.159" user="" group="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="1732" request="0xd92d6600" url="dmd.metaservices.microsoft.com/.../metadata.svc" referer="" error="" authtime="0" dnstime="0" cattime="191" avscantime="4744" fullreqtime="121930" device="0" auth="0" ua="MICROSOFT_DEVICE_METADATA_RETRIEVAL_CLIENT" exceptions="av,sandbox,ssl,fileextension,size" category="177" reputation="neutral" categoryname="Content Server" content-type="text/xml"
    2018:03:12-08:05:29 firewall-2 httpproxy[5618]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="POST" srcip="int.ern.al.23" dstip="104.74.143.169" user="" group="" ad_domain="" statuscode="302" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0xdc840600" url="go.microsoft.com/.../ referer="" error="" authtime="0" dnstime="184" cattime="153" avscantime="5122" fullreqtime="45180" device="0" auth="0" ua="MICROSOFT_DEVICE_METADATA_RETRIEVAL_CLIENT" exceptions="av,sandbox,ssl,fileextension,size" category="9998" reputation="unverified" categoryname="Uncategorized"
    2018:03:12-08:05:29 firewall-2 httpproxy[5618]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="POST" srcip="int.ern.al.23" dstip="52.138.148.159" user="" group="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="1732" request="0xd92d6600" url="dmd.metaservices.microsoft.com/.../metadata.svc" referer="" error="" authtime="0" dnstime="0" cattime="178" avscantime="5139" fullreqtime="134805" device="0" auth="0" ua="MICROSOFT_DEVICE_METADATA_RETRIEVAL_CLIENT" exceptions="av,sandbox,ssl,fileextension,size" category="177" reputation="neutral" categoryname="Content Server" content-type="text/xml"
    2018:03:12-08:05:29 firewall-2 httpproxy[5618]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="POST" srcip="int.ern.al.23" dstip="104.74.143.169" user="" group="" ad_domain="" statuscode="302" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0xdcb57000" url="go.microsoft.com/.../ referer="" error="" authtime="0" dnstime="185" cattime="175" avscantime="4888" fullreqtime="45645" device="0" auth="0" ua="MICROSOFT_DEVICE_METADATA_RETRIEVAL_CLIENT" exceptions="av,sandbox,ssl,fileextension,size" category="9998" reputation="unverified" categoryname="Uncategorized"
    2018:03:12-08:05:29 firewall-2 httpproxy[5618]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="POST" srcip="int.ern.al.23" dstip="52.138.148.159" user="" group="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="1732" request="0xd92d6600" url="dmd.metaservices.microsoft.com/.../metadata.svc" referer="" error="" authtime="0" dnstime="0" cattime="196" avscantime="5073" fullreqtime="135744" device="0" auth="0" ua="MICROSOFT_DEVICE_METADATA_RETRIEVAL_CLIENT" exceptions="av,sandbox,ssl,fileextension,size" category="177" reputation="neutral" categoryname="Content Server" content-type="text/xml"
    2018:03:12-08:05:29 firewall-2 httpproxy[5618]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="POST" srcip="int.ern.al.23" dstip="104.74.143.169" user="" group="" ad_domain="" statuscode="302" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0x9469000" url="go.microsoft.com/.../ referer="" error="" authtime="0" dnstime="179" cattime="168" avscantime="5108" fullreqtime="45048" device="0" auth="0" ua="MICROSOFT_DEVICE_METADATA_RETRIEVAL_CLIENT" exceptions="av,sandbox,ssl,fileextension,size" category="9998" reputation="unverified" categoryname="Uncategorized"
    2018:03:12-08:05:29 firewall-2 httpproxy[5618]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="POST" srcip="int.ern.al.23" dstip="52.138.148.159" user="" group="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="1732" request="0xd92d6600" url="dmd.metaservices.microsoft.com/.../metadata.svc" referer="" error="" authtime="0" dnstime="0" cattime="209" avscantime="5234" fullreqtime="135098" device="0" auth="0" ua="MICROSOFT_DEVICE_METADATA_RETRIEVAL_CLIENT" exceptions="av,sandbox,ssl,fileextension,size" category="177" reputation="neutral" categoryname="Content Server" content-type="text/xml"
    2018:03:12-08:05:35 firewall-2 httpproxy[5618]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="int.ern.al.31" dstip="68.232.34.240" user="" group="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="7448" request="0xda9baa00" url="download.windowsupdate.com/.../9946985_bd1510311d13985cdb2ddeff406971b3bab3e2c8.cab" referer="" error="" authtime="0" dnstime="0" cattime="43888" avscantime="0" fullreqtime="31956889" device="0" auth="0" ua="Windows-Update-Agent" exceptions="av,sandbox,ssl,fileextension,size" category="175" reputation="trusted" categoryname="Software/Hardware" content-type="application/vnd.ms-cab-compressed"

     

    packetfilter.log:

    2018:03:12-08:04:49 firewall-2 ulogd[31090]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="00:a0:57:ex.ern.mac" dstmac="00:1a:8c:in.ter.mac" srcip="172.217.23.129" dstip="wan.ip.sophos.10" proto="6" length="40" tos="0x00" prec="0x00" ttl="60" srcport="443" dstport="45606" tcpflags="ACK FIN"
    2018:03:12-08:05:12 firewall-2 ulogd[31090]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="00:a0:57:ex.ern.mac" dstmac="00:1a:8c:in.ter.mac" srcip="171.233.24.75" dstip="wan.ip.sophos.10" proto="6" length="44" tos="0x00" prec="0x00" ttl="48" srcport="28104" dstport="2323" tcpflags="SYN"
    2018:03:12-08:05:19 firewall-2 ulogd[31090]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="00:a0:57:ex.ern.mac" dstmac="00:1a:8c:in.ter.mac" srcip="191.19.176.146" dstip="wan.ip.sophos.10" proto="6" length="44" tos="0x00" prec="0x00" ttl="243" srcport="834" dstport="23" tcpflags="SYN"
    2018:03:12-08:05:21 firewall-2 ulogd[31090]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="00:a0:57:ex.ern.mac" dstmac="00:1a:8c:in.ter.mac" srcip="185.222.211.35" dstip="wan.ip.sophos.10" proto="6" length="44" tos="0x00" prec="0x00" ttl="247" srcport="50340" dstport="8186" tcpflags="SYN"
    2018:03:12-08:05:29 firewall-2 ulogd[31090]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="00:a0:57:ex.ern.mac" dstmac="00:1a:8c:in.ter.mac" srcip="5.188.11.11" dstip="wan.ip.sophos.10" proto="6" length="44" tos="0x00" prec="0x00" ttl="247" srcport="47946" dstport="7613" tcpflags="SYN"
    2018:03:12-08:06:28 firewall-2 ulogd[31090]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="00:a0:57:ex.ern.mac" dstmac="00:1a:8c:in.ter.mac" srcip="104.74.143.169" dstip="wan.ip.sophos.10" proto="6" length="52" tos="0x00" prec="0x00" ttl="59" srcport="80" dstport="31477" tcpflags="ACK RST"
    2018:03:12-08:06:28 firewall-2 ulogd[31090]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="00:a0:57:ex.ern.mac" dstmac="00:1a:8c:in.ter.mac" srcip="104.74.143.169" dstip="wan.ip.sophos.10" proto="6" length="52" tos="0x00" prec="0x00" ttl="59" srcport="80" dstport="31464" tcpflags="ACK RST"
    2018:03:12-08:06:28 firewall-2 ulogd[31090]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="00:a0:57:ex.ern.mac" dstmac="00:1a:8c:in.ter.mac" srcip="104.74.143.169" dstip="wan.ip.sophos.10" proto="6" length="52" tos="0x00" prec="0x00" ttl="59" srcport="80" dstport="31471" tcpflags="ACK RST"
    2018:03:12-08:06:28 firewall-2 ulogd[31090]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="00:a0:57:ex.ern.mac" dstmac="00:1a:8c:in.ter.mac" srcip="104.74.143.169" dstip="wan.ip.sophos.10" proto="6" length="52" tos="0x00" prec="0x00" ttl="59" srcport="80" dstport="31470" tcpflags="ACK RST"
    2018:03:12-08:06:29 firewall-2 ulogd[31090]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="00:a0:57:ex.ern.mac" dstmac="00:1a:8c:in.ter.mac" srcip="104.74.143.169" dstip="wan.ip.sophos.10" proto="6" length="52" tos="0x00" prec="0x00" ttl="59" srcport="80" dstport="31469" tcpflags="ACK RST"
    2018:03:12-08:06:29 firewall-2 ulogd[31090]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="00:a0:57:ex.ern.mac" dstmac="00:1a:8c:in.ter.mac" srcip="104.74.143.169" dstip="wan.ip.sophos.10" proto="6" length="52" tos="0x00" prec="0x00" ttl="59" srcport="80" dstport="31468" tcpflags="ACK RST"
    2018:03:12-08:06:29 firewall-2 ulogd[31090]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="00:a0:57:ex.ern.mac" dstmac="00:1a:8c:in.ter.mac" srcip="104.74.143.169" dstip="wan.ip.sophos.10" proto="6" length="52" tos="0x00" prec="0x00" ttl="59" srcport="80" dstport="31458" tcpflags="ACK RST"
    2018:03:12-08:06:29 firewall-2 ulogd[31090]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="00:a0:57:ex.ern.mac" dstmac="00:1a:8c:in.ter.mac" srcip="104.74.143.169" dstip="wan.ip.sophos.10" proto="6" length="52" tos="0x00" prec="0x00" ttl="59" srcport="80" dstport="31457" tcpflags="ACK RST"
    2018:03:12-08:06:29 firewall-2 ulogd[31090]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="00:a0:57:ex.ern.mac" dstmac="00:1a:8c:in.ter.mac" srcip="104.74.143.169" dstip="wan.ip.sophos.10" proto="6" length="52" tos="0x00" prec="0x00" ttl="59" srcport="80" dstport="31463" tcpflags="ACK RST"
    2018:03:12-08:06:29 firewall-2 ulogd[31090]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="00:a0:57:ex.ern.mac" dstmac="00:1a:8c:in.ter.mac" srcip="104.74.143.169" dstip="wan.ip.sophos.10" proto="6" length="52" tos="0x00" prec="0x00" ttl="59" srcport="80" dstport="31462" tcpflags="ACK RST"
    2018:03:12-08:06:36 firewall-2 ulogd[31090]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60004" initf="eth1" srcmac="00:a0:57:ex.ern.mac" dstmac="00:1a:8c:in.ter.mac" srcip="210.121.164.121" dstip="wan.ip.sophos.10" proto="6" length="44" tos="0x00" prec="0x00" ttl="51" srcport="45157" dstport="22" tcpflags="SYN" 

     

    No indication of a rule/NAT violation.

     

    btw / something I noticed:

    When upgrading the cluster to 9.508-10, the following rsync connection error is logged in the HA log:

    2018:03:12-10:06:18 firewall-1 ha_daemon[4013]: id="38A0" severity="info" sys="System" sub="ha" seq="S:   48 18.147" name="HA control: cmd = 'sync start 2 database'"
    2018:03:12-10:06:18 firewall-1 ha_daemon[4013]: id="38A0" severity="info" sys="System" sub="ha" seq="S:   49 18.147" name="Activating sync process for database on node 2"
    2018:03:12-10:06:18 firewall-1 ha_daemon[4013]: id="38A0" severity="info" sys="System" sub="ha" seq="S:   50 18.505" name="Monitoring interfaces for link beat: eth0"
    2018:03:12-10:06:20 firewall-1 repctl[5898]: [i] execute(1768): rsync: failed to connect to 198.19.250.2: Connection refused (111)
    2018:03:12-10:06:20 firewall-1 repctl[5898]: [i] execute(1768): rsync error: error in socket IO (code 10) at clientserver.c(122) [receiver=3.0.4]
    2018:03:12-10:06:20 firewall-1 repctl[5898]: [c] standby_clone(936): rsync failed on $VAR1 = {
    2018:03:12-10:06:20 firewall-1 repctl[5898]: [c] standby_clone(936):           'path' => '/postgres.default',
    2018:03:12-10:06:20 firewall-1 repctl[5898]: [c] standby_clone(936):           'dst' => '/var/storage/pgsql92/',
    2018:03:12-10:06:20 firewall-1 repctl[5898]: [c] standby_clone(936):           'module' => 'postgres-default'
    2018:03:12-10:06:20 firewall-1 repctl[5898]: [c] standby_clone(936):         };
    2018:03:12-10:06:20 firewall-1 repctl[5898]: [c] standby_clone(936): (Attempt #:1)
    2018:03:12-10:06:31 firewall-1 repctl[5898]: [i] execute(1768): rsync: failed to connect to 198.19.250.2: Connection refused (111)
    2018:03:12-10:06:31 firewall-1 repctl[5898]: [i] execute(1768): rsync error: error in socket IO (code 10) at clientserver.c(122) [receiver=3.0.4]
    2018:03:12-10:06:31 firewall-1 repctl[5898]: [c] standby_clone(936): rsync failed on $VAR1 = {
    2018:03:12-10:06:31 firewall-1 repctl[5898]: [c] standby_clone(936):           'path' => '/postgres.default',
    2018:03:12-10:06:31 firewall-1 repctl[5898]: [c] standby_clone(936):           'dst' => '/var/storage/pgsql92/',
    2018:03:12-10:06:31 firewall-1 repctl[5898]: [c] standby_clone(936):           'module' => 'postgres-default'
    2018:03:12-10:06:31 firewall-1 repctl[5898]: [c] standby_clone(936):         };
    ...
    2018:03:12-10:08:10 firewall-1 repctl[5898]: [i] stop_backup_mode(765): stopped backup mode at 00000001000000360000009A
    2018:03:12-10:08:10 firewall-1 repctl[5898]: [c] standby_clone(950): standby_clone failed: sync aborted (never executed successfully)

    A failover works without errors, restarting the SLAVE node succeeds, and the cluster comes back up without errors.

    I won't reconfigure the Lancom/Sophos tandem, for 3 reasons:

    1) the device is managed by DTAG (Deutsche Telekom), 2) a PBX is connected to the Lancom via SIP/ISDN, so the Lancom handles the call handling, 3) NAT is NAT; the WAN IP of the Sophos doesn't matter, does it?

    Thank you for your thoughts!

    Andreas

  • Hello, Bob!

    I did another log analysis, this time with firewall logging enabled on the affected rules:

    Now the corresponding entries can be seen in the packet filter log and in the Lancom log:

     

    packetfilter-log:

    #1

    2018:03:12-14:31:36 firewall-2 ulogd[31090]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="14" initf="eth0" outitf="eth1" srcmac="00:24:1d:mac:adr:01" dstmac="00:1a:8c:mac:adr:02" srcip="inr.ern.ip.77" dstip="162.125.66.3" proto="6" length="40" tos="0x00" prec="0x00" ttl="127" srcport="49669" dstport="443" tcpflags="ACK RST"

    2018:03:12-14:31:36 firewall-2 ulogd[31090]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="14" initf="eth0" outitf="eth1" srcmac="00:24:1d:mac:adr:01" dstmac="00:1a:8c:mac:adr:02" srcip="int.ern.ip.77" dstip="162.125.66.3" proto="6" length="52" tos="0x00" prec="0x00" ttl="127" srcport="49696" dstport="443" tcpflags="SYN" 

    #2

    2018:03:12-14:29:26 firewall-2 ulogd[31090]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="14" initf="eth0" outitf="eth1" srcmac="00:24:1d:mac:addr:01" dstmac="00:1a:8c:mac:adr:02" srcip="int.ern.ip.77" dstip="162.125.33.7" proto="6" length="40" tos="0x00" prec="0x00" ttl="127" srcport="49683" dstport="443" tcpflags="ACK RST"

    2018:03:12-14:29:26 firewall-2 ulogd[31090]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="14" initf="eth0" outitf="eth1" srcmac="00:24:1d:mac:adr:01" dstmac="00:1a:8c:mac:adr:02" srcip="int.ern.ip.77" dstip="162.125.33.7" proto="6" length="52" tos="0x00" prec="0x00" ttl="127" srcport="49695" dstport="443" tcpflags="SYN"


    Here is the screenshot of the Lancom log:


    Exactly these packets are passed through un-NATed...

    In tcpdump, ONLY packets with the F or R flag are seen on eth1.

    So SYN packets are NATed (good, otherwise no connection would ever be established), but R or F packets apparently not (always). [:S]

    Andreas
  • Hello, Bob & MenschBärSchwein!

    This seems to be a packet filter / NAT engine design flaw. It occurs when a connection is terminated more than once with a FIN/RST packet, i.e. another FIN/RST arrives after the connection has already been closed in the connection table. The packet can then not be associated with any existing connection and, under an "any" rule, is forwarded without NAT...

    [:|]

    The "bug" was already discussed in 2012, but not solved:

    https://bugzilla.netfilter.org/show_bug.cgi?id=693

    [:S]

     

    UTM solution: Network Protection / Firewall / Advanced: Block invalid packets.

    XG: the firewall already runs in strict mode. There you can only define exceptions on the shell.

    And then all is quiet ...

    [:)]

    Regards
    Andreas

  • "Block invalid Packets"

    A nice day for me - thanks to Andreas I've learned something new!

    Regards - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hello, Bob!

    Thank you! That is very kind of you! But I too keep learning from others [:)].

    And I'll add one more piece of information to avoid further difficulties:

    The "Block invalid packets" checkbox causes disruptions in various networks, namely in THOSE networks in which the following structure is "built in":

    A) All systems normally use a default gateway (= the UTM), B) one or more network segments are reachable via an ADDITIONAL gateway in the SAME network, and C) for simplicity a route is set on the UTM to reach this/these additional network(s).

    The result: asymmetric routing:

    Outbound path: PC > UTM > additional gateway > target host // return path: target host > additional gateway > PC (so the UTM is left out of the return path and the packet filter "sees only half" of the data stream). Consequently, it must let the INVALID packets in this stream through.

    On the XG/Cyberoam this scenario is "not recommended" anyway. Such INVALID traffic must be configured with an advanced-firewall exception on the shell.

    This construct is found in many networks. Setting the advanced option, however, kills a fair amount of traffic (TCP/UDP). RDP, for example, reports "protocol error". In these scenarios the checkbox must be cleared, as must the "Use strict TCP session handling" checkbox.

    Alternatives?

    One option would be to set additional routes on the PCs/servers (route (-p) add ... in the logon script, or similar).

    Another option would be to NAT the traffic at the UTM (ugly, since the traffic can then no longer be differentiated in the target network...).

    Or: to avoid this, the NIC layout of the UTM/firewall or the network design would have to be reconsidered. For example, the LAN interface could be implemented as a bridge of at least 2 NICs, with the internal hosts connected to one interface and the additional router in the same network to the other. That should also work on the UTM. Then the INTERNAL traffic passing through the UTM to the router and the other connected network segments also passes the firewall's packet filter, which provides the basis for "hardening" security.

    The problem is that many network admins use such constructs "for simplicity". It is familiar from routers (à la FBox) that offer such options. Conversely, this means that one MUST allow these INVALID packets carrying internal IP information to leak outside (intentionally or not).

    Just so nobody complains, "since I ticked the box, half of it no longer works" [:'(]...

    Best regards

    Andreas (CCNSE)
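Added example (not code from this thread or from Sophos): a Python classifier for the ulogd packetfilter lines posted above, which flags accepted, forwarded TCP packets that hit a rule without a SYN. It assumes, consistent with the lines Andreas posted, that a rule-log entry means conntrack had no matching entry; it separates the late FIN/RST teardowns described as the NAT leak from mid-stream ACK/PSH packets, which is what the asymmetric-routing setup in the last post produces. The log lines inside the block are constructed samples using documentation address ranges.

```python
import re
from collections import Counter

# Constructed sample in the Sophos UTM ulogd key="value" layout seen in the thread.
# These are sample lines, not the thread's own; addresses come from documentation ranges.
SAMPLE_LOG = """\
2018:03:12-14:31:36 firewall-2 ulogd[31090]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="14" initf="eth0" outitf="eth1" srcmac="00:24:1d:00:00:01" dstmac="00:1a:8c:00:00:02" srcip="192.0.2.77" dstip="198.51.100.5" proto="6" length="40" tos="0x00" prec="0x00" ttl="127" srcport="49669" dstport="443" tcpflags="ACK RST"
2018:03:12-14:31:36 firewall-2 ulogd[31090]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="14" initf="eth0" outitf="eth1" srcmac="00:24:1d:00:00:01" dstmac="00:1a:8c:00:00:02" srcip="192.0.2.77" dstip="198.51.100.5" proto="6" length="52" tos="0x00" prec="0x00" ttl="127" srcport="49696" dstport="443" tcpflags="SYN"
2018:03:12-14:31:40 firewall-2 ulogd[31090]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="14" initf="eth0" outitf="eth1" srcmac="00:24:1d:00:00:01" dstmac="00:1a:8c:00:00:02" srcip="192.0.2.78" dstip="198.51.100.9" proto="6" length="40" tos="0x00" prec="0x00" ttl="127" srcport="50001" dstport="80" tcpflags="ACK FIN"
2018:03:12-14:31:41 firewall-2 ulogd[31090]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="00:a0:57:00:00:03" dstmac="00:1a:8c:00:00:02" srcip="198.51.100.9" dstip="203.0.113.10" proto="6" length="52" tos="0x00" prec="0x00" ttl="59" srcport="80" dstport="31477" tcpflags="ACK RST"
2018:03:12-14:31:45 firewall-2 ulogd[31090]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="14" initf="eth0" outitf="eth1" srcmac="00:24:1d:00:00:04" dstmac="00:1a:8c:00:00:02" srcip="192.0.2.90" dstip="198.51.100.20" proto="6" length="93" tos="0x00" prec="0x00" ttl="127" srcport="50123" dstport="3389" tcpflags="ACK PSH"
"""

# "<timestamp> <host> <process>[<pid>]: <key="value" ...>"
_HEAD = re.compile(r'^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[\w-]+)\[(?P<pid>\d+)\]: (?P<rest>.*)$')
_KV = re.compile(r'([\w-]+)="([^"]*)"')


def parse_line(line):
    """Parse one ulogd line into a dict; returns None if the line is not in that layout."""
    m = _HEAD.match(line.strip())
    if not m:
        return None
    rec = {"ts": m.group("ts"), "host": m.group("host"), "proc": m.group("proc")}
    rec.update(_KV.findall(m.group("rest")))
    return rec


def classify(rec):
    """
    Classify an accepted, forwarded TCP packet by the flags it carried when it hit a rule.
    Assumption: a rule-log entry means conntrack had no entry for the packet, because
    packets of an established flow never reach the rule again.
      'syn'       - first packet of a flow: normal, gets NATed
      'teardown'  - FIN/RST without SYN: a late close for a flow conntrack has already
                    forgotten; an "any" rule forwards it without NAT (the leak in the thread)
      'midstream' - ACK/PSH without SYN/FIN/RST: data with no state, the signature of
                    asymmetric routing where the firewall sees only half of the stream
    Dropped, non-TCP or non-forwarded records return None.
    """
    if rec.get("action") != "accept" or rec.get("proto") != "6" or "outitf" not in rec:
        return None
    flags = set(rec.get("tcpflags", "").split())
    if "SYN" in flags:
        return "syn"
    if flags & {"FIN", "RST"}:
        return "teardown"
    return "midstream"


def leak_candidates(log_text):
    """Return the parsed records that were forwarded by a rule without a conntrack entry."""
    out = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        kind = classify(rec)
        if kind in ("teardown", "midstream"):
            rec["kind"] = kind
            out.append(rec)
    return out


def summarize(candidates):
    """Count candidates per (internal source host, kind) so the noisy hosts stand out."""
    return Counter((r["srcip"], r["kind"]) for r in candidates)


if __name__ == "__main__":
    cands = leak_candidates(SAMPLE_LOG)
    for r in cands:
        print(f'{r["ts"]} {r["kind"]:9} {r["srcip"]}:{r["srcport"]} -> '
              f'{r["dstip"]}:{r["dstport"]} [{r["tcpflags"]}] rule {r["fwrule"]}')
    print(summarize(cands))
```

Run it over a real packetfilter.log with rule logging enabled on the "any" rule; every "teardown" hit is a packet that left without NAT until "Block invalid packets" is set, and a steady stream of "midstream" hits from one host points at the asymmetric route described in the last post.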