UTM9 Firewall Port 80 und 443 Standard erlaubt?

Wenn du web filtering eingeschaltet hast und transparant proxy ist aktiv, dann gibt den Proxy Internet zugang.

Hallo Sascha,

Erstmal herzlich willkommen hier in der Community !

(Sorry, my German-speaking brain isn't creating thoughts at the moment. [:(])

As apijnappels observes, the traffic is not "seen" by the manual firewall rules because the hidden rules created by Web Protection handle the traffic first.  #2 in Rulz might help you understand a little better what's happening in the UTM.

MfG - Bob (Bitte auf Deutsch weiterhin.)

For you Bob, in english :D

Thx u 2 for the explanation.

Now, Im a bit smarter

Greetz

Sascha

Hallo Sascha,

ich hatte letztens genau das selbe Problem. Allerdings ging es bei mir so weit, dass der Webfilter in dem Moment alle VLANs umgeht. Also blockt man den Traffic von einem ins andere VLAN kommt man per PORT 80 und 443 trotzdem noch übergreifend in the abgesperrten Bereiche, was eigentlich nicht sein darf. 

Man muss dies dann umständlich im Webfilter blocken. Der Webfilter sitzt komplett außerhalb der Firewall und du kannst dort nix mehr wirklich blocken oder machen, was in meinen Augen eine ziemliche Lücke ist wenn man es nicht weiß und alles Weitere blockt. 

Man kommt dann auch mal vom Kunden WLAN trotzdem noch auf alle Web-Dienste innerhalb des internen Netzes. 

Gruß,
René

Hallo René,

(Sorry, my German-speaking brain still isn't creating thoughts at the moment. [:(])

You might be interested in a document I maintain that I make available to members of the UTM Community, "Configure HTTP Proxy for a Network of Guests."  If you would like me to send you this document, PM me your email address.  Ich behaupte auch eine deutsche Version, die ursprünglich vom Mitglieder hallowach übersetzt wurde, als wir zusammen im Jahre 2013 eine große Revision machten.

MfG - Bob (Bitte auf Deutsch weiterhin.)

Hey Bob,

i've talked for that problem with my reseller and they made a ticket to Sophos and they told us what Sascha said. The Webfilter is out of the firewall. The the problem is my case is that i've 2 VLANs for WLAN. One is an internal Network and one is a Guest network. So in the Firewall i've blocked all the traffic from the Guest WLAN to the internal Network but could connect to all of the internal services. So the solution was the explicitly deny traffic from the network in the Webfilter. 

But in my opinions it's a bug when you can access private parts of your network over VLANs or what do you think? The Webfilter should be before the Firewall and the firewall should block the traffic if it's said in the rule.

And i think everyone understand it. =) 

I'm telling you that my consulting clients don't have that problem, René, and neither do people that have read the document I offered above.

MfG - Bob (Bitte auf Deutsch weiterhin.)

As i said. We debugged that for some hours and asked Sophos. And the return from the Sophos Support was that the Webfilter don't use the Firewall so you have to deny it in the webfilter. Otherwise all VLANs can talk to each other over the Webfilter. On another customer i've used the Sophos APs and i think there i don't have the problem but i have to test that the next time. 

But i will check that with your paper and check if you go another way. 

It may look strange that firewall rules don't apply to the webfiltering, but in fact it's rather logical since your devices are not talking to each other directly, but they are all talking to the webfilter. Every request for a webpage is forwarded to the webfilter and the webfilter is requesting access on behalf of the original client and passes any output back to the requesting client.

In a proxy it is more logical to maintain blocklists rather than allow lists, that's why you should configure in the proxy that your guest network should not be served with output from your internal network(s).

Anyway, to set it all up, you can PM Bob for the document.