Firewall rule to block internal network traffic to internal network is not working. File sharing is still allowed.

I'm trying to block devices on the internal network from accessing other devices on the internal network.

Simple, right? Of course not....


I created a firewall rule Internal (Network)->ANY->Internal (Network)->Block, and even Internal (Network)->File Transfer, Media Streaming, Web Surfing->Internal (Network)->Block.


I even went as far as adding my specific devices to block all traffic from my phone to my Windows PC, but when file sharing is turned on in Windows, I am able to browse my shared files freely from my Android device using the X-plore app.

Now this should not be possible, since the firewall rule is set to totally block any data from internal devices accessing other devices on the LAN. The firewall rule that allows all traffic from Internal to IPv4 should not be causing this issue, since IPv4 is "the internet" and does not include file sharing services. Perhaps the X-plore app is using some strange protocol to access my network share that is bypassing the firewall?

So I found out that Windows was using port 445 for media streaming, and I added CIFS to the services in the firewall rule, but the rule is still bypassed. Web filtering is set to transparent mode.

  • Big issues here. I just deleted every single firewall rule and yet I am able to browse the internet, which I should not be able to do since the "web browsing" firewall rule Internal->ANY->Internet IPv4->allow isn't even listed anymore, and this never used to happen. Internet browsing should be blocked until this rule is created and enabled.

    How am I even browsing the internet right now???


  • New to the UTM by any chance? It can take a little getting used to.

    Let's deal with them in order:

    1. The UTM will not block layer 2 traffic, as most likely the devices are communicating directly with each other at layer 2 and not going anywhere near the UTM. An example of this would be two PCs connected to a switch. The PCs communicate directly with each other if they are on the same subnet. Exceptions to this are if they are on separate VLANs and inter-VLAN traffic is blocked.

    2. The reason you can reach the internet with no firewall rules is because you have enabled the web proxy and web traffic is going through that. You can confirm this by having no rules and disabling the proxy. You will then have no access.

    The UTM does have its learning points like this, and I too was caught out because we're used to the old FW rules needing to be in place. Basically, a good rule of thumb is: if a proxy is enabled (e.g. SMTP, web, WAF, etc.), the traffic will hit that first, before the firewall rules (with a few exceptions).

    That is why I would advise reading an excellent document created on here called RULZ. Read it, then read it again (particularly the order-of-connections rule #2) and you will gain an overview of how the UTM works. Trust me, you will not regret it when it comes to scratching your head.

    For me, I've tried to come away from the old SNAT, DNAT and FW rules as much as I can and use all of the proxies, as they offer far more granularity. Not possible in all cases, though.

    Happy UTMing!
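Point 1 above is worth checking before writing any Internal->Internal rule: if source and destination sit in the same gateway interface network, the frames are switched and the UTM never sees them. The following audit script is an added example (not from the thread or from Sophos); it assumes constructed interface networks and constructed rule definitions, and flags rules that can never be evaluated for that reason.

```python
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Rule:
    """A simplified UTM-style packet filter rule (constructed data model)."""
    name: str
    source: str       # CIDR or single host address
    destination: str  # CIDR or single host address
    action: str


# Constructed example: the networks attached to the gateway's interfaces.
# The gateway only routes *between* these; traffic inside one of them
# stays on the switch (layer 2) and never reaches the packet filter.
GATEWAY_NETWORKS = [ip_network("192.168.1.0/24"), ip_network("10.10.0.0/24")]

# Constructed rules mirroring the thread: "Internal" is 192.168.1.0/24,
# the phone and the Windows PC are hosts inside it, DMZ is 10.10.0.0/24.
EXAMPLE_RULES = [
    Rule("lan-to-lan-block", "192.168.1.0/24", "192.168.1.0/24", "block"),
    Rule("phone-to-pc-block", "192.168.1.50", "192.168.1.20", "block"),
    Rule("lan-to-dmz-block", "192.168.1.0/24", "10.10.0.0/24", "block"),
    Rule("lan-to-internet-allow", "192.168.1.0/24", "0.0.0.0/0", "allow"),
]


def same_segment(src: str, dst: str, networks) -> bool:
    """True when both endpoints fall inside ONE gateway interface network,
    i.e. traffic between them is switched and does not transit the gateway."""
    s = ip_network(src, strict=False)   # a bare host becomes a /32
    d = ip_network(dst, strict=False)
    return any(s.subnet_of(net) and d.subnet_of(net) for net in networks)


def audit(rules, networks):
    """Return (rule name, reason) for every rule the gateway cannot enforce."""
    findings = []
    for rule in rules:
        if same_segment(rule.source, rule.destination, networks):
            findings.append((
                rule.name,
                "never evaluated: source and destination share a broadcast "
                "domain; place them on separate VLANs/interfaces to enforce it",
            ))
    return findings


if __name__ == "__main__":
    for name, reason in audit(EXAMPLE_RULES, GATEWAY_NETWORKS):
        print(f"{name}: {reason}")
```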

  • That the LAN is connected through a switch and not flowing through the UTM. That explains why no firewall rule was blocking LAN traffic. Now why didn't I think of that?

  • Here's a link to the Rulz. Also see Doug Foster's take on some of this: READ ME FIRST: UTM Architecture

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA