Port forwarding HTTPS 443 to port 3000

Hello everyone,

I have a question that I don't seem to be able to solve.

I want to redirect incoming traffic on port 443 to an internal server on port 3000.

This is the DNAT rule I have configured.

Now when I go to HTTP://IPADDRESS:443 I get redirected to the correct page.

When I try to go to HTTPS://IPADDRESS I cannot make any connection. So the NAT rule is working but HTTPS is not working.

My question is: is this a firewall setting I need to adjust, or is this something I need to adjust at the backend?

Kind regards,

Thomas

  • Hi Thomas,

    Welcome to the Sophos Community.

    I have 3 questions

    1. Is port 3000 set to UDP or TCP, is it the correct type (I'm sure you checked this)?

    2. Is there another rule above this rule that is conflicting with it?

    3. When trying to access the resource/page, is there anything displayed in the live log or firewall log?

    XG & UTM Architect (Systems: XG v18 & UTM 9.7 - Virtual, HW & SW)
    Curious enough to take it apart, skilled enough to put it back together, Clever enough to hide the extra parts when I'm Done!

  • First of all thanks for the reply.

    Answer to your questions:

    1. The port is set to TCP but I've also changed it to UDP and UDP/TCP without success.

    2. I don't see any NAT rules that would conflict with it. I tried putting the NAT rule on top but without success.

    3. In the firewall log I see this:

    This is what I see in the firewall logs.

    The strange thing is that when I go to http://myip:443 everything is correct and I see the GET page.

    If I go to https://myip I don't get the page.

    I suspect this is something more at the side of the webserver, trying to redirect HTTPS to a port other than 443.

    Kind regards,

    Thomas
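The symptom Thomas describes (HTTP on port 443 shows the page, HTTPS on the same port does not) is what a plain-HTTP backend behind a DNAT produces: the rule rewrites the TCP destination but never terminates TLS, so the server on port 3000 receives a TLS ClientHello it cannot parse. The probe below is an added example, not code from this thread or from Sophos; it sends a ClientHello and classifies the answer, and the plaintext backend it talks to is a constructed local stand-in for the port-3000 server.

```python
import socket
import ssl
import threading

def probe_tls(host: str, port: int, timeout: float = 3.0) -> str:
    """Send a TLS ClientHello to host:port and classify what answers.

    DNAT only rewrites the TCP destination; if the target speaks plain HTTP,
    http://ip:443 works while https://ip fails in the handshake.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False      # diagnostic only: we classify, we do not trust
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return f"tls: {tls.version()}"      # a real TLS endpoint answered
    except ssl.SSLError as e:
        # A plaintext server replies to the ClientHello with text such as
        # "HTTP/1.1 400 Bad Request"; the TLS record parser rejects it.
        return f"not-tls: {e.reason}"
    except ConnectionResetError:
        return "not-tls: peer closed the connection mid-handshake"
    except ConnectionRefusedError:
        return "closed: connection refused (nothing listening on the target)"
    except socket.timeout:
        return "no-answer: timed out (dropped by the firewall or DNAT to a dead target)"

def start_plaintext_backend() -> tuple[socket.socket, int]:
    """Constructed stand-in for the plain-HTTP server on port 3000."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve() -> None:
        conn, _ = srv.accept()
        with conn:
            conn.recv(4096)  # this is the ClientHello, not an HTTP request line
            conn.sendall(b"HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n")

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]

def demo() -> str:
    """Probe the constructed plaintext backend the way a browser probes https://ip."""
    srv, port = start_plaintext_backend()
    try:
        return probe_tls("127.0.0.1", port)
    finally:
        srv.close()
```

Run `probe_tls("MYIP", 443)` from outside against the DNAT'd address: "not-tls" points at the backend, "no-answer" or "closed" at the firewall side (a disabled interface, a conflicting rule, or a dead target).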

  • This may be because of the way the port 3000 is configured and is unable to properly redirect the port correctly. I am sure I have seen this error on the community, but am unable to find it.

    I am presuming you have tried this as a direct port to port (rather than port redirection)?

    Are you able to put this behind the WAF?

    That would effectively get the UTM to request the page and would display it properly, although there may be other reasons why this is not possible.

  • Hallo Thomas and welcome to the UTM Community!

    I'm confused by the fact that your NAT rule is in position 66, but the Firewall Live Log shows that the traffic is handled by NAT rule #1.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Normally the NAT rule was on position 66 but for testing purposes I did put it on the first line.

    Just to be sure there were no other rules active.

    So if I go to HTTPS://MYIP I clearly see this in the log files with the correct NAT rule.

  • First of all, port translation is not necessary. You can reference an https (or http) site with a non-standard port using a colon as the qualifier in your web request, for example: https://example.com:30000/

    Second, you appear to be redirecting port 443 on UTM's primary (or only) public IP address. This port is normally reserved for User Portal, so at minimum you need to move User Portal to another port before your DNAT will work, although I suspect it will not work at all.

    Thirdly, DNAT provides no security, which is a problem because the bad guys are scanning your system for vulnerabilities. You propose taking a port that they might overlook (30000), and translating it to a port that they will definitely examine (443). This is crazy, unless you are a security researcher who is intentionally creating a honeypot.

    Instead:

    • Use WAF with a login page and 2-factor authentication.
      or
    • Use SSL VPN with 2-factor authentication, then reference the web sites within the VPN session.

    Either way, you need 2-factor authentication to keep the bad guys out of your network. The bad guys are also very good at password guessing attacks, and the Internet already has too many zombie botnet PCs.

    If you have a single public IP address, WAF allows you to configure multiple sites using separate target ports. If you have more than one IP, so that one can be dedicated to WAF, you can take advantage of its support for SNI, which allows you to overlay multiple host names on a single IP+Port, typically port 443.

  • Hi. OK. Found the problem. The interface I was redirecting for was in the [off] position.

    Once I turned it on, the redirection worked.

    I'll figure out the WAF later.

    My passwords are 14 digits long though. Brute force or dictionary is pointless (though getting key logged would be an issue).

  • Let me belabor the discussion a little with some principles, at least for the benefit of other readers.

    Strong passwords are good, but password guessing is not the only type of attack. The Intrusion Protection System is a database of rules for detecting 20,000 attacks based on malformed packets. A purpose-built system like UTM is much easier to harden than a Windows PC. "Internet of Things" devices like garage doors, security cameras, and washing machines are even less likely to have proper hardening. You want UTM to be the only thing seen by devices on the Internet, because then you only need to worry about the hardening of one device.

    Being invisible is even better than being hardened. Enable inbound Country Blocking for any country that does not have a compelling need for initiating a connection to your device. The bad guys have bot devices in every country, but everything that reduces your attack surface will improve your security.
