Hello,
I've been a Sophos users for over 2 years now in a home environment and this is the first time I've hit a wall with troubleshooting.
Hopefully there are members would could help shed some light on my matter:
I'm running Sophos 9.5 in a home environment with a desktop and several VMs running locally,
from this network I am trying to access SSH services hosted external to the network on AWS and what I am finding is that the connection times out.
FIREWALL:
I have several rules configured with the bottom most rule being an allow all
Rule 8: ANY Internal NET > ANY Service > Any External IP
NAT:
ANY Internal NET > External Interface - Masquerade behind the external IP
When I attempt a remote SSH session I get the following log on my UTM:
2018:12:15-18:01:19 caton-sec ulogd[21044]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept"
fwrule="8" initf="eth0" outitf="eth1" srcmac="00:0c:29:4c:ec:77" dstmac="00:0c:29:91:1e:fb" srcip="10.1.54.239" dstip="34.247.176.255" proto="6"
length="60" tos="0x00" prec="0x00" ttl="63" srcport="49608" dstport="22" tcpflags="SYN"
but the session hangs and times out, with no log record for the return traffic, so I perform a TCPdump on the UTM CLI which shows that the remote host is responding:
18:35:00.025045 IP caton-sec.51130 > ec2-34-247-176-255.eu-west-1.compute.amazonaws.com.ssh: Flags [S], seq 1860907526, win 29200, options [mss 1460,sackOK,TS val 386374376 ecr 0,nop,wscale 7], length 0
18:35:00.047176 IP ec2-34-247-176-255.eu-west-1.compute.amazonaws.com.ssh > caton-sec.51130: Flags [S.], seq 3696467590, ack 1860907527, win 26847, options [mss 1460,sackOK,TS val 4947420 ecr 386374376,nop,wscale 7], length 0
18:35:00.047737 IP caton-sec.51130 > ec2-34-247-176-255.eu-west-1.compute.amazonaws.com.ssh: Flags [.], ack 1, win 229, options [nop,nop,TS val 386374399 ecr 4947420], length 0
18:35:00.095154 IP ec2-34-247-176-255.eu-west-1.compute.amazonaws.com.ssh > caton-sec.51130: Flags [P.], seq 1:22, ack 1, win 210, options [nop,nop,TS val 4947468 ecr 386374399], length 21
I've attempted this SSH connection by logging into the UTM via SSH and running the SSH command from the UTM CLI and this works successfully, which evidences that the remote host is available and listening on port 22.
In a previous attempt earlier in the day I see this log:
2018:12:15-01:31:41 caton-sec ulogd[32740]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001"
initf="eth1" srcmac="00:01:5c:81:ac:47" dstmac="00:0c:29:91:1e:05" srcip="34.255.9.199" dstip="82.26.212.57" proto="6" length="52" tos="0x00" prec="0x00"
ttl="43" srcport="22" dstport="40977" tcpflags="ACK FIN"
And after some research I see that fwrule="60001" means there is no DNAT in place to direct the traffic (https://community.sophos.com/kb/en-us/115029)
As my understanding goes, return traffic should be allowed/NAT'd if the outgoing connection is permitted, but I'm not sure why the return traffic in this instance is being dropped and not NAT'd to the original host in the initiating connection? If this was an issue for other services then I would have no internet connection but HTTP browsing and other internet traffic is working fine, only SSH affected.
This thread was automatically locked due to age.
