
DNAT created Automatic Firewall Rule is missing services when viewed in Edit

After creating a DNAT rule with Automatic Firewall Rule selected, examining the automatically created firewall rule (via Edit) shows the Services section of the firewall rule blank.

Is this a UI error, or is the rule in fact not limited to the service that was specified when creating the DNAT rule?

Thanks for any assistance you are able to provide!


BTW - "External SSH" in the DNAT rule is a non-default internet facing port used for incoming SSH sessions.



  • Hi SY and welcome to the UTM Community!

    The first thing I would do is try a different browser or clear your browser cache.

    If the result is still the same, we can determine whether or not it's a UI glitch by checking the configuration database.  I'm guessing at the name of the NAT object, but it should be right.  As root at the command line, paste the following command:

    cc get_object_by_name packetfilter nat 'External SSH from Any to External (WAN) (Address)'|grep auto_pf_in

    That should give you the REF_ of the automatic firewall rule.  I'll guess it's REF_PacPacExterFromAny, but you'll know what to change in the following to see the REF_ of the service in the firewall rule object:

    cc get_object  'REF_PacPacExterFromAny'|grep REF_SerTcp

    I'll guess that you see REF_SerTcpExternaSsh, so if it's not empty, this is a UI issue and you're the first to report it - that's why I suspect your browser cache.

    Please report your results!

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
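    The two-step check Bob describes (look up the NAT object, follow its auto_pf_in REF_ to the automatic firewall rule, and read that rule's 'services' field) can be scripted so the verdict does not depend on eyeballing the dump. The script below is an added example for this thread, not Sophos code and not something posted by Bob or SY. It assumes that `cc get_object_by_name` and `cc get_object` print objects in the `'key' => 'value'` / `'key' => [ ... ]` layout quoted later in the thread, and that the automatic rule's REF_ appears as `'auto_pf_in' => 'REF_...'`; the two sample dumps are constructed for the example, reusing only the REF_ names that appear in the thread. Only `check_dnat_auto_rule` needs the UTM's confd client; the parsers and the demonstration at the end run on any POSIX shell.

```shell
#!/bin/sh
# Added example: verify from the config database that the automatic firewall
# rule created by a DNAT is restricted to a service, instead of trusting WebAdmin.
# Assumption: cc dumps objects as  'key' => 'value'  and  'key' => [ 'REF_..', .. ].

# Print the value of a scalar key, e.g.  'auto_pf_in' => 'REF_PacPac16553FromAny',
# Reads a cc object dump on stdin.
scalar_field() {
    key="$1"
    sed -n "s/^[[:space:]]*'$key' => '\([^']*\)'.*/\1/p"
}

# Print the REF_ entries of an array key, one per line, e.g.
#   'services' => [
#                   'REF_SerTcp1655352222'
#                 ],
# Only the array belonging to "$1" is read; REF_s in other arrays are ignored,
# and an empty array ('services' => []) yields no output.
array_field() {
    key="$1"
    awk -v key="'$key'" '
        $1 == key && $2 == "=>"               { inside = 1 }
        inside && match($0, /REF_[A-Za-z0-9_]+/) { print substr($0, RSTART, RLENGTH) }
        inside && /\]/                        { inside = 0 }
    '
}

# Verdict for a firewall-rule dump on stdin: "restricted" when at least one
# service is referenced, "ANY" when the services list is empty (the rule would
# then admit every protocol/port to the destination, which is what SY feared).
service_verdict() {
    n=$(array_field services | awk 'END { print NR }')
    if [ "$n" -gt 0 ]; then echo restricted; else echo ANY; fi
}

# Full check as root on the UTM (needs the real confd client, which is `cc` there):
#   check_dnat_auto_rule 'External SSH from Any to External (WAN) (Address)'
# Exit 2 if the NAT object has no automatic rule, 1 if the rule has no services.
check_dnat_auto_rule() {
    ref=$(cc get_object_by_name packetfilter nat "$1" | scalar_field auto_pf_in)
    [ -n "$ref" ] || { echo "no automatic firewall rule found for '$1'" >&2; return 2; }
    dump=$(cc get_object "$ref")
    echo "automatic rule: $ref"
    printf '%s\n' "$dump" | array_field services | sed 's/^/  service: /'
    verdict=$(printf '%s\n' "$dump" | service_verdict)
    echo "services: $verdict"
    [ "$verdict" = restricted ]
}

# --- constructed sample dumps (not captured from a real UTM) ---------------
SAMPLE_NAT=$(cat <<'EOF'
          'name' => 'External SSH from Any to External (WAN) (Address)',
          'auto_pf_in' => 'REF_PacPac16553FromAny',
          'status' => 1,
EOF
)

SAMPLE_AUTO_RULE=$(cat <<'EOF'
          'services' => [
                          'REF_SerTcp1655352222'
                        ],
          'sources' => [
                         'REF_CONSTRUCTED_SOURCE'
                       ],
          'status' => 1,
EOF
)

SAMPLE_AUTO_RULE_EMPTY=$(cat <<'EOF'
          'services' => [],
          'sources' => [
                         'REF_CONSTRUCTED_SOURCE'
                       ],
          'status' => 1,
EOF
)

# Demonstration on the constructed dumps (runs without a UTM):
printf '%s\n' "$SAMPLE_NAT" | scalar_field auto_pf_in          # REF_PacPac16553FromAny
printf '%s\n' "$SAMPLE_AUTO_RULE" | service_verdict             # restricted
printf '%s\n' "$SAMPLE_AUTO_RULE_EMPTY" | service_verdict       # ANY
```

    Run on the appliance, a "restricted" verdict with the expected REF_SerTcp... line means the rule in the database is fine and the blank Services box is a display problem; an "ANY" verdict would mean the DNAT's automatic rule really is unrestricted and should be fixed or replaced with a manual rule.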
  • If it's a UI bug, it has nothing to do with browser cache.  I tried accessing the WebAdmin page using both Firefox and Chrome (both under Linux), and in both cases the service area is blank.

    Taking a shot in the dark (I'm running the software in a VM with snapshots that I can roll back if I break anything) I did a little digging around and tried to dig out the information by using cc interactively.  Here's what I did, which may or may not be what was needed.

    cc
    OBJS
    packetfilter
    nat
    <tab>

    This displays: REF_PacNatExterSshFrom[External SSH from Any to External (WAN) (Address),packetfilter,nat]

    Hitting enter at this point displayed several lines.  The one with auto_pf_in contains REF_PacPac16553FromAny

    Exiting out of cc and doing a cc get_object 'REF_PacPac16553FromAny' includes the following partial result:

    'services' => [
                    'REF_SerTcp1655352222'
                  ]

    I have no idea what these results mean and would appreciate any explanation that you can give.

    Thank you.

  • That looks like your "External SSH" object's REF.  Based on that, I assume that it's TCP 1:65535->2222.

    This means that the service is in the DNAT object so there's some problem with displaying it.

    You've proven that it wasn't the browser cache, but I've not heard of a glitch like this before, so I doubt it's a bug.  I guess some of the magic blue smoke got out of your computer. ;-)

    What happens if you delete this DNAT and create a duplicate?

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I deleted the old DNAT and the custom objects in use.

    I created some new objects and created a new DNAT with an automatic rule. The purpose of the DNAT is to map a non-standard external port to the SSH port on a particular PC on the internal network.

    Clicking edit for the DNAT generated automatic firewall rule shows sources and destinations populated and services blank, as was the case initially.

    I suspect that there haven't been too many people clicking edit on automatic firewall rules.

    Thanks!

  • Again, guessing at the name, try

    cc get_object_by_name packetfilter packetfilter 'External SSH from Any to External (WAN)(Address)'

    The name might be 'SSH from Any to Target', but I would expect the above and for you to see the REF_ for SSH in the 'services' field.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA