
Default behavior - allow all or block all?

I have probably the most basic firewall question:

I have 10 interfaces (private subnets) on my UTM. Let's call them 'Internal Network A', 'Internal Network B', 'Internal Network C', etc.

And I have 1 Internet interface.


In UTM there is a built-in object named "Internet IPv4". As the name implies it seems logical that this object means "access to the Internet"


I create an SNAT rule which allows everything on 'Internal Network A' to be able to access the Internet, over Any port.

Rule works, and users on that internal network can get to the Internet.

But then I discover that Internal Network A also now has access to Internal Network B. Huh? Why is that? OK, so I create a rule that explicitly DENIES access to Int Network B from Int Network A. That doesn't work. Users on A can still access stuff on B.

Turns out, when I created the SNAT rule it also created an automatic firewall rule...
   Source: Internal Network A
   Services: Any
   Destinations: Internet IPv4

Which still seems fine. However it appears "Internet IPv4" really means "the Internet plus all other networks".


Is there an object in UTM that really does mean 'Internet Only' that I should have used in my SNAT rule (and consequently in the automatic firewall rule)?

If not then the only option is to:

1. Delete the automatic firewall rule

2. Create a new rule that explicitly blocks traffic from Internal Network A to all other Internal networks

3. Followed by a rule that allows full access from Internal Network A to Internet v4

  • Hello ecar13,

    Thank you for reaching out to the community.

    The Internet IPv4 object binds itself to the WAN interface only.

    When you say users are now able to access Network B from Network A, do you mean they can ping?

    Also, is there any reason you created an SNAT rule instead of only using the Masquerading option?

    If you haven't tried with masquerading, please try and let me know if this changes the behavior.

    Regards,

    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
  • Hi Emmanuel.

    From a computer on Internal Network A, I can ping a device in Int Network B, and I can access a website of a device on Int Network B by entering its private IP address into my web browser on a computer in Priv Network A. (The device is not public facing; it only has an internal IP.)

    In this scenario what is the difference between the SNAT rule and a Masquerading rule?

  • So I am still able to access Internal Network B from Internal Network A.

    Per your advice: I disabled my SNAT rule which gave my Internal Network A access to the Internet. Disabling the SNAT rule also (automatically) removed the auto-created firewall rule.

    Disabling the SNAT rule killed Internet access (as expected) but I am still able to ping and browse to a device on Internal Network B.

    So I suppose this verifies (and as I already knew, as well as you) that the SNAT rule is/was not the culprit.

    Nevertheless, I left the SNAT rule disabled, created a Masquerade rule and then created a Firewall rule.

    Now Internal Network A has Internet Access again.


    At this point, from my laptop which is only connected to Internal Network A I can access a website on Internal Network B.

    Just spent an hour on a remote support session with another Sophos tech but no solution yet. :-(


  • Hello ecar13,

    May I know the Case ID created for your case?

    Regards,

    Emmanuel (EmmoSophos)
  • Hello ecar13,

    I have left a note in the case.

    But have you tried following this KB (https://community.sophos.com/kb/en-us/128105)?

    Once you enable the Proxy, the UTM will intercept that request and pass it down, so the Firewall rule will not block the request; you would need to create a TAG of the IPs you don't want to be accessed for that subnet.

    Regards,

    Emmanuel (EmmoSophos)
  • Thanks Emmanuel,

    The KB shows a quick and easy solution if other issues are already addressed.

    My document takes a different approach and specifies more details about firewall rules, masquerading, DNS, etc.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thanks for all your help with this so far. I am reading through Bob's document and also the KB article mentioned above, but ... how is what I am trying to do different from the way every other interface works on my firewall? Meaning, let's say I have a brand new UTM appliance and I create 2 internal interfaces. Isn't the DEFAULT behavior to BLOCK ALL TRAFFIC between these 2 interfaces (subnets)? Why is my UTM allowing traffic from Internal Network A to Internal Network B?

  • Hi ecar13,

    1) Pings are allowed automatically anywhere when "Gateway forwards pings" in Network Protection -> Firewall -> ICMP is enabled.

    2) Web access is automatically allowed anywhere when "Web protection" is enabled in transparent mode and the source network is in "Allowed Networks" ...

    Bye, Josef

    BERGMANN engineering & consulting GmbH, Wien/Austria
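The two bypasses Josef lists, and the asker's three-step rule order (deny A to B, then allow A to the Internet), as an added Python model of the evaluation order; this is illustrative code written here, not Sophos code, and the subnet prefixes are constructed since the thread names the networks without addresses. It shows why an explicit deny rule in the packet filter cannot stop pings or HTTP when the global ICMP forwarding switch or the transparent web proxy handles the traffic first.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed lab addressing; the thread names the networks but gives no prefixes.
NET_A = ip_network("10.1.0.0/24")
NET_B = ip_network("10.2.0.0/24")
INTERNET = "Internet IPv4"  # stand-in for the UTM object bound to the WAN interface

@dataclass
class Rule:
    action: str   # "allow" or "deny"
    src: object   # ip_network
    dst: object   # ip_network or INTERNET
    service: str  # "any", "icmp", "http", ...

@dataclass
class Utm:
    rules: list
    internal_nets: list
    forward_pings: bool = False     # Network Protection -> Firewall -> ICMP
    transparent_web: bool = False   # Web Protection in transparent mode
    web_allowed_nets: list = field(default_factory=list)

    def _dst_matches(self, rule_dst, dst):
        # "Internet IPv4" is modelled as "any destination not on an internal subnet".
        if rule_dst == INTERNET:
            return not any(dst in n for n in self.internal_nets)
        return dst in rule_dst

    def decide(self, src, dst, service):
        src, dst = ip_address(src), ip_address(dst)
        # 1. The global ICMP switch is honoured before the rule set is consulted.
        if service == "icmp" and self.forward_pings:
            return "allow: gateway forwards pings"
        # 2. The transparent proxy intercepts HTTP from allowed networks, so the
        #    packet filter (and any deny rule in it) never sees the request.
        if service == "http" and self.transparent_web and any(src in n for n in self.web_allowed_nets):
            return "allow: transparent web proxy"
        # 3. Ordinary packet filter: first matching rule wins, else implicit deny.
        for r in self.rules:
            if src in r.src and self._dst_matches(r.dst, dst) and r.service in ("any", service):
                return r.action
        return "deny: implicit default"

def lab(forward_pings=False, transparent_web=False):
    """UTM with the asker's intended order: deny A->B first, then allow A->Internet."""
    rules = [Rule("deny", NET_A, NET_B, "any"), Rule("allow", NET_A, INTERNET, "any")]
    return Utm(rules, [NET_A, NET_B], forward_pings, transparent_web, [NET_A])
```

Running `lab().decide(...)` with both switches off gives the isolation the asker expects; turning either switch on reproduces the reachability seen in the thread for ICMP or HTTP while other services (e.g. SSH) still hit the deny rule.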

  • Josef gave you the right answer to your last question. For a broader understanding, study #2 in Rulz (last updated 2019-04-17).

    Cheers - Bob
