
New interface and how to block traffic from lan

Hi,

Internal LAN is 192.168.157.0/24 and the new interface added is 192.168.158.0/24.

Our Sophos SG 125 has 192.168.157.70 ip

I'd like to block all traffic between LAN and 192.168.158.0/24, but the existing rule rejecting all traffic does not work: ping, telnet and more are allowed.

Why this situation?

Regards

  • Edgar, it sounds like you may be using the "Any" Network object instead of the "Internet" object in your firewall rules.  You shouldn't need to explicitly block traffic between the two subnets as it will be default dropped if not explicitly allowed.

    Also, pinging is regulated on the 'ICMP' tab of 'Firewall' and is not included in the "Any" service object.  I thought that the devs changed the selections 'Gateway forwards pings/traceroute' to not include ping/traceroute between all UTM interfaces, just those that go out an interface with a default gateway.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi,

    Even using the Internet object there is still traffic between the LAN interface and the new interface. Only one masquerade rule is defined: new_interface->WAN.

    What is wrong?

    Regards

  • Please insert pictures of the relevant configurations open in Edit mode.

    Cheers - Bob

  • Hi,

    This is the rule:

    Any idea?

    Regards

  • Use "Internal (Network)" as the source instead of the "Internal (Address)" object.

    Cheers - Bob

  • I changed to Network and Reject but same result.

  • Edgar, see #2 in Rulz and consult my comment above about pings - you can't block pings allowed on the 'ICMP' tab, but you can allow pings not allowed on the 'ICMP' tab.

    You might be interested in a document I maintain that I make available to members of the UTM Community, "Configure HTTP Proxy for a Network of Guests." If you would like me to send you this document, PM me your email address. I also maintain a version in German, initially translated by fellow member hallowach when he and I did a major revision in 2013.

    Cheers - Bob

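Bob's points above (the "Internet" object instead of "Any", "Internal (Network)" instead of "Internal (Address)", and ping being governed by the ICMP tab) as a small first-match rule simulator. This is an added example, not Sophos code or anything posted in the thread; the client addresses, the approximation of the "Internet" object as "Any minus locally attached networks", and the single ICMP-tab flag are assumptions made for illustration.

```python
import ipaddress
# Constructed network objects mirroring the WebAdmin definitions in the thread;
# the hosts .50, .10 and 203.0.113.5 used below are hypothetical test clients.
LOCAL_NETS = [ipaddress.ip_network("192.168.157.0/24"),
              ipaddress.ip_network("192.168.158.0/24")]
OBJECTS = {
    "Internal (Address)": [ipaddress.ip_network("192.168.157.70/32")],  # the UTM's own IP only
    "Internal (Network)": [LOCAL_NETS[0]],
    "Any": [ipaddress.ip_network("0.0.0.0/0")],
}
LAN_CLIENT, NEW_CLIENT, PUBLIC = "192.168.157.50", "192.168.158.10", "203.0.113.5"

def in_object(ip, name):
    """'Internet' is modelled (a simplification) as Any minus the UTM's locally
    attached networks, so it never matches the 192.168.158.0/24 subnet."""
    if name == "Internet":
        return not any(ip in n for n in LOCAL_NETS)
    return any(ip in n for n in OBJECTS[name])

def evaluate(rules, src_ip, dst_ip, proto, gateway_forwards_pings=False):
    """First-match evaluation of (src, dst, action) rules. Ping is decided on the
    ICMP tab before the rule list; anything matching no rule is dropped by default."""
    if proto == "icmp" and gateway_forwards_pings:
        return "Allow (ICMP tab)"
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for s, d, action in rules:
        if in_object(src, s) and in_object(dst, d):
            return action
    return "Drop (default)"

def scenario_any_vs_internet():
    """LAN -> Any also allows LAN -> new interface; LAN -> Internet does not."""
    any_rule = [("Internal (Network)", "Any", "Allow")]
    inet_rule = [("Internal (Network)", "Internet", "Allow")]
    return (evaluate(any_rule, LAN_CLIENT, NEW_CLIENT, "tcp"),
            evaluate(inet_rule, LAN_CLIENT, NEW_CLIENT, "tcp"),
            evaluate(inet_rule, LAN_CLIENT, PUBLIC, "tcp"))

def scenario_reject_address_vs_network():
    """Reject with Internal (Address) only matches the UTM's own IP, so a client
    packet slips past it to the Allow rule; Internal (Network) catches it."""
    allow = ("Internal (Network)", "Any", "Allow")
    return (evaluate([("Internal (Address)", "Any", "Reject"), allow], LAN_CLIENT, NEW_CLIENT, "tcp"),
            evaluate([("Internal (Network)", "Any", "Reject"), allow], LAN_CLIENT, NEW_CLIENT, "tcp"))

def scenario_ping():
    """Ping survives a Reject rule whenever the ICMP tab forwards pings."""
    rules = [("Internal (Network)", "Any", "Reject")]
    return (evaluate(rules, LAN_CLIENT, NEW_CLIENT, "icmp", gateway_forwards_pings=True),
            evaluate(rules, LAN_CLIENT, NEW_CLIENT, "icmp"))
```

Run the three scenario functions to see which rule shape lets cross-subnet traffic through and which falls to the default drop.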