
Are logged invalid packets allowed or rejected?

I am having trouble with the connection of a Withings WiFi Scale to the internet. Everything worked fine until I replaced the router with UTM 9. For some reason it stopped working.

My setup is simple. I have only one uplink, everything is on simple NAT, Transparent Web filtering was on.

I've tried to disable everything I could, turned off all IPS, ATP, disabled Web Filtering, and just in case added the IP of the WiFi scale to the exception list everywhere, and put an allow Any - Any rule at the top, to rule out everything, and the damn thing won't work. The only thing that works is that the WiFi scale gets an IP from DHCP, gets DNS answers, and sends requests to the Withings server.

Here is the only thing I have noticed in Firewall log:

/var/log/packetfilter.log:2017:03:25-12:37:17 utm ulogd[6952]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="0" srcip="192.168.1.85" dstip="89.30.121.150" proto="6" length="44" tos="0x00" prec="0x00" ttl="255" srcport="49154" dstport="443" tcpflags="SYN" info="nf_ct_tcp: invalid packet ignored in state ESTABLISHED "

My understanding is that this packet is logged, and something is wrong with it. So I guess it didn't pass through. Is there a way that I can allow it to pass through, just to see what will happen? Maybe the WiFi scale works with those invalid packets :)

fwrule="0" is the default rule, and I have no idea how to edit it and allow this. My new Any - Any rule is #1, so this one still precedes it.

Any ideas?
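The log line quoted above is in the key="value" format that ulogd writes to packetfilter.log on UTM 9. The following parser is an added example, not part of the original post or of Sophos's own tooling: it splits such lines into fields and separates ordinary rule verdicts (action="accept" / action="drop") from the conntrack "invalid packet" entries, which carry action="log" and fwrule="0" because they come from connection tracking rather than from a numbered firewall rule. The first sample line is the one quoted in the post; the other two sample lines are constructed variants for illustration, and the field names assumed for them (action="drop", action="accept") follow the same log convention.

```python
import re
from collections import Counter
from typing import Dict, Optional

# Constructed sample log. Line 1 is quoted from the post (with its
# "/var/log/packetfilter.log:" grep prefix); lines 2 and 3 are constructed
# variants showing a rule drop and a rule accept for the same flow.
SAMPLE_LOG = """\
/var/log/packetfilter.log:2017:03:25-12:37:17 utm ulogd[6952]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="0" srcip="192.168.1.85" dstip="89.30.121.150" proto="6" length="44" tos="0x00" prec="0x00" ttl="255" srcport="49154" dstport="443" tcpflags="SYN" info="nf_ct_tcp: invalid packet ignored in state ESTABLISHED "
2017:03:25-12:37:18 utm ulogd[6952]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" srcip="192.168.1.85" dstip="89.30.121.150" proto="6" length="44" tos="0x00" prec="0x00" ttl="255" srcport="49154" dstport="443" tcpflags="SYN"
2017:03:25-12:37:19 utm ulogd[6952]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="1" srcip="192.168.1.85" dstip="89.30.121.150" proto="6" length="44" tos="0x00" prec="0x00" ttl="255" srcport="49154" dstport="443" tcpflags="SYN"
"""

# Optional "path.log:" prefix that grep adds when searching several files.
GREP_PREFIX_RE = re.compile(r"^\S+\.log:")
# timestamp, host, process[pid]:, then the key="value" pairs.
HEADER_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>\S+): (?P<rest>.*)$")
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one packetfilter.log line into a flat dict; None if malformed."""
    line = GREP_PREFIX_RE.sub("", line.strip())
    m = HEADER_RE.match(line)
    if not m:
        return None
    rec = {"ts": m.group("ts"), "host": m.group("host"), "proc": m.group("proc")}
    rec.update(dict(FIELD_RE.findall(m.group("rest"))))
    return rec


def is_conntrack_invalid(rec: Dict[str, str]) -> bool:
    """True when the entry is a conntrack 'invalid packet' notice, not a rule hit."""
    return rec.get("info", "").startswith("nf_ct_tcp: invalid packet")


def verdict(rec: Dict[str, str]) -> str:
    """Map the action field to what the entry tells you about the packet.

    action="log" with a nf_ct_tcp info field only says the packet was logged as
    invalid by connection tracking; whether it is also dropped depends on the
    separate 'Block invalid packets' setting, not on this log line.
    """
    action = rec.get("action")
    if action == "drop":
        return "dropped"
    if action == "accept":
        return "accepted"
    if action == "log" and is_conntrack_invalid(rec):
        return "logged-invalid"
    return "logged"


def summarize(log_text: str) -> Dict[str, int]:
    """Count entries per flow and verdict, e.g. '192.168.1.85->89.30.121.150:443/dropped'."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key = f"{rec.get('srcip')}->{rec.get('dstip')}:{rec.get('dstport', '')}/{verdict(rec)}"
        counts[key] += 1
    return dict(counts)


if __name__ == "__main__":
    for flow, n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{n:4d}  {flow}")
```

Running it against a real packetfilter.log (`summarize(open("/var/log/packetfilter.log").read())`) shows at a glance whether a flow that is failing is actually being dropped by a rule or is only producing conntrack "logged-invalid" entries, which is the distinction the question asks about.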



  • Here is what I found in tcpdump:

    18:10:28.899478 IP withings.49154 > 89.30.121.150.https: Flags [P.], seq 3242:3823, ack 3649, win 6523, length 581
    18:10:58.946484 IP 89.30.121.150 > withings: ICMP ip reassembly time exceeded, length 556
    18:11:03.955797 ARP, Request who-has withings tell utm, length 28
    18:11:03.971558 ARP, Reply withings is-at 00:24:e4:12:af:c6 (oui Unknown), length 46

    and it loops endlessly...

    withings is the same 192.168.1.85 ip as above

  • Rule 0 is a little strange because internal rules even at the top of the tree have a 600x number.

    You will need the following rule to allow a basic internet connection

    internal network -> any protocol (port) -> any (which is a generic term for the anybody outside of your UTM) -> allow -> log

    MASQ internal network ->external interface.

    With that rule you should see all traffic logged, good, bad or indifferent. If packets are dropped it usually means there is no identifiable connection for the router (UTM) to associate them with.

    This can be caused by a different device responding to your original request, which means you will need more complex rules and NAT setups.


    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Here are the rules I have. I thought that with these rules I should allow all traffic from the WiFi scale (withings) to the Withings server (withings-srv).

    I have connected the WiFi scale to a 4G router, and it works fine... so there is an issue with the UTM. I have no idea how to disable any protection for those IP addresses...

  • Is the server internal? If it is, you will need DNAT rules to allow for incoming traffic.

    You are comparing a toy router with a serious firewall security device. By default all traffic is blocked and you need to make rules to allow the traffic to flow.


  • Hi Rock Road,

    I have the same issues at some of my customers and have created a support case. Sophos said it's a bug. Please open a support case as well. My Case ID is 7061244.

    Disable "Block invalid packets" under Network Protection / Firewall / Advanced / Protocol Handling. That's the only workaround at the moment.

    regards

    mod

  • I don't even have them enabled:

    I am just logging them. One more reason to be confused, as I am not sure whether logged invalid packets are allowed and logged, or blocked and logged.

  • With this configuration the packets are not blocked.