
Default Deny Not Blocking Traffic Across Interfaces?

I'm using the software version of Sophos Home UTM on my ESXi server and have three vNICs added. The connections are my WAN/Internal (192.168.1.0/24 router on this network), Lab (10.10.0.0/24), and Lab2 (172.16.1.0/24).

If I set a firewall rule to allow an Internal machine to any service and any destination, it completely ignores the Default Drop rule for the networks on the other vNICs.

Example:

Source - Internal machine - 192.168.1.2

Service - Any

Destination - Any

If I open up remote desktop on a machine on a different subnet, say 172.16.1.2, the above rule will allow the internal machine (192.168.1.2) to connect to port 3389 on 172.16.1.2, even without an explicit firewall rule allowing inbound 3389 on 172.16.1.2. Typically, this is supposed to fall to default deny because there isn't a rule allowing it.

Just because I allow an any/any outbound rule, doesn't mean it should automatically allow any/any inbound on other vNICs.

Am I missing something here or is this just the way Sophos UTM does things? Do I need to explicitly deny inbound traffic to the other vNICs?

  • You have to be a bit more specific with your rules. The UTM is doing exactly what you are telling it to do.

    If you are just wanting the 192.168.1.2 to go to the internet, select Internet IPv4/6

  • So you're saying the outbound allow any/any rule completely ignores the Default Drop rule and inbound traffic is allowed? I'm confused about this because what it sounds like you're saying is if I create an outbound any/any rule, all Default Drop Inbound rules are completely negated.

    An outbound rule should NOT dictate what is allowed inbound.

  • No, rules are uni-directional and fall in order.

    1. Do you have any automatic firewall rules set as they come before manual ones?
    2. You need to check what order the rules are in, as a rule above the one you are looking at could be matched first, before it ever reaches the rule you are looking at.

  • 'Any' on source or destination means 'Any'. If you only want to allow external connections with that entry you should use 'Internet IPv4/v6' instead, as those definitions are bound to the interface(s) with a default gateway. With UTM you do not define a ruleset for each interface like you would on Cisco ASAs, for example.

    If you want to explicitly block traffic between your two internal subnets (lab networks) while using any targets, you have to drop them before the any entry. 'Default Drop' only takes care of those connections where no firewall rule matches.

    Is your 'WAN' interface really a WAN interface with Masquerading or NAT or is it just a third network, but this time containing a default gateway?

    Gruß / Regards,

    Kevin
    Sophos CE/CA (XG+UTM), Gold Partner
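To make the ordering argument from the answer above concrete, here is a small first-match rule evaluator written as an added example for this thread. It is not UTM code and not Kevin's; it only models the behaviour described: one top-down ruleset shared by all interfaces, 'Any' matching every address including the lab subnets, 'Internet IPv4' (simplified here as "any address not on a directly connected network") excluding them, and Default Drop applying only when nothing else matched. The rule names, the 203.0.113.10 "internet" host and the network definitions are constructed to mirror the original poster's setup.

```python
import ipaddress
from dataclasses import dataclass

# Directly connected networks, constructed to match the thread's three vNICs.
INTERNAL = ipaddress.ip_network("192.168.1.0/24")
LAB = ipaddress.ip_network("10.10.0.0/24")
LAB2 = ipaddress.ip_network("172.16.1.0/24")
LOCAL_NETS = (INTERNAL, LAB, LAB2)

ANY = "any"
# Simplified stand-in for the UTM 'Internet IPv4' definition (assumption:
# "anything that is not on one of our directly connected networks").
INTERNET_V4 = "internet_v4"


@dataclass
class Rule:
    name: str
    src: object    # ip_network or ANY
    dst: object    # ip_network, ANY or INTERNET_V4
    port: object   # int or ANY
    action: str    # "allow" or "drop"


def _match_addr(defn, addr):
    """Does an address match a source/destination definition?"""
    if defn == ANY:
        return True
    if defn == INTERNET_V4:
        return not any(addr in net for net in LOCAL_NETS)
    return addr in defn


def evaluate(rules, src, dst, port):
    """First match wins in one top-down ruleset; anything unmatched hits Default Drop.
    Returns (action, name_of_rule_that_decided)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if (_match_addr(rule.src, src) and _match_addr(rule.dst, dst)
                and rule.port in (ANY, port)):
            return rule.action, rule.name
    return "drop", "Default Drop"


# 1. The original poster's rule: Internal -> Any / Any. 'Any' includes Lab2.
RULESET_ANY = [Rule("internal-any", INTERNAL, ANY, ANY, "allow")]

# 2. Explicit drop placed BEFORE the any rule: this is what the answer recommends.
RULESET_DROP_FIRST = [
    Rule("block-internal-to-lab2", INTERNAL, LAB2, ANY, "drop"),
    Rule("internal-any", INTERNAL, ANY, ANY, "allow"),
]

# 3. Same drop placed AFTER the any rule: never reached, so it changes nothing.
RULESET_DROP_LATE = [
    Rule("internal-any", INTERNAL, ANY, ANY, "allow"),
    Rule("block-internal-to-lab2", INTERNAL, LAB2, ANY, "drop"),
]

# 4. Using 'Internet IPv4' as the destination instead of 'Any'.
RULESET_INTERNET = [Rule("internal-internet", INTERNAL, INTERNET_V4, ANY, "allow")]


def rdp_from_internal_to_lab2(rules):
    """The exact case in the question: 192.168.1.2 -> 172.16.1.2:3389."""
    return evaluate(rules, "192.168.1.2", "172.16.1.2", 3389)


if __name__ == "__main__":
    for label, rules in [("any/any", RULESET_ANY),
                         ("drop before any", RULESET_DROP_FIRST),
                         ("drop after any", RULESET_DROP_LATE),
                         ("Internet IPv4 target", RULESET_INTERNET)]:
        print(f"{label:22} -> {rdp_from_internal_to_lab2(rules)}")
    # Constructed external host (TEST-NET-3) to show Internet IPv4 still permits real egress.
    print("Internet IPv4 to 203.0.113.10:443 ->",
          evaluate(RULESET_INTERNET, "192.168.1.2", "203.0.113.10", 443))
```

Running it shows RDP to the Lab2 host allowed by the any/any rule and by the "drop after any" ruleset, dropped by the explicit rule only when that rule sits above the any entry, and falling through to Default Drop (while 203.0.113.10:443 is still allowed) once the destination is 'Internet IPv4' rather than 'Any'.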

  • No automatic firewall rules and I created them top-down fashion just like traditional firewall rules.

  • Thank you, this is what I was looking for. So the Default Deny rule does NOT drop those connections if an 'Any/Any' rule is there, and an explicit deny needs to be in place before the 'Any/Any' if I want to block inbound to an interface.

    I was used to traditional firewall rules (Cisco ASAs as you mentioned) where if there's an outbound 'Any/Any', there still needs to be an explicit inbound rule defined to allow the inbound connection; otherwise it would fall to implicit denial.

  • Hi, Richard, and welcome to the UTM Community!

    As you're discovering, the WebAdmin metaphor is unlike Cisco in many ways. For the present discussion, you will want to consult #1 in Rulz to have a better grasp of some of the differences.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I would sum the main differences up to 2 or 3 points:

    • ASA's ACLs are bound to specific interfaces, which results in separate top-down rulesets. Sophos' firewall rules are not bindable and apply in one big top-down ruleset. Only destinations or targets can be bound to a specific interface, but in most cases it isn't recommended to do so.
    • On an ASA a static takes care of both the inbound and the outbound traffic; on a UTM you'll always have to create a DNAT/SNAT combination for that, because otherwise the interface with the default gateway will be used for outbound traffic.
    • An ASA is made responsible for more than its own IP address with statics; on a UTM you have to configure additional addresses on the WAN interface first to make them usable.
    • The ASA's PNAT is called 1:1 NAT on UTM.

    Gruß / Regards,

    Kevin
    Sophos CE/CA (XG+UTM), Gold Partner