Unwanted packets

Sorry for my English.

I have a problem on my Utm 9.502-4 Pattern 130909 Home Edition.
The problem started just after installation before any configuration.
I have a network composed by a DMZ (Sophos internal network) and my internal network.

All computers are virtual machines.

The firewall between Internet and DMZ is Sophos
The firewall between DMZ and internal network is Microsoft TMG

The problem is: the TMG firewall denies connections for packets from external IPs that should have been blocked by Sophos.

If I disable the internet connection, the packets don't arrive.

On Sophos there is a static route to internal network.
I have tested another IP in DMZ and it doesn't receive any unwanted packet.
Only the gateway to internal network seems to receive unwanted packets.

Below:

  1. A list of some IP sending unwanted packet.
    I have checked them; some of them do not have a bad reputation.
    2.17.205.2
    2.19.70.112
    23.21.45.59
    43.137.167.137
    52.222.171.187
    54.171.245.137
    54.192.27.68
    64.233.167.155
    74.125.206.157
    89.163.159.115
    93.184.221.200
    130.211.5.178
    178.250.0.71
    185.33.223.202
    192.229.223.25
    199.96.57.6
    213.215.153.102
    216.52.1.12
    216.58.205.33
    216.58.205.34
    216.58.205.130
    216.58.205.162
    216.58.205.166
    217.12.15.83

  2. The list from TMG showing ports.
    The ports always have a high number.

I have tried:

  1. A firewall rule.
  2. A black hole route.

Notwithstanding my attempts the packets continue to arrive and are dropped by TMG.

Any idea?
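A quick way to triage "the list from TMG showing ports" before deciding how to block anything, added here as an example and not code from the thread, from Sophos or from Microsoft: it assumes a simplified CSV export of the denied connections (timestamp, action, protocol, source IP and port, destination IP and port; the real TMG log has more columns) and groups the denied entries by external source, then checks whether a source only ever hit high, ephemeral destination ports. The sample lines are constructed, reusing some of the addresses from the list above; the ephemeral range and the `SourceSummary` helper are this example's own choices.

```python
"""Triage helper for a list of denied connections (added example, not vendor code)."""
import csv
import io
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed sample in a simplified shape:
#   timestamp,action,proto,src_ip,src_port,dst_ip,dst_port
# This is NOT the real TMG log format. The external IPs come from the thread's
# list; the gateway address 192.0.2.10, the ports and the timestamps are made up.
SAMPLE_LOG = """\
2017-09-10T10:01:02,Denied,TCP,216.58.205.33,443,192.0.2.10,51234
2017-09-10T10:01:03,Denied,TCP,216.58.205.34,443,192.0.2.10,51240
2017-09-10T10:01:05,Denied,TCP,93.184.221.200,80,192.0.2.10,52001
2017-09-10T10:01:06,Denied,UDP,2.17.205.2,443,192.0.2.10,60512
2017-09-10T10:01:09,Denied,TCP,89.163.159.115,51000,192.0.2.10,22
2017-09-10T10:02:00,Allowed,TCP,192.0.2.10,50000,216.58.205.33,443
"""

# IANA dynamic/private port range (used by Windows). Linux defaults to
# 32768-60999; pass a different start value if the gateway is not Windows.
EPHEMERAL_START = 49152


@dataclass
class SourceSummary:
    """What one external source IP did against the gateway (denied entries only)."""
    count: int = 0
    dst_ports: Set[int] = field(default_factory=set)
    protocols: Set[str] = field(default_factory=set)

    def all_ephemeral(self, start: int = EPHEMERAL_START) -> bool:
        """True when every destination port this source hit is in the ephemeral range."""
        return bool(self.dst_ports) and all(p >= start for p in self.dst_ports)


def summarize_denied(log_text: str) -> Dict[str, SourceSummary]:
    """Group denied entries by external source IP; allowed entries are ignored."""
    fields = ["ts", "action", "proto", "src_ip", "src_port", "dst_ip", "dst_port"]
    summary: Dict[str, SourceSummary] = {}
    for row in csv.DictReader(io.StringIO(log_text), fieldnames=fields):
        if row["action"] != "Denied":
            continue
        ipaddress.ip_address(row["src_ip"])  # fail early on a malformed line
        entry = summary.setdefault(row["src_ip"], SourceSummary())
        entry.count += 1
        entry.dst_ports.add(int(row["dst_port"]))
        entry.protocols.add(row["proto"])
    return summary


def ephemeral_only_sources(summary: Dict[str, SourceSummary],
                           start: int = EPHEMERAL_START) -> List[str]:
    """Sources that only ever hit ephemeral ports, sorted numerically by address."""
    hits = [ip for ip, s in summary.items() if s.all_ephemeral(start)]
    return sorted(hits, key=ipaddress.ip_address)


def service_port_sources(summary: Dict[str, SourceSummary],
                         start: int = EPHEMERAL_START) -> List[str]:
    """Sources that hit at least one service port: real inbound attempts, not return traffic."""
    hits = [ip for ip, s in summary.items() if not s.all_ephemeral(start)]
    return sorted(hits, key=ipaddress.ip_address)


if __name__ == "__main__":
    result = summarize_denied(SAMPLE_LOG)
    for ip in ephemeral_only_sources(result):
        s = result[ip]
        print(f"{ip}: {s.count} denied, only ephemeral dst ports {sorted(s.dst_ports)}")
    for ip in service_port_sources(result):
        print(f"{ip}: hit service port(s) {sorted(result[ip].dst_ports)}")
```

A source that only reaches ephemeral ports on the gateway, from a well-known source port such as 443, is what untracked return traffic of a session opened from the inside looks like, so that is worth ruling out before treating the address as hostile; a source that hits a service port is a genuine inbound attempt and the normal deny rule is the right answer.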

  • Ciao Fabio and welcome to the UTM Community!

    First, several comments:

    1. The UTM can do everything you're now doing with the TMG, so you could simplify your life by eliminating the TMG.
    2. If you're using ESXi, install only VMXNET3 virtual NICs for the UTM instance.
    3. Hosting your own name server that is open to the world is not something I would recommend.
    4. If you are double NAT'ing the devices on the LAN behind your TMG, this will cause problems, especially with IPsec VPNs.

    The Blackhole static route is a new option, and I don't think it's what you want here.  See #2 in Rulz to understand why you want a DNAT for blackholing this traffic instead of the static route or a firewall rule.

    Cheers - Bob
    PS Your English is much better than my Italian!

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 1. The UTM can do everything you're now doing with the TMG, so you could simplify your life by eliminating the TMG.
    As shown in the network diagram TMG is a second defense line between DMZ and Internal network.
    2. If you're using ESXi, install only VMXNET3 virtual NICs for the UTM instance.
    I use Hyper-V; it is included in MSDN --> No cost
    3. Hosting your own name server that is open to the world is not something I would recommend.
    It is a test environment; I want to be able to test many solutions.
    Anyway the DNS responds only for my zones, doesn't forward any query and has no root hints either.
    4. If you are double NAT'ing the devices on the LAN behind your TMG, this will cause problems, especially with IPsec VPNs.
    There is a route relationship between DMZ (Sophos internal network) and TMG.

    5. The Blackhole static route is a new option ...
    Added in desperation trying to block packets.

  • Fabio,

    1. Yes, your diagram confirms the veracity of my observation.  You'd be better off with a DMZ and an Internal NIC in the UTM.

    2. My point was only that similar problems occur when not using VMXNET3 in ESXi-based setups.

    3. Ah, that makes sense!

    4. Then I don't understand your masquerading rule.

    5. Again, use a blackhole-DNAT instead of the blackhole static route meant to be used with OSPF.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA