Unwanted packets

Sorry for my English.

I have a problem on my UTM 9.502-4 Pattern 130909 Home Edition.
The problem started just after installation, before any configuration.
I have a network composed of a DMZ (the Sophos internal network) and my internal network.

All computers are virtual machines.

The firewall between the Internet and the DMZ is Sophos.
The firewall between the DMZ and the internal network is Microsoft TMG.

The problem is: the TMG firewall denies connections for packets from external IPs that should have been blocked by Sophos.

If I disable the internet connection, the packets don't arrive.

On Sophos there is a static route to the internal network.
I have tested another IP in the DMZ and it doesn't receive any unwanted packets.
Only the gateway to the internal network seems to receive unwanted packets.

Below:

  1. A list of some IPs sending unwanted packets.
    I have tested them; some do not have a bad reputation.

  2. The list from TMG showing ports.
    The ports always have a high number.

I have tried:

  1. A firewall rule.
  2. A black hole route.

Notwithstanding my attempts, the packets continue to arrive and are dropped by TMG.

Any idea?



  • Can you draw us a quick picture of the setup so we can more easily understand your network?

    PS. Blanking out 192.168.x.x IPs is not really necessary, since they are only local addresses on your side. It's not your WAN IP address. 192.168.0.0/16 addresses are all RFC1918 private IP addresses that are not in use on the internet.

    You may have additional firewall rules allowing the traffic, or you may have DNAT rules that let the traffic flow.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • Below: net and masquerading rules

    The packets started to flow in just after installing some days ago.
    At that time I had no server configured.
    What other information about the configuration do you want?

  • What would make things a bit clearer is a simple diagram of your network: where TMG and Sophos are, and the connections between them.

    Also, if you go to Firewall in Sophos UTM, can you choose to display ALL rules (not just user-configured rules)? Maybe there are rules (i.e. the DNAT rules for the automatic firewall) that allow the traffic.



  • 1) No DNAT rule allows reaching the point where the unwanted packets are found.

    2) No automatic firewall rule allows reaching the point where the unwanted packets are found.

    3) Network scheme


    Sorry to respond late, but I have another problem with Sophos: see "visual studio-2017 nuget package not working".

  • Thanks for the drawing; that makes the topology clear to me.

    Could it be that the blocked traffic is actually "return traffic" for already active transmissions from any of your hosts behind TMG? You may be able to check that using the IP address that is blocked.

    Also, if you really need to know what's going on, you could use something like Wireshark in between the Sophos UTM and TMG, where you can more precisely monitor exactly what traffic is flowing from where to where and whether or not the "blocked-by-TMG" traffic is return traffic.

    You are using TMG as a 2nd line of defense, but TMG has actually been EOL since somewhere in 2015... Isn't it better to look for alternatives?


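One way to carry out the return-traffic check suggested above, as an added example and not code from the thread: take the packets TMG denied and look for the reversed 4-tuple in outbound traffic captured between the UTM and TMG. The internal address 192.168.1.50, the port numbers and the log shape are constructed; 52.210.8.50 is the external host named later in the thread.

```python
"""Correlate firewall-denied inbound packets with prior outbound flows.

Constructed example: a denied packet whose reversed 4-tuple was seen leaving
the internal network shortly before is return traffic for a connection an
internal host opened itself; if the client had already sent FIN, the packet
is a late straggler, which is what a stateful firewall tends to drop.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float        # seconds, from a capture taken between UTM and TMG
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""  # TCP flags seen, e.g. "S", "FA", "A"


# Constructed capture of the DMZ-side link (192.168.1.50 is a placeholder
# internal client; 52.210.8.50 is the external host mentioned in the thread).
OUTBOUND = [
    Packet(100.0, "192.168.1.50", 51234, "52.210.8.50", 443, "S"),
    Packet(105.0, "192.168.1.50", 51234, "52.210.8.50", 443, "FA"),  # client closes
]

# Constructed entries modelled on TMG "denied connection" log lines.
DENIED = [
    Packet(106.2, "52.210.8.50", 443, "192.168.1.50", 51234, "A"),  # after the FIN
    Packet(107.0, "2.17.205.2", 443, "192.168.1.50", 60000, "A"),   # nothing outbound
]


def classify_denied(denied, outbound, window=120.0):
    """Return {denied packet: verdict}. A denied packet is return traffic when
    the reversed 4-tuple was sent outbound within `window` seconds before it;
    it is a late packet when the client had already sent FIN by then."""
    verdicts = {}
    for d in denied:
        key = (d.dst, d.dport, d.src, d.sport)  # the flow as the client sent it
        matches = [o for o in outbound
                   if (o.src, o.sport, o.dst, o.dport) == key
                   and 0 <= d.ts - o.ts <= window]
        if not matches:
            verdicts[d] = "unsolicited"
        elif any("F" in o.flags for o in matches):
            verdicts[d] = "late-return-after-close"
        else:
            verdicts[d] = "return-traffic"
    return verdicts
```

Feed it the real outbound packets from a SPAN-port capture and the real denied entries from the TMG log to see which drops are late return traffic and which are genuinely unsolicited.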

  • Could it be that the blocked traffic is actually "return traffic" for already active transmissions from any of your hosts behind TMG? You may be able to check that using the IP address that is blocked.


    Considering some of the domains involved (akamaitechnologies.com and amazonaws.co), it is possible.
    If the transaction is started within the internal network, I don't understand why it is not accepted.

    Also, if you really need to know what's going on, you could use something like Wireshark in between the Sophos UTM and TMG, where you can more precisely monitor exactly what traffic is flowing from where to where and whether or not the "blocked-by-TMG" traffic is return traffic.
    Where do you suggest installing Wireshark? On the TMG server or on another server in the DMZ?

    You are using TMG as a 2nd line of defense, but TMG has actually been EOL since somewhere in 2015... Isn't it better to look for alternatives?

    Yes, if I find one at no cost.

  • You could run Wireshark on another PC and then SPAN the WAN switch port of your TMG to another port where you connect your Wireshark device. Of course you could also install Wireshark on TMG, but I would keep it as clean as possible.

    Should it be return traffic that is blocked, it's indeed a little strange, but I don't really have an explanation for that either...


  • Given the capture below, my opinion is that the discovered packets are out-of-sequence (or something similar) packets.
    In fact the capture shows a conversation with the external address 52.210.8.50.


    I don't have such a deep knowledge of TCP/IP to fully understand the capture; your opinion regarding my conclusion is welcome.

  • I'm not sure, but it looks like your internal client is quitting the connection (FIN) after determining that there's a bad certificate.

    Perhaps TMG also discovers something about a bad certificate and then blocks the connection. I can find the same port numbers, but it all seems to be legitimate return traffic, which normally shouldn't be blocked...



  • I agree with your conclusion.
    Thanks