Automatic firewall rules Vs Manual firewall rules

Hi All

I am trying to get a better understanding of the differences between the 2.  I am using UTM 9 on SG125

I have multiple IPSEC sites (Grouped as VPN-0-All Branches) all connecting to Head Office (VPN-Z-LAN).

So I do not enable automatic firewall rules but set to manual rules as follows Key being 1&2 (Allow between Branch & HO Any + HO & Branch Any)

My application (using single port for connection) connects fine under above but I cannot access anything else such as web access to remote router or remote desktop via IP address

If I enable rule 4 (Web Surfing) I can access remote router but still cannot remote desktop to a machine at branch using IP address i.e.

 

However if I let UTM create an auto rule all works fine (even if I have all others disabled) e.g.  In this example have allowed creation of auto firewall rule between Branch B and Z Any

In this case all works fine. So what's the difference? Huh?

Is it the case the in manually created rule "Any" is not the same thing as "Any" on the auto created rule or something else?

 

Any insight would be appreciated

  • Hi snooty,

    please check your "all branches" group-object and the member objects.

     

    - is VPN-B1-LAN member of VPN-0-All Branches? (if you don't use the exact same objects, please double check IP definition for typos)

    - is there an "Interface" Configured in the Hosts / Network-Objects  Advanced section?

     

    if the above is given there shouldn't be any difference betwen automatic and your rules.

     

    Enabling rule 4 allows Webmanagement of the router (maybe the better destination would be "internet v4 / internet v6" which refers to "any destination reacheable via an interface which has a default gateway") if you intended to allow Internet-Websurfing not ANY Websurfing ;)

     

    yours Lukas

  • I have not stared at your examples long enough to understand your configuration, but I do understand the theory, which is enough to answer your question:

    • The VPN Profile defines what packets the remote device will send into the tunnel.   Anything not included in the VPN profile is handled locally by the remote device.
    • All of the normal UTM proxy logic is applied to the packet when it arrives at UTM.   Depending on your enabled proxies and Allowed Networks list, the packet may be handled by Web Filtering, FTP Proxy, POP3 proxy, Web Protection, or Firewall Rules.   Assuming that you have not enabled the VPN source addresses for any of the proxy Allowed Networks list, the packet will be processed by Firewall Rules.
    • The Default firewall rule is to DROP.   So for any traffic to be accepted from the tunnel, you need to give it permission.
    • If you choose Automatic Firewall rules, UTM creates an Firewall ALLOW rule that matches the VPN Profile (all allowed addresses, all ports).   In most situations, this is too permissive.
    • If you choose Manual Firewall rules, then UTM relies on you to define what specific ports on which specific addresses will be allowed.
    • Obviously, the Manual Firewall rules can only allow traffic that arrives at UTM, so it can only allow traffic for the addresses included in the VPN profile.

    You said that with Automatic Rules off, your traffic is being blocked.   This means that your manual rules are not allowing all of the traffic that you want, or that the rule is in the wrong position, so a BLOCK rule is being applied before a desired ALLOW rule can be detected.   Rules are processed from low number to high.

  • In reply to lna:

    Hi Ina

    Thank you for your quick reply

    - is VPN-B1-LAN member of VPN-0-All Branches? (if you don't use the exact same objects, please double check IP definition for typos)

    Yes it is - To double check I also tried using VPN-B1-LAN with same results.

    In a nutshell and I have tried the following simple setup:

    VPN-B1-LAN ---Any----> VPN-Z-LAN /Allow (Manual Rule)
    VPN-B1-LAN <---Any---- VPN-Z-LAN /Allow (Manual Rule)
    Any ----Any----> Any /Drop

    Allows my application to communicate but not other applications like web access to remote router / remote desktop

    Whereas:

    VPN-B1-LAN ---Any----> VPN-Z-LAN /Allow (Automatically Created Rule)
    VPN-B1-LAN <---Any---- VPN-Z-LAN /Allow (Automatically Created Rule)
    Any ----Any----> Any /Drop

    This works fine for everything including my application / web access to remote router / remote desktop etc...

    I cannot see any difference between the two the manual rule and the automatic rule.
    I change nothing else in the system but when I delete the manual rules and select to create automatic rules, it creates the above two and all works well.


    >> is there an "Interface" Configured in the Hosts / Network-Objects Advanced section?

    Am a little confused here - Where should I be looking for this?
    I have two interfaces Internal / External

    VPN-B1-LAN is bound to External
    VPN-Z-Lan is bound to Internal

     

    >>Enabling rule 4 allows Webmanagement of the router (maybe the better destination would be "internet v4 / internet v6" which refers to "any destination reacheable via an interface ??>>which has a default gateway") if you intended to allow Internet-Websurfing not ANY Websurfing ;)

    I do not need any "internet" access on this network - it simply exists for point to point communication between Head Office and Branches with IPSEC VPN.

    The required traffic between the VPN is only a few ports for our applications + remote desktop and access to the remote site routers for management purposes.

    The automatic rules work fine but allow all traffic between a Branch and Head Office - I was looking to set to manual and once I had better understood the finer points, restrict traffic to only those ports needed.

     

    Thank you.

  • In reply to snooty:

    Do you get any insight from doing #1 in Rulz?  Look at #2 to get a better understanding of priorities in traffic handling.

    Cheers - Bob

  • In reply to BAlfson:

    Hi Bob,

    Thank you as always for your insight - The Rulz link was very helpful. 

    I can spot the issue but not sure why it is happening :)

    So my rules are basically as follows (All manual)

    #1  Branch ---Any---->HeadOffice  /Allow

    #2 HeadOffice --- Any--->Branch  / Allow

    #3 Any ---Any--> /Drop

    So my first rule of    Branch ---Any---->HeadOffice  /Allow  (Manual)  works fine from Branch Side can access all as required

     

    My #2 rule  is the one causing an issue From HeadOffice side a machine cannot access a service at branch e.g access router / ping a remote machine / router

    If I change the rule  #2 to #2 HeadOffice --- Any--->Any  / Allow

    All starts to work fine.

     

    In terms of network definitions HeadOffice would be 192.168.150.0/24    Branch would be 192.168.187.0/24

    Rule #1 works fine - Branch can access all services at Head Office

    Rule #2 does not work as HeadOffice --- Any--->Branch  / Allow  but does work as as    HeadOfficeOffice --- Any--->Any  / Allow

     

    But the thing that freaks me out is when it creates the same thing via auto rules it works fine

    i.e. auto rules create exactly the same as my #1 #2 and work fine.

    So I am wondering if auto configured rules also do something else?

     

    Thanks

     

     

     

     

     

     

     

     

     

  • In reply to snooty:

    Could it be that your branch network definition is bound to an interface (see Rule 3 from Rulz)?

  • In reply to snooty:

    You will want to delete your 'Any -> Any -> Any : Drop' rule.  Even if you log those drops, there's less information in the log that there is with a default drop.

    Cheers - Bob

  • In reply to BAlfson:

    Hi All,

    Thank you so much for your guidance and reference to the rulz - I understand a lot better now (Bob: the log file started to make more sense when I disabled the Any-Any-Any:Drop rule)!

    Now I better understand what is happening and as  pointed out the issue is Rule 3 from Rulz

    Now to the hard part of understanding the logic!

     

    I had previously marked the branch networks as bound to External Interface and Head Office network as bound to Internal Interface so my Firewall was actually like this when I manually created the firewall rules:

    #1   Branch (Bound2ExternalInterface) ---> Any --> HeadOffice (Bound2InternalInterface)  / Allow

    # 2  HeadOffice (Bound2InternalInterface) -->Any -->Branch (Bound2ExternalInterface)  / Allow

    #3   Any-->Any-->Any /Deny

     

    In the above scenario - Branch can access HeadOffice services in full  ; However HeadOffice cannot access Branch services

    So if I try to access branch router from Head Office I get "Default DROP TCP  192.168.150.39:51022 → 192.168.190.254 :80"  [.150 being Head Office .190 being Branch]

    As soon as change Branch as (Interface Any) -- HeadOffice can fully access Branch services so changing to the following works:

    #1   Branch (Interface Any) ---> Any --> HeadOffice (Bound2InternalInterface)  / Allow

    #2   HeadOffice (Bound2InternalInterface) -->Any -->Branch (Interface Any)  / Allow

    #3   Any-->Any-->Any /Deny

     

    What confused me (and led me round the garden path) is that when I do use the same thing via automatic firewall rules I did not encounter any issues

    So when automatic rules showed   #1   Branch ---> Any --> HeadOffice  / Allow    +  # 2  HeadOffice -->Any -->Branch   / Allow

    Branch was still Bound2ExternalInterface   &  HeadOffice was still Bound2InternalInterface

    I can only assume that for automatic firewall rules it ignores any such binding regardless of what has been set - Am I correct in this line of thought?

     

    So as a final understanding my manual rules should be:

    #1   Branch (Interface Any) ---> Any --> HeadOffice (Interface Any) / Allow

    #2   HeadOffice (Interface Any) -->Any -->Branch (Interface Any)  / Allow

    #3   Any-->Any-->Any /Deny

     

    Is this correct i.e As per rule #3 network definitions should never be bound to an interface?

     

    Taking note of your comment Bob with regard to #3

    Should this rule remain? (assuming I want no traffic other than between HeadOffice and Branch)

    I had alway thought it good practice to set last rule as deny all else (even though I assume this is implicit).

     

    Thank you for all very much your help.

     

     

     

     

     

     

     

  • In reply to snooty:

    Not sure why the auto fw rules did work, but do know that binding to an interface can give a lot of headache and unforeseen trouble (as you have noticed too).

    In UTM all traffic that isn't allowed is automatically blocked, adding a block rule at the end is only usefull if you don't want to log this traffic (you can then disable logging on this rule). However I find this traffic quite informational from time to time, but I did for example put a block rule at the top of my rules where I block telnet and ssh access from the internet and don't log it, otherwise I see too much of these block rules in the log.

    Your final understanding about all definitions being interface any is correct.

    One thing that I have found which is a plus for "automatic fw rules" is that those rules are only active when the underlying (either DNAT or VPN) is also active. If you deactivate those, the auto fw rules are also automatically deactivated. However in site-to-site VPN an auto fw rule will allow any traffic from A to B and vice versa where in manual rules you can be much more granular and only allow services that need to be allowed.

  • In reply to snooty:

    Interesting, I don't know why the behavior was different with automatic rules.

    The underlying firewall engine is iptables.  Iptables considers traffic to be in INPUT, FORWARD and OUTPUT chains.  Using a Network/Host definition bound to an interface causes WebAdmin to create an iptables firewall rule for the INPUT or OUTPUT chain, instead of the FORWARD chain which is what you wanted.

    A firewall will block everything not explicitly allowed, so #3 does nothing for you other than limit the information in the Firewall log file.  Look again at #2 in Rulz and you will be reminded that WebAdmin creates many (invisible except at the command line) Allow rules when things like Web Filtering are configured.

    Cheers - Bob

  • In reply to apijnappels:

    I can only assume auto fw rules ignore the interface bindings - From my tests this seems to be the case.

    I simply did not understand the implications of binding to an interface - Not sure why but it just seemed like common sense to me!

    I had always used auto fw rules but as as my traffic is all site to site vpn with very limited services required - it would make sense to move to manual rules and restrict to only those service.

    However I will keep you comment in mind regarding auto rules for non site to site vpn should I require them.

    Thank you for your help. Life makes sense again!

  • In reply to BAlfson:

    I have done some initial reading and now understand the implications if Input/Output vs Forward a lot better.

    From what I can see there is certainly a difference with automatic rules and they ignore interface bindings to create proper forward rules.

    I take your point on #3 (although I suspect it will be a hard habit to break!) -  I will look at the Rulz guide in more detail.

    Thank you as always for your guidance, much appreciated.