Firewall rule id:0 : Economist (Eiu.com) site blocked

New to SophosX and not a network pro, but I can tinker and go deep as needed. Using it to secure my home network.

 

My Sophos rules are the default rules; I did not do anything specific. There is a default rule allowing all LAN to WAN traffic, and hence I expect that part should work well for all.

Tried accessing the site pages.eiu.com (Economist site). The policy tester shows the packet dropped due to Firewall Rule ID:0. Can't figure out a way of allowing this. Do I need any other explicit rule? Isn't my default rule supposed to handle this?

 

Any help is appreciated.

 

Thanks



  • Some more tests show that the root cause of the problem is the Pi-hole based DNS server in my setup. While Pi-hole does not essentially block the site, certain sites get blocked, falling into firewall rule 0.

    Assuming there is a need for a specific rule here. Trying to find that now. Support appreciated.

  • Hi  

    Could you please open the developer tools of the browser and try to check the status of the URL?

    Did you apply any content filtering on the firewall rule from where the traffic has been passing?

    Please create a source IP based rule and verify without applying any policy, only MASQ and Gateway.

    Please go to Web >> General Setting >> Malware and content >> Advanced Settings >> Check the status of Pharming protection

    For firewall rule 0: https://community.sophos.com/kb/en-us/131968

    Regards,

    Keyur
    Community Support Engineer | Sophos Support

  • Thanks Keyur.

     

    Keyur said:


    Could you please open the developer tools of the browser and try to check the status of the URL?

    Yes, the URL is not reachable. Err: Connection Refused

     



    Did you apply any content filtering on the firewall rule from where the traffic has been passing?

    No content filter applied. Regardless, the policy tester says the web filters are not blocking, only the firewall.

     

    Please create a source IP based rule and verify without applying any policy, only MASQ and Gateway.

    Unfortunately, the impact is the same

     

    Keyur said:

    Please go to Web >> General Setting >> Malware and content >> Advanced Settings >> Check the status of Pharming protection

    For firewall rule 0: https://community.sophos.com/kb/en-us/131968

     

    I could only see firewall rule 0 triggering when the DNS server is pointing to my Pi-hole (which is doing DNS over HTTPS internally towards cloudflared). If I give external DNS servers, there is no drop. So I am assuming there is an issue in Pi-hole (Cloudflared DoH) + Sophos.

    Some rule is expected for this configuration.

     

     
  • Finally boiled down to the root cause.

     

    For DNS over HTTPS (Cloudflared or equivalent to work on all sites) in Pi-hole, this is what I did:

    1. My Cloudflare-based DoH was running on port 5053 in Pi-hole.

    2. So I created a new service called DNSoH and added protocol/source/dest ports for 53, 5053 and 443 (combinations and permutations of these ports) as follows:

    TCP (53) / (5053), TCP (5053) / (443), TCP (5053) / (53), TCP (53) / (443), UDP (53) / (5053), UDP (5053) / (443), UDP (5053) / (53), UDP (54) / (443)

    3. That solved the problem. Most of the rule:0 exceptions are gone.