Traffic allowed although rule specifies "drop" - or is the log entry incorrect / misleading?

Hello from Germany,

I am trying to wrap my brain around the following situation:

  1. I have a rule that allows access to an NTP server to anybody (# 61, rule says ACCEPT, see below)
  2. I have IP cameras which should not be allowed to reach outside of the LAN (# 62, rule says DROP, see below)
  3. I have placed the IP-Camera rule below the TIMESERVICES rule
  4. I expect everything to be dropped now (except NTP, of course), but looking at the log for rule # 62 I see:

Rule #62 allows traffic on TCP 80 and TCP 443.

Now, the "out interface" shows up empty - of course this is not covered by rule # 62. What is really happening, or rather, what is not happening (like traffic going to China)?

With best regards

Volker

IP Host entry for bspc0030:

IP Host group used in IP-Camera rule

IP-Camera rule

Rules in LAN-TO-WAN group



Added TAGs
[edited by: emmosophos at 10:29 PM (GMT -7) on 12 Oct 2021]
  • Hi,

    Your camera rule is allowing all traffic out; you need to specify which services the camera is allowed to use.

    ian

     
    V18.5.x - e3-1225v5 6gb ram with 4 ports - 20w. 
    If a post solves your question use the 'This helped me' link.
  • Hm, I think the camera rule says "drop" and "any service"

    With best regards

    Volker

    This message was written using a smartphone, that might explain the typos and the weird words inserted by autocorrect.


    Protectli FW4B, Sophos Firewall XG Home Edition SFVH (SFOS 18.5.1 MR-1-Build326)

  • Sorry, I was reading without my glasses and missed that bit. If dropping traffic, you want to not log it.

    The out interface being blank also means the proxy is being used.

    Are you using linked NAT rules? You can delete that blank NAT rule.

    ian

  • Reading without my glasses? I haven't been able to do this for a very loooong time :)

    For the moment I keep logging active for most rules just to see what is being done on the firewall. Once I see I can trust the inner workings of the firewall, I may reconsider.

    If the firewall passes the data to the proxy, I would consider that a bug. Which part of "drop all packets" did the FW not understand?

    Not knowing what a "linked NAT" is, I cannot really answer your question. The configuration on the FW was created by migrating the settings from my Cyberoam device, and I am still trying to find out about the Sophos Firewall XG parameters.

    Thanks for your response

    Volker


  • Which firmware do you use?

  • The firmware is Sophos Firewall XG Home SFVH (SFOS 18.5.1 MR-1-Build326) running on a Protectli FW4B

    With best regards

    Volker

  • Thought this behavior was fixed with NC-64820, but it looks like it only covers inbound traffic. See: https://docs.sophos.com/releasenotes/index.html?productGroupID=nsg&productID=xg&versionID=18.0

    Awarrenhttp proxy blocks inbound connections on port 443.

    What this generally speaking means: if you configure a block rule on SFOS, you see the yellow indication of Proxy. This means the traffic for HTTP/S is dropped by the proxy instead of the firewall. The proxy drops it statelessly and gives a block page to the user.

    This was the case for inbound traffic, therefore it was fixed for inbound. But outbound seems to still be the case. I assume because of user interaction (blocking is more radical than denying the traffic in the proxy, because of the user interaction in the browser).

    Check the web proxy log. 

  • Thank you! This does explain the symptoms I've been seeing, and I just confirmed that there are matching entries in the wegfeiltet (I wonder what autocorrect was thinking here, this should have been "webfilter") log. Anyhow, I still think the status "ALLOWED" in the firewall log is misleading or even an error. :)

    With best regards from Germany

    Volker

  • Hello Volker,

    Adding to what has been mentioned in this post, if you do a conntrack on the console of the XG for this connection, what does conntrack show?

    What firmware version are you using?

    Regards,


    Emmanuel (EmmoSophos)
    Community Support Engineer | Sophos Technical Support
    If a post solves your question use the 'Verify Answer' link.
  • Good morning Emmanuel,

    I did conntrack -L -s 192.168.1.247 -d

    and got


    SFVH_SO01_SFOS 18.5.1 MR-1-Build326# conntrack -L -s 192.168.1.247 -d 47.112.127.239
    proto=tcp proto-no=6 timeout=5 state=CLOSE_WAIT orig-src=192.168.1.247 orig-dst=47.112.127.239 orig-sport=35103 orig-dport=443 packets=4 bytes=216 reply-src=192.168.1.1 reply-dst=192.168.1.247 reply-sport=3128 reply-dport=35103 packets=3 bytes=132 [ASSURED] mark=0x8001 use=3 id=4304640 masterid=0 devin=Port1 devout= nseid=0 ips=0 sslvpnid=0 webfltid=2 appfltid=0 icapid=0 policytype=1 fwid=62 natid=2 fw_action=0 bwid=0 appid=0 appcatid=0 hbappid=0 hbappcatid=0 dpioffload=0 sigoffload=0 inzone=1 outzone=2 devinindex=5 devoutindex=0 hb_src=0 hb_dst=0 flags0=0x80020000208008 flags1=0x40040000048 flagvalues=3,15,21,41,55,67,70,94,106 catid=84 user=0 luserid=0 usergp=0 hotspotuserid=0 hotspotid=0 dst_mac=00:e0:67:2a:88:d8 src_mac=00:62:6e:58:85:94 startstamp=1634092152 microflow[0]=INVALID microflow[1]=INVALID hostrev[0]=0 hostrev[1]=0 ipspid=0 diffserv=0 loindex=6 tlsruleid=0 ips_nfqueue=0 sess_verdict=0 gwoff=0 cluster_node=0 current_state[0]=121 current_state[1]=121 vlan_id=0 inmark=0x0 brinindex=0 sessionid=484 sessionidrev=47623 session_update_rev=0 dnat_done=0 upclass=0:0 dnclass=0:0 pbrid_dir0=0 pbrid_dir1=0 conn_fp_id=NOT_OFFLOADED


    The firmware is SFVH (SFOS 18.5.1 MR-1-Build326)

    With best regards

    Volker



    error correction
    [edited by: Volker Bandke at 2:52 AM (GMT -7) on 13 Oct 2021]
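Putting the conntrack output Volker posted together with the proxy interception explained in the replies, here is an added Python example (not from the thread or from Sophos) that parses a `conntrack -L` line and flags a flow the firewall handed to its transparent web proxy instead of forwarding it, which is why the firewall log shows the DROP rule as allowed with an empty out interface. It assumes 192.168.1.1 (the reply-src in the posted output) is the firewall's LAN address and 3128 is the proxy port; the NTP contrast line is constructed.

```python
# Conntrack line from the thread (SFOS 18.5.1, the rule #62 flow), trimmed to the
# fields used here and with the 80-column wrap artifacts removed.
PROXIED_LINE = (
    "proto=tcp proto-no=6 state=CLOSE_WAIT orig-src=192.168.1.247 orig-dst=47.112.127.239 "
    "orig-sport=35103 orig-dport=443 packets=4 bytes=216 reply-src=192.168.1.1 "
    "reply-dst=192.168.1.247 reply-sport=3128 reply-dport=35103 packets=3 bytes=132 "
    "[ASSURED] devin=Port1 devout= webfltid=2 fwid=62 fw_action=0 inzone=1 outzone=2"
)
# Constructed contrast: the camera's NTP flow through rule #61 (addresses made up).
# No proxy is involved, so the reply comes from the real server and devout is set.
DIRECT_LINE = (
    "proto=udp proto-no=17 orig-src=192.168.1.247 orig-dst=203.0.113.10 orig-sport=123 "
    "orig-dport=123 packets=1 bytes=76 reply-src=203.0.113.10 reply-dst=192.168.1.247 "
    "reply-sport=123 reply-dport=123 packets=1 bytes=76 [ASSURED] devin=Port1 "
    "devout=Port2 webfltid=0 fwid=61 fw_action=0 inzone=1 outzone=2"
)
WEB_PROXY_PORTS = {3128}  # assumption: port the SFOS transparent web proxy answers on


def parse_conntrack(line):
    """Parse one `conntrack -L` line into a dict. packets=/bytes= occur once per
    direction and become orig_*/reply_*; [ASSURED]-style tokens go to 'flags'."""
    entry, seen = {"flags": []}, set()
    for token in line.split():
        if token[:1] == "[" and token[-1:] == "]":
            entry["flags"].append(token[1:-1])
        elif "=" in token:
            key, value = token.split("=", 1)
            if key in ("packets", "bytes"):
                key = ("reply_" if key in seen else "orig_") + key
                seen.add(key[key.index("_") + 1:])
            entry[key] = value
    return entry


def classify_flow(entry, gateway_ip):
    """Tell a flow handed to the web proxy apart from one forwarded to the WAN.

    Interception leaves three traces in the thread's output: the reply comes from
    the firewall's own LAN address instead of orig-dst, on the proxy port, and
    devout is empty because nothing left towards the WAN. The firewall log then
    reports the rule as allowed; the block verdict is in the web filter log."""
    proxied = (entry.get("reply-src") == gateway_ip != entry.get("orig-dst")
               and int(entry.get("reply-sport", 0)) in WEB_PROXY_PORTS
               and entry.get("devout", "") == "")
    return {"rule_id": int(entry["fwid"]), "proxied": proxied,
            "destination": entry["orig-dst"] + ":" + entry["orig-dport"],
            "verdict_log": "webfilter" if proxied else "firewall"}
```

For the posted flow the result points at the web filter log, which is where Volker found the matching block entries; a forwarded flow such as the NTP sample is reported against the firewall log.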