Traffic allowed although rule specifies "drop" - or log entry is incorrect / misleading ?

Hello from Germany,

I am trying to wrap my brain around the following situation:

  1. I have a rule that allows access to an NTP server to anybody  (# 61, rule says ACCEPT, see below)
  2. I have IP Cameras which should not be allowed to reach outside of the LAN (# 62, rule says DROP, see below)
  3. I have placed the IP-Camera rule below the TIMESERVICES rule
  4. I expect everything to be dropped now (except NTP of course), but looking at the log for rule # 62 I see

Rule #62 allows traffic on TCP 80 and TCP 443.

Now, the "out interface" shows up empty - of course this is not covered by rule # 62. What is really happening, or better, what is not happening (like traffic going to China)?

With best regards

Volker

IP Host entry for bspc0030:

IP Host group used in IP-Camera rule

IP-Camera rule

Rules in LAN-TO-WAN group



  • Hi,

    your camera rule is allowing all traffic out, you need to specify which services the camera is allowed to use.

    ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Hm, I think the camera rule says "drop" and "any service"

    With best regards

    Volker

    This message was written using a smartphone, that might explain the typos and the weird words inserted by autocorrect..


    Protectli FW4B, Sophos Firewall XG Home Edition SFVH (SFOS 18.5.1 MR-1-Build326)

  • Sorry, I was reading without my glasses and missed that bit. If dropping traffic you want to not log it.

    The out interface being blank also means using the proxy.

    Are you using linked NAT rules? You can delete that blank NAT rule.

    ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Reading without my glasses? I haven't been able to do this for a very loooong time.

    For the moment I keep logging active for most rules just to see what is being done on the firewall. Once I see I can trust the inner workings of the firewall, I may reconsider.

    If the Firewall passes the data to the proxy, I would consider that a bug. Which part of the "drop all packets" did the FW not understand?

    Not knowing what a "linked NAT" is, I cannot really answer your question. The configuration on the FW was created by migrating the settings from my Cyberoam device, and I am still trying to find out about the Sophos Firewall XG parameters.

    thanks for your response

    volker

    With best regards

    Volker

    This message was written using a smartphone, that might explain the typos and the weird words inserted by autocorrect..


    Protectli FW4B, Sophos Firewall XG Home Edition SFVH (SFOS 18.5.1 MR-1-Build326)
