
Traffic allowed although rule specifies "drop" - or is the log entry incorrect / misleading?

Hello from Germany,

I am trying to wrap my brain around the following situation:

  1. I have a rule that allows access to an NTP server to anybody (# 61, rule says ACCEPT, see below)
  2. I have IP cameras which should not be allowed to reach outside of the LAN (# 62, rule says DROP, see below)
  3. I have placed the IP-Camera rule below the TIMESERVICES rule
  4. I expect everything to be dropped now (except NTP, of course), but looking at the log for rule # 62 I see:

Rule #62 allows traffic on TCP 80 and TCP 443.

Now, the "out interface" shows up empty - of course this is not covered by rule # 62. What is really happening, or better, what is not happening (like traffic going to China)?

With best regards

Volker

IP Host entry for bspc0030:

IP Host group used in IP-Camera rule

IP-Camera rule

Rules in LAN-TO-WAN group



  • That's the expected behavior. You see the proxy is intercepting this traffic by the port redirect to 3128. This is to give the user a block page at the end of the connection instead of just blocking the traffic.

    From a user perspective, he will get a block page, not just a connection refused in the browser.

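The situation in the original post (first-match rule order: NTP allow above the camera drop) and Luca's explanation (an "ALLOWED" entry with an empty out-interface that was really a redirect to the web proxy on 3128) can both be modelled in a few lines. The following is an added example, not code from the thread or from Sophos: the rule evaluator, the key=value log layout, the field names (`out_if`, `redirect`), the camera addresses and the log lines are all constructed assumptions and do not reproduce the SFOS log format. Its point for a defender is the triage step: a web-port "ALLOWED" that only reached the transparent proxy is classified as an intercept, while a camera host that gets a real egress allow on a non-NTP port (here via a hypothetical mis-ordered rule 7) is reported as a violation.

```python
"""Added example: first-match rule evaluation plus log triage that separates a
transparent-proxy intercept (port 3128, no out-interface) from real egress.
All names, addresses and log lines are constructed; not the SFOS format."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ANY = None  # wildcard for a rule field


@dataclass
class Rule:
    rid: int
    action: str                       # "ACCEPT" or "DROP"
    src_hosts: Optional[frozenset]    # None = any source
    proto: Optional[str]              # None = any protocol
    dport: Optional[int]              # None = any destination port


# Hypothetical camera addresses (documentation range, not the poster's hosts).
CAMERA_HOSTS = frozenset({"192.0.2.30", "192.0.2.31"})

# Rule order as described in the thread: NTP allow (61) above the camera drop (62).
RULES = [
    Rule(61, "ACCEPT", ANY, "udp", 123),        # TIMESERVICES
    Rule(62, "DROP", CAMERA_HOSTS, ANY, ANY),   # IP-Camera group, everything else
]


def first_match(rules: List[Rule], src: str, proto: str, dport: int) -> Optional[Rule]:
    """Return the first rule whose fields all match; None if no rule matches."""
    for r in rules:
        if r.src_hosts is not None and src not in r.src_hosts:
            continue
        if r.proto is not None and r.proto != proto:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r
    return None


# Constructed log lines in an assumed key=value layout.  Line 2 and 3 mirror the
# symptom in the thread: rule 62, action ALLOWED, empty out-interface, redirect 3128.
SAMPLE_LOG = [
    "rule=61 action=ALLOWED src=192.0.2.30 dst=198.51.100.7 proto=udp dport=123 out_if=WAN redirect=",
    "rule=62 action=ALLOWED src=192.0.2.30 dst=203.0.113.5 proto=tcp dport=443 out_if= redirect=3128",
    "rule=62 action=ALLOWED src=192.0.2.31 dst=203.0.113.5 proto=tcp dport=80 out_if= redirect=3128",
    "rule=62 action=DROP src=192.0.2.31 dst=203.0.113.9 proto=tcp dport=8443 out_if= redirect=",
    # Hypothetical mis-ordered rule 7 letting a camera really reach the WAN on 443.
    "rule=7 action=ALLOWED src=192.0.2.31 dst=203.0.113.5 proto=tcp dport=443 out_if=WAN redirect=",
]

PROXY_PORT = "3128"  # transparent web proxy port named in Luca's reply


def parse_line(line: str) -> Dict[str, str]:
    """Split 'key=value key=value ...' into a dict; empty values stay ''."""
    return dict(tok.split("=", 1) for tok in line.split())


def classify(entry: Dict[str, str]) -> str:
    """dropped | proxy-intercepted | egress."""
    if entry["action"] == "DROP":
        return "dropped"
    # ALLOWED but no out-interface and a redirect to the proxy: the packet went
    # to the proxy for a block page, it did not leave the firewall.
    if entry.get("out_if", "") == "" and entry.get("redirect") == PROXY_PORT:
        return "proxy-intercepted"
    return "egress"


def triage(lines: List[str], camera_hosts=CAMERA_HOSTS) -> Tuple[Dict[str, int], List[Dict[str, str]]]:
    """Count verdicts and list camera hosts that got real egress on a non-NTP port."""
    summary = {"dropped": 0, "proxy-intercepted": 0, "egress": 0}
    violations = []
    for line in lines:
        e = parse_line(line)
        verdict = classify(e)
        summary[verdict] += 1
        if verdict == "egress" and e["src"] in camera_hosts and e["dport"] != "123":
            violations.append(e)
    return summary, violations


if __name__ == "__main__":
    print("camera ntp  ->", first_match(RULES, "192.0.2.30", "udp", 123).rid)
    print("camera https->", first_match(RULES, "192.0.2.30", "tcp", 443).rid)
    counts, bad = triage(SAMPLE_LOG)
    print(counts)
    for e in bad:
        print("real egress from camera:", e["src"], "->", e["dst"], e["dport"], "via rule", e["rule"])
```

Run as a script it prints the matched rule ids, the verdict counts, and the one constructed line where a camera actually reached the WAN; the two rule-62 "ALLOWED" lines are reported as proxy intercepts, which is the distinction the log message itself does not make.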

  • Yes, I understood that part. Of course, in this particular case the behavior is less than perfect. These are IP cameras, which are used in a surveillance system. The rules are set up in such a way that, except for port 123 for NTP requests, they may not reach out to the WAN. Of course, they try, using HTTPS to some website living in China. And the camera couldn't care less if it gets sent a "blocked" page.

    That's where my alarm bell starts ringing when I see "ALLOWED" in the firewall log. The message is at least misleading...

    With best regards

    Volker

    This message was written using a smartphone, which might explain the typos and the weird words inserted by autocorrect.


    Protectli FW4B, Sophos Firewall XG Home Edition SFVH (SFOS 18.5.1 MR-1-Build326)

  • Hello Volker,

    Thank you for the information. 

    As mentioned by Luca, this is currently expected, but I do agree that it is misleading.

    Searching internally I found a case similar to yours, they’re still currently looking into it, and seeing what changes would need to be done in the architecture of the SFOS to fix this.

    Regards,

    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
  • Good evening, Emmanuel,

    Thanks - knowing where the reefs and shallows are allows me to circumvent them. Not as good as no reefs at all, but a situation I can live with quite comfortably.

    With best regards

    Volker

    This message was written using a smartphone, which might explain the typos and the weird words inserted by autocorrect.


    Protectli FW4B, Sophos Firewall XG Home Edition SFVH (SFOS 18.5.1 MR-1-Build326)