Log and Drop (IPv6) firewall rule "Allowing" and "Denying"... huh?

I have a firewall rule (rule 20) which is a "log and drop" rule at the bottom of the IPv6 rules. But I'm seeing something very weird: some of the time it says "Denied" and some of the time it says "Allowed". There are no exceptions in the rule. Not only does the rule Allow or Deny differently, but the SAME MAC address can be back-to-back Allowed then Denied.

The only difference I've noticed is that when it is Allowed, the MAC address characters are all capitalized and the dest port is 443, and when it Denies they are all lower case and the dest port is 53. So: 1) it's weird that there would be two different presentations of the same MAC address, and 2) the rule is to log and drop, so what does it possibly mean to "Allow" or "Deny"? Nothing should get through.

Log example:

Ordering of the rule in the IPv6 Rules section:

Rule itself:



This thread was automatically locked due to age.
  • Hi, this is a known behaviour and answered in this thread.

    Reference ID is: NC-64820

    Karlos
    Community Support Engineer | Sophos Technical Support

  • OK, so if I were smart enough I could use conntrack to see that the HTTP(S) packet was flagged to be dropped but was also (because it's HTTP(S)) forwarded to the Web Proxy "Allowed". A bit tricky to straighten out in the GUI.

    I think of myself as not using the Web Proxy because I use DPI (and a Drop rule doesn't even give me those options), but now that you mention it I do see in System Services that the Web Proxy is running and I guess it could be the Web Proxy that's actually doing the dropping of restricted Web Categories URLs as well.
