Hello
I have searched and can see others have this issue, however none of the solutions have worked for me so far.
I have followed the steps at https://docs.sophos.com/nsg/sophos-firewall/19.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/RulesAndPolicies/NATRules/RulesPoliciesCreateDNATAndFirewallRulesForInternalServers/index.html#specify-the-nat-rule-settings to create the following policies, with the intention of allowing WAN -> LAN traffic on the specified ports:
NAT Rule:
Sophos Public Address is an IP 192.168.0.90
Valheim Server is an IP 172.16.50.110
Firewall Rule:
The service 'Valheim' is defined as:
The packet captures I have been getting are as follows:
(apologies for drop-packet as an image and not plain text)
Any help would be greatly appreciated
Firewall Rule has to be Sophos_Public IP and your Server as Zone in Destination Section.
And the NAT Rule is not applied. The Service is off: You need to change the Source Port to 1:65500 to include the high ports.
Hi - thanks for your response!
I have made the following adjustments:
Service is now TCP&UDP 1:65500 / 2456:2458
I'm not sure I understood your directions on the firewall rule correctly, but I have done the following:
Destination Zone is now WAN, and Destination Network is Sophos Public Address.
I have run some further packet captures and am still seeing the Violation / Local_ACL result.
The Firewall Rule should be: DMZ Zone and Sophos Public Address.
Hi again
I've tried each of the following configurations on the firewall rule, all to no success - I still see Violation / Local_ACL on the packet capture.
Destination Address
(Game_Server_Zone is a LAN zone, I created Game_Server_DMZ as a DMZ zone just for testing purposes)
Is there something somewhere else I may have gotten wrong that I should check?
Hi Lucar - thanks for your help
Between your feedback (which I have implemented) and comparisons with the native DNAT wizard for creating rules, I've isolated a possible cause. There is another NAT rule, as shown below:
In the ordering shown above, the packets are rejected due to ACL violation. When I order my NAT rule on top, the packets are accepted - given that the default rule is for outbound traffic on PortB (my WAN port) this doesn't strike me as intended behavior, could it be a bug?
In any instance, my issue should be resolved now, thanks again.
EDIT: Tested this with the wizard-generated rules - in default order the packets are forwarded, if I place the default SNAT IPv4 rule on top the packets are dropped.
Hello Hugh,
It's not a bug but intended behavior.
Once your traffic matches any NAT rule, it won't traverse below.
The same applies to Firewall rules as well.
Regards,
Sanket Shah
Senior Development Manager, Sophos Firewall
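The first-match behaviour described in the reply above, as an added example (not part of the thread and not Sophos code): a simplified Python model of an ordered NAT table using the two addresses from the original post. The rule fields, the wildcard match criteria of the default SNAT rule and the Local_ACL check are assumptions, since the rule screenshots are not on the page.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

FIREWALL_WAN_IP = "192.168.0.90"   # "Sophos Public Address" from the thread
GAME_SERVER_IP = "172.16.50.110"   # "Valheim Server" from the thread

@dataclass(frozen=True)
class NatRule:
    name: str
    dst_net: str                  # original destination to match
    dst_ports: range              # original destination ports to match
    translate_dst: Optional[str]  # DNAT target, or None for an SNAT-only rule

    def matches(self, dst: str, port: int) -> bool:
        return ip_address(dst) in ip_network(self.dst_net) and port in self.dst_ports

# Assumption: the default SNAT rule matches any destination and any service.
DEFAULT_SNAT = NatRule("Default SNAT IPv4", "0.0.0.0/0", range(0, 65536), None)
# The DNAT rule from the thread: game ports 2456:2458 on the public address.
VALHEIM_DNAT = NatRule("Valheim DNAT", FIREWALL_WAN_IP + "/32",
                       range(2456, 2459), GAME_SERVER_IP)

def evaluate(rules, dst, port):
    """Return (matched rule name, final destination, verdict) for one inbound packet."""
    # First match wins: rules below the matching one are never consulted.
    hit = next((r for r in rules if r.matches(dst, port)), None)
    final_dst = hit.translate_dst if hit and hit.translate_dst else dst
    # Assumption: untranslated traffic still addressed to the firewall itself is
    # treated as local traffic; the game ports are not a local service, so it drops.
    verdict = "Local_ACL violation" if final_dst == FIREWALL_WAN_IP else "forwarded"
    return (hit.name if hit else None, final_dst, verdict)

if __name__ == "__main__":
    # Same inbound packet, evaluated against both rule orderings.
    for order in ([DEFAULT_SNAT, VALHEIM_DNAT], [VALHEIM_DNAT, DEFAULT_SNAT]):
        print([r.name for r in order], "->", evaluate(order, FIREWALL_WAN_IP, 2456))
```

With the broad rule on top the DNAT rule is shadowed and never translates the destination, which is why the ordering alone changes the packet-capture result.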
Hello Sanket
Thanks for the explanation - I hadn't expected the traffic to match with the default rule.