
First time user looking to switch from another product due to it being sold and stripped

Sophos Firewall is NOT very intuitive so far. Nothing inbound works...but the default rules to let everything outbound do. So I figured I'd ask the community.

I've reverted to the simplest test I can think of: port forward ICMP from WAN to a LAN workstation.

First, I turned on ICMP on the WAN adapter to make sure it was listening from outside. It was, so I turned ICMP off.

Second, I made sure the firewall can reach the workstation using its LAN connection. It can.

Created the Rule,

WAN, Any,  to  LAN, workstation 172.16.16.17  with the predefined PING

Nothing. The system isn't logging it. Just nothing. Can't forward anything.

At this point I can't test the system because it doesn't even port forward. Lots of time wasted trying to figure out why this easy test is so hard. Thanks



  • 2nd issue. My internal server logs show the firewall's address instead of the connecting client's address. Can I fix this? Plenty of other firewalls use iptables but don't seem to have this issue. What am I missing?

    Since this is a WAN alias address, I've created these two rules for in and out over WAN 49.

    Firewall rule

    #1 Inbound W49
    WAN, Any host
    LAN, WAN 49
    PING, Dest TCP 11799
    #1 G33 < W49
    LAN, Green 192.168.2.33
    WAN, Any host
    Any service

    NAT Rules

    #1 W49 < G33
    Source: Any host
    Service: PING, Dest TCP 11799
    Destination: WAN 49
    Source: MASQ
    Service: Original
    Destination: Green 192.168.2.33
    Inbound: Any interface
    Outbound: Any interface
    Last used: 2023-12-13 19:33:07
    #1 G33 < W49
    Source: Green 192.168.2.33
    Service: Any service
    Destination: Any host
    Source: WAN 49
    Service: Original
    Destination: Original
    Inbound: Any interface
    Outbound: Any interface
    Last used: 2023-12-13 19:33:14
    echo "           __     __         __         __     __    _______               ";
    echo ".--------.|__|.--|  |.-----.|__|.-----.|  |--.|  |_ |     __|.--.--..-----.";
    echo "|        ||  ||  _  ||     ||  ||  _  ||     ||   _||__     ||  |  ||     |";
    echo "|__|__|__||__||_____||__|__||__||___  ||__|__||____||_______||_____||__|__|";
    echo "                                |_____|                                    ";

    ~~~ I miss Port 17. Remember using telnet to get the Quote of the Day? Maybe I'll set one up for all the port scanners.  ~~~ 

  • You have MASQ for the DNAT Rule. So the appliance will MASQ the DNAT Traffic. 

    #1 W49 < G33
    Source: Any host
    Service: PING, Dest TCP 11799
    Destination: WAN 49
    Source: MASQ
    Service: Original
    Destination: Green 192.168.2.33
    Inbound: Any interface
    Outbound: Any interface
    Last used: 2023-12-13 19:33:07

    __________________________________________________________________________________________________________________

  • Without MASQ, and setting it to Original, the system won't allow replies from the LAN target 192.168.2.33.

    What do you recommend? 

    Without MASQ a simple incoming ping gets lost on the reply.


  • Seems to be a routing issue of the device.
    So to speak: if you leave it Original, the server does not send the replies to SFOS.

    Check the packet capture of the firewall and see if you see replies by the server.


  • Logs show the firewall receives them on the return trip but does nothing with them when set to "original" 


  • Firewall Logs only show the initial packet. Check the packet capture for the traffic flow. 

    Link us a screenshot of the packet capture. 

  • The traffic flow is a bit hard to track. The connection IDs stop at the firewall. 

    I see no return to the Sender anywhere when Original is selected. I also don't see ICMP being returned from 192.168.2.33 


  • Likely because your server (192.168.2.33) answers to someone else.
    What you see here is the actual packet capture on the interface (tcpdump).

    If you say MASQ works but Original does not, this is 99% a routing problem on the client.

    The client receives your packet like you see here with the WAN IP and sends the reply to another destination (not the firewall). If you do MASQ on the firewall, the client will answer the firewall directly.

    You could do a Wireshark dump on the client to check it.

    I can guarantee you this is not an SFOS problem, but a general network / routing problem within your network.

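The capture check recommended above, as an added example that is not part of the thread or of SFOS: it pairs ICMP echo requests with replies per interface in tcpdump-style lines and reports at which hop a DNATed ping disappears. The capture lines and all addresses (203.0.113.10 as the external pinger, 198.51.100.49 standing in for the "WAN 49" alias, 192.168.2.1 for the firewall's LAN address, Port1/Port2 as interface names) are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed tcpdump-style captures (not real output). Without MASQ the LAN
# side shows the request with the original external source and no reply back.
SAMPLE_NO_MASQ = """\
Port2 10:00:00.000 IP 203.0.113.10 > 198.51.100.49: ICMP echo request, id 7, seq 1
Port1 10:00:00.001 IP 203.0.113.10 > 192.168.2.33: ICMP echo request, id 7, seq 1
"""
# With MASQ the request reaches the host from the firewall's LAN address and
# the reply is seen on both interfaces.
SAMPLE_MASQ = """\
Port2 10:00:00.000 IP 203.0.113.10 > 198.51.100.49: ICMP echo request, id 7, seq 1
Port1 10:00:00.001 IP 192.168.2.1 > 192.168.2.33: ICMP echo request, id 7, seq 1
Port1 10:00:00.002 IP 192.168.2.33 > 192.168.2.1: ICMP echo reply, id 7, seq 1
Port2 10:00:00.003 IP 198.51.100.49 > 203.0.113.10: ICMP echo reply, id 7, seq 1
"""

LINE_RE = re.compile(
    r"^(?P<iface>\S+)\s+\S+\s+IP\s+(?P<src>[\d.]+)\s+>\s+(?P<dst>[\d.]+):\s+"
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)

def parse(capture):
    """Yield one dict per recognised ICMP echo line; other lines are skipped."""
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def unanswered(capture):
    """Return (iface, src, dst) for requests with no matching reply on that interface.

    A reply matches when it is on the same interface, src/dst swapped, same id/seq.
    """
    flows = defaultdict(list)
    for pkt in parse(capture):
        flows[(pkt["iface"], pkt["id"], pkt["seq"])].append(pkt)
    missing = []
    for (iface, _, _), pkts in flows.items():
        for req in (p for p in pkts if p["kind"] == "request"):
            if not any(r["kind"] == "reply" and r["src"] == req["dst"]
                       and r["dst"] == req["src"] for r in pkts):
                missing.append((iface, req["src"], req["dst"]))
    return missing

def diagnose(capture, lan_iface):
    """Name the hop where the ping is lost: the LAN host or the firewall itself."""
    missing = unanswered(capture)
    if not missing:
        return "ok: every echo request was answered on both interfaces"
    if any(m[0] == lan_iface for m in missing):
        return "no reply from the LAN host: check its host firewall and route back"
    return "LAN host replied but the firewall did not translate the reply back"
```

Run it against a real capture by feeding `tcpdump -n -i <iface>` output, with the interface name prepended to each line, into `diagnose()`.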

  • Only a non-managed switch is between SFOS and the workstation. The gateway shown on the machine is the firewall. Simple network. That's why I'm perplexed on why the SFOS is giving me so much trouble with these simple tests. If the routing is incorrect, it's the SFOS.

    Any suggestions on what to possibly check? Seems like a lot of work for what other systems would consider a simple port forward. 


  • I should add that I like most of the other features SFOS offers and they have been working well and as expected. My current firewall sold out and is getting rid of a lot of stuff that makes it what it is. Soooo if I can just figure out this strange issue with aliases and port forwards I might move forward.


  • Do you have a firewall rule on the server to permit pings from outside? What product do you use on the server? Windows for example can deny pings from the outside. 


  • Server can't by default allow pings. 

    The test machine's firewall is off and accepting ICMP from all networks. Nothing else is running that would intercept packets. It's straight firewall to test machine and test machine to firewall.


  • Can you run a tcpdump on the product behind your firewall? I am still sure it is a problem in your network and not the firewall.

    What OS do you run there? Does it allow tcpdump or Wireshark?


  • You keep saying it's not SFOS, but if I change the NAT rules to use the standard #Port2 the ICMP packets get delivered as expected.

    The issue is sending to the alias #Port2:0. That's 100% SFOS. I must have something missing when creating the alias, or SFOS isn't, as you said, routing alias traffic properly without MASQ.
