Rule change not applied unless restart.

I'm having to restart this system to get Firewall / NAT rules enforced when changes are applied. This seems to happen with quite a few people in the community. 

I've found sometimes disabling the firewall rule that feeds a NAT rule loads the additions but it doesn't always work and leads me to think my rules aren't correct when they are.

What is the best way to ensure SFOS 20 GA loads its rules upon changes? Any console commands? Restarting this system over and over is silly. 



Added TAGs
[edited by: Raphael Alganes at 1:31 AM (GMT -8) on 8 Mar 2024]
Parents
  • So most people have problems with the "expectations". Firewall and NAT rules will not modify current connections, which means, if you have an open connection, changing the firewall rule will not destroy the connection. 

    Do you have an open connection while changing it? 

    __________________________________________________________________________________________________________________

  • It's possible connections are established. I'm still testing the system so it's not in production. How do I force the changes made?

    2nd question... If SFOS 20 won't destroy a connection...how does one destroy a connection if it needs to be destroyed?

    echo "           __     __         __         __     __    _______               ";
    echo ".--------.|__|.--|  |.-----.|__|.-----.|  |--.|  |_ |     __|.--.--..-----.";
    echo "|        ||  ||  _  ||     ||  ||  _  ||     ||   _||__     ||  |  ||     |";
    echo "|__|__|__||__||_____||__|__||__||___  ||__|__||____||_______||_____||__|__|";
    echo "                                |_____|                                    ";

    ~~~ I miss Port 17. Remember using telnet to get the Quote of the Day? Maybe I'll set one up for all the port scanners.  ~~~ 

  • You can destroy them via current activity and the connection tab.

    Or you flush all connections by using the command: conntrack -F 

    __________________________________________________________________________________________________________________

  • conntrack -F works - Thanks !!  The nuclear option as all connections get flushed. Maybe Sophos will fix the system so on rule changes only connections based on the rule's flow get killed.

    "expectations" are when changes get made they get enforced. With modern networking expecting all connections to be closed isn't practical. Some connections can stay open forever...seems more sane to let the connection be reestablished as it happens almost instantly. 

    FYI: It seems you can only disconnect "live users" not Connections via the GUI.

    Any other commands or tips?

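The wish in the post above (kill only the connections a changed rule covers, rather than every entry with conntrack -F) can be done by hand from the same console. The following is an added example, not code from this thread, from Sophos, or from SFOS: it parses `conntrack -L` output and emits one `conntrack -D` per tracked flow whose original direction falls under the rule's source network, destination network, protocol and destination ports. The sample listing is constructed for the example, and it assumes the box's conntrack binary supports `-D` with the standard `-s`, `-d`, `-p`, `--sport` and `--dport` selectors (the thread only confirms `-F`).

```python
"""Selective conntrack flush: delete only the tracked flows a changed rule
covers, instead of `conntrack -F`, which drops every connection on the box."""
import ipaddress
import re
import subprocess
import sys

# Constructed sample of `conntrack -L` output (made up for this example,
# not captured from a real SFOS appliance; RFC 5737 documentation ranges).
SAMPLE_LISTING = """\
tcp      6 431999 ESTABLISHED src=10.0.1.20 dst=203.0.113.10 sport=51234 dport=443 src=203.0.113.10 dst=10.0.1.20 sport=443 dport=51234 [ASSURED] mark=0 use=1
tcp      6 299 ESTABLISHED src=10.0.1.21 dst=203.0.113.10 sport=51235 dport=22 src=203.0.113.10 dst=10.0.1.21 sport=22 dport=51235 [ASSURED] mark=0 use=1
udp      17 29 src=10.0.1.20 dst=198.51.100.53 sport=40000 dport=53 src=198.51.100.53 dst=10.0.1.20 sport=53 dport=40000 mark=0 use=1
tcp      6 431999 ESTABLISHED src=192.168.5.7 dst=203.0.113.10 sport=60000 dport=443 src=203.0.113.10 dst=192.168.5.7 sport=443 dport=60000 [ASSURED] mark=0 use=1
"""

_KV = re.compile(r"(\w+)=(\S+)")
_PROTOS = ("tcp", "udp", "icmp", "sctp", "gre")


def parse_conntrack_line(line):
    """Parse one `conntrack -L` line into its original-direction tuple.

    Only the first src/dst/sport/dport group is kept: that is the direction
    in which the connection was opened, which is what the firewall rule
    matched. Returns None for lines that are not flow entries.
    """
    parts = line.split()
    if not parts or parts[0] not in _PROTOS:
        return None
    fields = {}
    for key, value in _KV.findall(line):
        if key in ("src", "dst", "sport", "dport") and key not in fields:
            fields[key] = value  # first occurrence = original direction
    if "src" not in fields or "dst" not in fields:
        return None
    return {
        "proto": parts[0],
        "src": fields["src"],
        "dst": fields["dst"],
        "sport": int(fields.get("sport", 0)),
        "dport": int(fields.get("dport", 0)),
    }


def flow_matches_rule(flow, rule):
    """True if the flow's original direction falls under the rule.

    `rule` keys (all optional): src_net and dst_net as CIDR strings, proto,
    dports as an iterable of ints. An omitted key matches anything, like a
    rule field set to 'Any'.
    """
    if rule.get("proto") and flow["proto"] != rule["proto"]:
        return False
    if rule.get("src_net") and ipaddress.ip_address(flow["src"]) not in ipaddress.ip_network(rule["src_net"]):
        return False
    if rule.get("dst_net") and ipaddress.ip_address(flow["dst"]) not in ipaddress.ip_network(rule["dst_net"]):
        return False
    if rule.get("dports") and flow["dport"] not in set(rule["dports"]):
        return False
    return True


def delete_commands(listing, rule):
    """Build one `conntrack -D` argv per tracked flow the rule covers."""
    cmds = []
    for line in listing.splitlines():
        flow = parse_conntrack_line(line)
        if flow and flow_matches_rule(flow, rule):
            cmd = ["conntrack", "-D", "-p", flow["proto"], "-s", flow["src"], "-d", flow["dst"]]
            if flow["proto"] in ("tcp", "udp", "sctp"):
                cmd += ["--sport", str(flow["sport"]), "--dport", str(flow["dport"])]
            cmds.append(cmd)
    return cmds


if __name__ == "__main__":
    # Hypothetical rule under test: LAN 10.0.1.0/24 -> any, tcp/443.
    rule = {"src_net": "10.0.1.0/24", "proto": "tcp", "dports": [443]}
    # With --live, read the real table and actually delete; otherwise dry-run
    # against the constructed sample and only print what would be deleted.
    live = "--live" in sys.argv[1:]
    listing = subprocess.run(["conntrack", "-L"], capture_output=True,
                             text=True, check=True).stdout if live else SAMPLE_LISTING
    for cmd in delete_commands(listing, rule):
        print(" ".join(cmd))
        if live:
            subprocess.run(cmd, check=False)
```

Run without arguments it is a dry run over the constructed sample and prints a single `conntrack -D` line for the 10.0.1.20:51234 -> 203.0.113.10:443 flow; the ssh, DNS and 192.168.5.7 entries are left alone. The reply direction is matched implicitly, since deleting the original-direction tuple removes the whole conntrack entry.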

  • Actually, most products are not closing the connections based on a rule change. UTM did not do it, SFOS is not doing it. 

    Because that is the basics of stateful firewalls: to not close the connections. 

    You can close connections via CLI: https://support.sophos.com/support/s/article/KB-000044946?language=en_US

    Or on the webadmin: 

    __________________________________________________________________________________________________________________

  • You wrote "most products are not closing the connections based on a rule change" 

    Not sure what "most products" you're referring to. This is the first system I've had to ask. Products I've tested have a save, commit, run, execute or schedule.

    I appreciate all the help. The connection list "Manage" was off the screen so thanks for the pic. This caused me to double check. Now that I know what's happening it's usable.  :) 


  • Just to make sure: What products do that kind of termination of ALL affected rules based on the firewall rule? 
    So to speak: If you change a firewall rule in a product, does that mean, that ALL Connections, which were allowed, are being destroyed? 
    Because that is essentially the consequence here. 

    I have asked ChatGPT on that matter as well: 

    Stateful Firewalls:

    • Altering Rule: If you alter a rule in a stateful firewall, it might affect new connections that match the modified rule. However, established connections are usually not immediately affected.
    • Turning Off Rule: Disabling a rule might impact new connections immediately, but established connections are often allowed to continue until they naturally close.

    Immediate Enforcement:

    • Some firewalls might enforce rule changes immediately, affecting all traffic, including established connections. This is less common in stateful firewalls but can happen in certain configurations.

    So there are certainly products that do this, because they build their own processes for it, but it is not "common" to do this. 

    __________________________________________________________________________________________________________________


Children
  • Stateful Inspection firewalls have been around since the 90s so they aren't anything new. I've been using them since IBM wrote ISA for Microsoft / Internet Security Systems. To list what I've used: ISS, Cisco, pfSense, Astaro, Smoothwall, Arista, Palo Alto, Check Point. Never had to ask why a rule isn't being applied. Again thanks for the info. 


  • I should add that when I used Astaro it was for testing way back when like early 2000s. I understand Astaro is the roots of SFOS.


  • Totally unrelated.

    ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Meaning it's so far removed from Astaro? In any event LuCar Toni you have a great grasp on SFOS so again I thank you sir. 


  • Meaning it's so far removed from Astaro?

    Sophos UTM was a lot like Astaro. Once Sophos moved from UTM to SG it became quite a different product.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • Not always the case. From the pfSense manual on troubleshooting:

    New Rules Are Not Applied

    If a new rule does not appear to apply, there are a couple possible explanations.

    First, if the rule is a block rule and there is a state table entry, the open connection will not be cut off. See Check the Status Table.

    ...