Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Firewall Rule Doesn´t Work Сorrectly

Good afternoon I work at Virtual Box. I have three virtual machines. The first is the Sophos firewall, the second is the Windows 10 client. And on the third I have an Ubuntu server.

The task is to block traffic from the Windows 10 client to the Ubunu server, while creating a firewall policy.

I did everything right but it doesn’t work for me, the task is to block ping from Windows 10 to the Ubuntu server. All three virtual machines are located on a common network.

1. Here is my Sophos IP.

2. This is Windows 10 Cliente IP

3. And Ubuntu Server IP

4. And this is my Policy Firewall, so this policy needs to block all internet traffic and also LAN traffic.

5. Here you can see thas is activated.

6. If I go to www.google.com for example. This Policy is working exactly.

7. But If I try to do ping from Windows 10 client (LAN) to Ubuntu Server (LAN) it working, but shouldn't be work.

Please, help me! I'm glad for anu help!



This thread was automatically locked due to age.
Parents
  • Sorry, but it looks like you’re missing some basic network-knowledge.

    Your VMs can communicate because they’re within the same Network/Subnet. Within the same Subnet alle devices will communicate directly and do not route traffic through gateway.

    Due to this - traffic will never pass your Sophos Firewall / Gateway.
    Only Traffic to WAN will be sent there - that’s why blocking google works.

    You should create another network on another Port of your Sophos Firewall and connect one VM to that Network.
    Then traffic between those multiple internal networks can pass gateway/firewall.

  • Hello FFin. The fact is that I want to install an Ubuntu server in the DMZ, and do it in Sophos. And also the Windows 10 client must send traffic through this firewall, and the firewall must block this traffic that goes to the DMZ. The Ubunut server should be running in the DMZ and the traffic should be blocked.

    I tried to do this without the DMZ, but if you’re right, then there really won’t be any traffic flowing through.

    What configurations do I need to fix? Let's change the IP or ports.

  • Create another Interface on Sophos e.g. Port 3 with: 10.0.0.254/24 and connect one VM with that. Then give VM IP 10.0.0.10/24 with Gateway and DNS 10.0.0.254.

  • It's just like FFin says; when hosts are in the same subnet they respond to a broadcast package in the subnet and there's no firewall to prevent this from happening.

    Furthermore you should be more granular with your rules especially if you want to block. An any-any-any rule will just apply to any traffic passing the firewall. You will at least need to configure either source, destination or both other than any and possibly also define services.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • Ok, so I have IP for the Port3. 10.0.0.10/24 for which virtual machine should I installю

    So what IP I need to assign for the ubuntu server 

    And for the Windows 10 

  • Keep Windows 10 as it is and then connect Ubuntu to Port C and give IP 10.0.0.10/24 with DNS & Gateway 10.0.0.254 (Sophos)

  • This configuration is correct? Will there be connection failures, since Sofos has IP 172.16.16.16 and will the connection work?

  • Looking good.

    When you connect with PortC everything should be fine as Sophos has 10.0.0.254 in that network. So both are within same subnet.

    But you might need another firewall-rule from DMZ to WAN. And of course LAN to DMZ and DMZ to LAN to communicate between Windows 10 and Ubuntu.

Reply
  • Looking good.

    When you connect with PortC everything should be fine as Sophos has 10.0.0.254 in that network. So both are within same subnet.

    But you might need another firewall-rule from DMZ to WAN. And of course LAN to DMZ and DMZ to LAN to communicate between Windows 10 and Ubuntu.

Children