WAF - VServer config problem

RE: WAF - VServer config problem

Shadow82 — Tue, 12 Nov 2024 18:32:56 GMT

Problem solved. I've had "legacy" DNAT rule that has been hit when traffic was from Internet. User Lucar Toni has driven me into packet capture which showed me that hit was taking place.

I totally forgot about it.

After removing the rule, everything is working fine.

Thanks for support!

P.s.

If I should mark this thread some more than "this is the answer", tell me. I'll do it

RE: WAF - VServer config problem

Shadow82 — Tue, 12 Nov 2024 15:47:28 GMT

I think I found it! Thanks for hint with WebGUI Packet capture, cause it gives you info which rules are in use.

This put me back on track. I must say - I'm dumb, cause about 3 weeks before I tried to enable NextCloud AiO which had port 11000 as default listen port for it service.

I forgot that I mangled initially - trying to do DNAT, which I failed and left the topic for some time.

Recently I got back to it with more correct approach - WAF + Web server, but I haven't clean up the old DNAT rules.

After deleting NAT rule # 3 everything works fine!!! :)

Thanks - I learned something about Sophos FW TShoot - with drppkt & webgui tcpdump :)

RE: WAF - VServer config problem

Shadow82 — Tue, 12 Nov 2024 15:18:34 GMT

I will. I can add for the moment, that this is quite fresh install with just few FW rules accepting Chrome Remote Desktop, FTP, SMB for the server we speak about.

No any fancy stuff there (yet) :)

RE: WAF - VServer config problem

LuCar Toni — Tue, 12 Nov 2024 15:10:59 GMT

If drppkt is not dropping / logging, this is an indicator, that something else is accepting this.

Double check: Ports used for SSLVPN, VPN Portal, User Portal in Webadmin.

RE: WAF - VServer config problem

Shadow82 — Tue, 12 Nov 2024 15:05:19 GMT

Thanks for hints.
Now I see that requests from LAN are ok. but requests from Internet are being dropped on FW and this is observed with tcpdump only. I don't see any rule hit, log entries and I need a bit more time with drppkt - but as for now I tried to grep with TCP or 443 and nothing is being returned when I request from Internet.

Only TCPDump TCP RST after the handshake is done

RE: WAF - VServer config problem

LuCar Toni — Tue, 12 Nov 2024 14:54:48 GMT

Community is very senstive setup due the attacks and phishing attemps. Try to avoid URLs in that form.

RE: WAF - VServer config problem

Shadow82 — Tue, 12 Nov 2024 14:22:18 GMT

thats my type'o. sorry for that.

real server use https://nextcloud.home:8081

I corrected it and my post has been marked as abusive. I appealed. Admins said - ok. and the post came back uncorrected.
So I corrected it again. The post was marked as abusive. I appealed. Admins said - ok. and the post came back uncorrected.

... :-)

RE: WAF - VServer config problem

LuCar Toni — Tue, 12 Nov 2024 10:51:21 GMT

Maybe you should filter with a Pipe.

drppkt | grep 443

RE: WAF - VServer config problem

LuCar Toni — Tue, 12 Nov 2024 10:33:25 GMT

Try the drop packet capture on the firewall console.

drppkt is the command.

And check the packet capture on the webadmin for the same, if you see consumed traffic.

RE: WAF - VServer config problem

LuCar Toni — Tue, 12 Nov 2024 10:25:21 GMT

You said, the real server is using HTTPS, so you should select HTTPS as the real server as well.

Do you have any kind of reverseproxy.log entries? This is the first step to check, if the WAF is actually used or something else blocked it.

RE: WAF - VServer config problem

Shadow82 — Tue, 12 Nov 2024 10:19:55 GMT

There are none logs when I try to connect from Internet. Only TCP RST from FW.

Fun fact - if I connect from my LAN to the url (LAN has DNS entry for https://drive.acme.com ==> 192.168.1.10). From LAN it works, so we might say the WAF rules config on FW is ok. but the traffic coming from Internet is being dropped and I don't know why

Request from LAN to https://drive.acme.com - ok.

SFVH_VM01_SFOS 20.0.2 MR-2-Build378# tcpdump host 192.168.1.69 and port 443 -nn
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
11:19:38.190468 PortB, IN: IP 192.168.1.69.26962 > 192.168.1.10.443: Flags [F.], seq 580342173, ack 3022210096, win 2053, length 0
11:19:38.190505 PortB, OUT: IP 192.168.1.10.443 > 192.168.1.69.26962: Flags [.], ack 1, win 411, length 0
11:19:38.190515 PortB, IN: IP 192.168.1.69.26962 > 192.168.1.10.443: Flags [R.], seq 1, ack 1, win 0, length 0
11:19:38.190519 PortB, IN: IP 192.168.1.69.26963 > 192.168.1.10.443: Flags [F.], seq 3367240768, ack 916219605, win 1022, length 0
11:19:38.190527 PortB, OUT: IP 192.168.1.10.443 > 192.168.1.69.26963: Flags [.], ack 1, win 434, length 0
11:19:38.190531 PortB, IN: IP 192.168.1.69.26963 > 192.168.1.10.443: Flags [R.], seq 1, ack 1, win 0, length 0
11:19:38.190696 PortB, IN: IP 192.168.1.69.26961 > 192.168.1.10.443: Flags [F.], seq 425507548, ack 4175423194, win 1026, length 0
11:19:38.190697 PortB, IN: IP 192.168.1.69.26992 > 192.168.1.10.443: Flags [S], seq 153100110, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
11:19:38.190707 PortB, OUT: IP 192.168.1.10.443 > 192.168.1.69.26961: Flags [.], ack 1, win 616, length 0
11:19:38.190712 PortB, IN: IP 192.168.1.69.26961 > 192.168.1.10.443: Flags [R.], seq 1, ack 1, win 0, length 0
11:19:38.190734 PortB, OUT: IP 192.168.1.10.443 > 192.168.1.69.26992: Flags [S.], seq 816268867, ack 153100111, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
11:19:38.190986 PortB, IN: IP 192.168.1.69.26993 > 192.168.1.10.443: Flags [S], seq 545524837, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
11:19:38.191004 PortB, OUT: IP 192.168.1.10.443 > 192.168.1.69.26993: Flags [S.], seq 979956694, ack 545524838, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
11:19:38.191580 PortB, IN: IP 192.168.1.69.26992 > 192.168.1.10.443: Flags [.], ack 1, win 1026, length 0
11:19:38.191836 PortB, IN: IP 192.168.1.69.26992 > 192.168.1.10.443: Flags [.], seq 1:1461, ack 1, win 1026, length 1460
11:19:38.191844 PortB, OUT: IP 192.168.1.10.443 > 192.168.1.69.26992: Flags [.], ack 1461, win 251, length 0
11:19:38.191851 PortB, IN: IP 192.168.1.69.26992 > 192.168.1.10.443: Flags [P.], seq 1461:1825, ack 1, win 1026, length 364
11:19:38.191853 PortB, OUT: IP 192.168.1.10.443 > 192.168.1.69.26992: Flags [.], ack 1825, win 274, length 0
11:19:38.192089 PortB, IN: IP 192.168.1.69.26993 > 192.168.1.10.443: Flags [.], ack 1, win 1026, length 0
11:19:38.192177 PortB, OUT: IP 192.168.1.10.443 > 192.168.1.69.26992: Flags [P.], seq 1:157, ack 1825, win 274, length 156
11:19:38.192356 PortB, IN: IP 192.168.1.69.26993 > 192.168.1.10.443: Flags [.], seq 1:1461, ack 1, win 1026, length 1460
11:19:38.192361 PortB, OUT: IP 192.168.1.10.443 > 192.168.1.69.26993: Flags [.], ack 1461, win 251, length 0
11:19:38.192369 PortB, IN: IP 192.168.1.69.26993 > 192.168.1.10.443: Flags [P.], seq 1461:1761, ack 1, win 1026, length 300
11:19:38.192370 PortB, OUT: IP 192.168.1.10.443 > 192.168.1.69.26993: Flags [.], ack 1761, win 274, length 0
11:19:38.192490 PortB, OUT: IP 192.168.1.10.443 > 192.168.1.69.26993: Flags [P.], seq 1:157, ack 1761, win 274, length 156
11:19:38.193137 PortB, IN: IP 192.168.1.69.26992 > 192.168.1.10.443: Flags [P.], seq 1825:1876, ack 157, win 1025, length 51
11:19:38.193142 PortB, IN: IP 192.168.1.69.26992 > 192.168.1.10.443: Flags [P.], seq 1876:2979, ack 157, win 1025, length 1103
11:19:38.193150 PortB, OUT: IP 192.168.1.10.443 > 192.168.1.69.26992: Flags [.], ack 2979, win 297, length 0
11:19:38.193400 PortB, IN: IP 192.168.1.69.26993 > 192.168.1.10.443: Flags [P.], seq 1761:1812, ack 157, win 1025, length 51
11:19:38.231266 PortB, OUT: IP 192.168.1.10.443 > 192.168.1.69.26992: Flags [.], seq 157:1617, ack 2979, win 297, length 1460
11:19:38.231279 PortB, OUT: IP 192.168.1.10.443 > 192.168.1.69.26992: Flags [.], seq 1617:3077, ack 2979, win 297, length 1460
11:19:38.231285 PortB, OUT: IP 192.168.1.10.443 > 192.168.1.69.26992: Flags [.], seq 3077:4537, ack 2979, win 297, length 1460
11:19:38.231290 PortB, OUT: IP 192.168.1.10.443 > 192.168.1.69.26992: Flags [.], seq 4537:5997, ack 2979, win 297, length 1460
11:19:38.231295 PortB, OUT: IP 192.168.1.10.443 > 192.168.1.69.26992: Flags [.], seq 5997:7457, ack 2979, win 297, length 1460
11:19:38.231300 PortB, OUT: IP 192.168.1.10.443 > 192.168.1.69.26992: Flags [P.], seq 7457:8378, ack 2979, win 297, length 921
11:19:38.231328 PortB, OUT: IP 192.168.1.10.443 > 192.168.1.69.26992: Flags [P.], seq 8378:8850, ack 2979, win 297, length 472
11:19:38.232527 PortB, IN: IP 192.168.1.69.26992 > 192.168.1.10.443: Flags [.], ack 8850, win 1026, length 0
11:19:38.239746 PortB, OUT: IP 192.168.1.10.443 > 192.168.1.69.26993: Flags [.], ack 1812, win 274, length 0
11:19:40.963822 PortB, IN: IP 192.168.1.69.26992 > 192.168.1.10.443: Flags [P.], seq 2979:3933, ack 8850, win 8195, length 954
11:19:40.984071 PortB, OUT: IP 192.168.1.10.443 > 192.168.1.69.26992: Flags [.], seq 8850:10310, ack 3933, win 320, length 1460
11:19:40.984095 PortB, OUT: IP 192.168.1.10.443 > 192.168.1.69.26992: Flags [.], seq 10310:11770, ack 3933, win 320, length 1460
11:19:40.984103 PortB, OUT: IP 192.168.1.10.443 > 192.168.1.69.26992: Flags [.], seq 11770:13230, ack 3933, win 320, length 1460
11:19:40.984108 PortB, OUT: IP 192.168.1.10.443 > 192.168.1.69.26992: Flags [.], seq 13230:14690, ack 3933, win 320, length 1460
11:19:40.984114 PortB, OUT: IP 192.168.1.10.443 > 192.168.1.69.26992: Flags [P.], seq 14690:15374, ack 3933, win 320, length 684
11:19:40.985355 PortB, IN: IP 192.168.1.69.26992 > 192.168.1.10.443: Flags [.], ack 15374, win 8195, length 0

Request from Internet to https://drive.acme.com - RST

11:17:33.994862 PortB, IN: IP 31.61.248.85.24739 > 192.168.1.10.443: Flags [S], seq 76282307, win 65535, options [mss 1220,nop,wscale 4,sackOK,TS val 534791239 ecr 0], length 0
11:17:33.996043 PortB, OUT: IP 192.168.1.10.443 > 31.61.248.85.24739: Flags [R.], seq 0, ack 76282308, win 0, length 0
11:17:34.034853 PortB, IN: IP 31.61.248.85.1213 > 192.168.1.10.443: Flags [S], seq 2687500049, win 65535, options [mss 1220,nop,wscale 4,sackOK,TS val 534791278 ecr 0], length 0
11:17:34.035632 PortB, OUT: IP 192.168.1.10.443 > 31.61.248.85.1213: Flags [R.], seq 0, ack 2687500050, win 0, length 0

Port forwarding looks good but FW drops if it sees request from pbulic IP (?)

RE: WAF - VServer config problem

FFin — Tue, 12 Nov 2024 09:19:59 GMT

When you can access your server internally via https://nextcloud.home:8081 you should go from Type "Plaintext (HHTP)" to HTTPS for Real Webserver Settings in Waf.
And add to your NextCloud config.php on Webserver:
'trusted_proxies'> ['internal IP of Sophos here'],