The infamous fwrule="60001"

Question

Just performed a new installation of UTM 9. created network and service definition however access to this resource is being blocked. The firewall is logging the following. 
 2018:08:31-00:15:27 firewall ulogd[1111]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcmac=&ldquo;00:00:00:00:00&rdquo; dstmac="00:0e:c0:00:00:00&rdquo; srcip=&ldquo;some wan IP&ldquo; dstip=&ldquo;network service host&rdquo; proto="6" length="60" tos="0x00" prec="0x20" ttl="57" srcport="47439" dstport=&ldquo;4444&rdquo; tcpflags="SYN" Are there any specific rules that I need to create to all incoming traffic? I've looked through a few articles on the error but could not get it to work.

BAlfson · Answer

Hi Paul and welcome to the UTM Community! 
 Instead of looking elsewhere to get good advice, start in this community. If there's a better explanation of something elsewhere, you will find links here. In this case, not only is Richards' piece painfully long, it's wrong. 
 In the DNAT definition itself, you can use the green + icon to define any new item needed - no need to traipse all around WebAdmin. 
 See #5 in Rulz to understand that Richards himself was new to UTM when he created that piece. 
 Finally - the error causing your packets to be tossed overboard by the firewall... Your RDP definition is incorrect - the Source Port should be 1:65535, not 5000. The packet in your firewall log line didn't qualify because its source port was 47439. The standard RDP definition should have been used in a NAT rule like: 
 Internet -> {1:65535->1243} -> External (Address) : to {network service host} using RDP 
 In any case, I think the advice to use remote access is spot on. If you will have more than one person at a time using RDP remotely, I would use the SSL VPN. If it will never be more than one, the HTML5 method might be more to your liking. 
 Cheers - Bob

The infamous fwrule="60001"

How to do Port Forward Translation for RDP in a Sophos UTM 9