The infamous fwrule="60001"

RE: The infamous fwrule="60001"

BAlfson — Mon, 03 Sep 2018 10:27:17 GMT

Hi Paul and welcome to the UTM Community!

Instead of looking elsewhere to get good advice, start in this community. If there's a better explanation of something elsewhere, you will find links here. In this case, not only is Richards' piece painfully long, it's wrong.

In the DNAT definition itself, you can use the green + icon to define any new item needed - no need to traipse all around WebAdmin.

See #5 in Rulz to understand that Richards himself was new to UTM when he created that piece.

Finally - the error causing your packets to be tossed overboard by the firewall... Your RDP definition is incorrect - the Source Port should be 1:65535, not 5000. The packet in your firewall log line didn't qualify because its source port was 47439. The standard RDP definition should have been used in a NAT rule like:

Internet -> {1:65535->1243} -> External (Address) : to {network service host} using RDP

In any case, I think the advice to use remote access is spot on. If you will have more than one person at a time using RDP remotely, I would use the SSL VPN. If it will never be more than one, the HTML5 method might be more to your liking.

Cheers - Bob

RE: The infamous fwrule="60001"

DouglasFoster — Fri, 31 Aug 2018 18:56:22 GMT

Read thus discussion snnd KB article.

community.sophos.com/.../latest-kbs-sophos-utm-how-to-avoid-rdp-brute-force-attacks

port substitution may.help, but tbere are absolutely a lot of bad guys doing password guessong attacks on RDP.

RE: The infamous fwrule="60001"

apijnappels — Fri, 31 Aug 2018 17:16:51 GMT

Are you sure you would like to have a RDP session open on the internet for everyone to (ab)use?

Also in step 3 it is recommended to set the interface to internal, while that will work, it might give you a lot of headache later on. It's best to leave the interface blank as default.

It is NOT RECOMMENDED to NAT to an RDP server from the internet, period! It's just not safe enough when you let everyone in the entire world connect to your RDP machine. Using a different port won't add much security (security through obscurity).

If you do need to RDP session then make the extra step and secure it behind a VPN or at the very least restrict the source IP's that are allowed to connect (but prefer the VPN).

RE: The infamous fwrule="60001"

Paul Dennis — Fri, 31 Aug 2018 07:50:14 GMT

Typo on the port number..

The steps I when through is outline here - https://fortwayneits.zendesk.com/hc/en-us/articles/235945188-How-to-do-Port-Forward-Translation-for-RDP-in-a-Sophos-UTM-9

Copied from the link. In a default installation should this work. My goal is have a RDP session incoming on port 1223 and connecting on the internal host on port 3389.

How to do Port Forward Translation for RDP in a Sophos UTM 9

Rees Richards

August 10, 2018 02:20

Step 1: Log into your SOPHOS UTM 9 appliance and go to "Definitions & Users"

Step 2: Click on "Network Definitions"

Step 3: Click "New Network Definition..." and create a "Host" for the computer you would like to Remote into by it's IP Address.

NOTE: Ensure that the "interface" is set to Internal

Step 4: Click on "Service Definitions" and add a "New Service Definition..."

Step 5: Here is where you specify the external Port for your connection

Step 6: Here is where you specify the internal Port of your connection (Port 3389 is the standard for Microsoft RDP)

NOTE: Your source Port needs to be the same as the Destination Port of Step 5

Step 7: Here is where you'll go to create the actual firewall rule. Go to "Network Protection" and click "NAT"

Step 8: Select "NAT"

Step 9: Click add "New NAT Rule..." at the top

Using service: This is the first service rule you created in "Step 5"

Change the destination to: This is the host you created in "Step 3"

And the service to: This is the second service rule you created in "Step 6"

Automatic firewall rule: This automatically creates a firewall rule to allow your RDP connection through

RE: The infamous fwrule="60001"

DKKDG — Fri, 31 Aug 2018 02:39:41 GMT

Hi Paul,

what is the goal you want to accomplish?

For sure you have to create firewall rules for any communication you want to allow.
All what is not defined ist blocked by default.

The log strip you put in here show a connection to port 4444.
This is the default webadmin port für any interface.
Try another port for your network service host. By the way did you created a DNAT rule.

Or try to check the Rulz No.3 by Bob

Best Regards
DKKDG