
Deny Access to Uplink Interface Network

Hello,

First, sorry for my English.

My SG UTM 230 actually has 3 interfaces.

ETH0 Internal Network: 172.16.30.0/24
ETH1 Internet with static IP
ETH2 Internet: 172.16.31.254/24 with Default Gateway 172.16.31.1/24

I created a masquerading rule:
Network: 172.16.30.0/24 -> Uplink Interfaces

I created this firewall rule:
Network: 172.16.30.0/24 -> WebSurfing -> Internet IPv4
ACTION: Allow

After this, clients in network 172.16.30.0/24 have access to any server in network 172.16.31.0/24.
I don't like this. I tried to deny access with a firewall rule on top:
Network: 172.16.30.0/24 -> any -> Network: 172.16.31.0/24
ACTION: DROP

But it doesn't work...
What is wrong with my configuration?

Thank you for your help.



  • 1. Possibly there are "hidden" rules created by some "automatic firewall rule" checkbox - select "all" in the view selector on top of the firewall rules

    2. ICMP may not be handled by the rule set if "Firewall / ICMP -> ICMP over Gateway" is set

    3. The Transparent Proxy may allow HTTP(S) access to this network - (create an exception for destination 172.16.31.0/24) - but don't check "auto FW rule"


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • 1. No hidden firewall rules.
    2. "ICMP over Gateway" is set. After turning it off I get no reply for ping, but HTTP/S traffic is still possible.
    3. Where can I find this?

    Thanks 

  • 3. Web Protection / Filtering Options / Misc / Transparent Mode Skiplist

    Otherwise, the Transparent Proxy (if enabled) catches the traffic, and you have no chance to block it with a firewall rule


    Dirk

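To make Dirk's point concrete, here is an added, constructed Python model of the packet path described in this thread (it is not Sophos code and not part of the original posts). It assumes the order the replies imply: "ICMP over Gateway" answers ping before the rule set, the transparent web proxy intercepts TCP 80/443 unless the destination is on the Transparent Mode Skiplist, and only then are firewall rules evaluated first-match. The class and function names, the sample client 172.16.30.5 and the sample server 172.16.31.10 are assumptions for the example.

```python
# Constructed model of the packet path the thread describes; not Sophos code.
# Assumed order: ICMP-over-gateway setting, transparent web proxy interception
# (subject to the Transparent Mode Skiplist), then first-match firewall rules.
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    src: str            # source network, CIDR
    dst: str            # destination network, CIDR
    dports: frozenset   # TCP/UDP destination ports; empty means "any" service
    action: str         # "allow" or "drop"


@dataclass
class UtmModel:
    rules: list
    transparent_proxy: bool = True
    proxy_ports: frozenset = frozenset({80, 443})   # ports the transparent proxy intercepts
    skiplist: list = field(default_factory=list)    # destination networks the proxy leaves alone
    icmp_over_gateway: bool = True

    def handle(self, src_ip, dst_ip, proto, dport=None):
        """Return (verdict, stage) for one packet from src_ip to dst_ip."""
        src = ipaddress.ip_address(src_ip)
        dst = ipaddress.ip_address(dst_ip)

        # Stage 1: "ICMP over Gateway" answers ping without consulting the rule set.
        if proto == "icmp" and self.icmp_over_gateway:
            return ("allow", "icmp-over-gateway")

        # Stage 2: the transparent proxy takes web traffic unless the destination is skiplisted,
        # so the firewall rules below are never consulted for it.
        if self.transparent_proxy and proto == "tcp" and dport in self.proxy_ports:
            skipped = any(dst in ipaddress.ip_network(n) for n in self.skiplist)
            if not skipped:
                return ("allow", "transparent-proxy")

        # Stage 3: firewall rules, first match wins; no match means the implicit default drop.
        for rule in self.rules:
            if (src in ipaddress.ip_network(rule.src)
                    and dst in ipaddress.ip_network(rule.dst)
                    and (not rule.dports or dport in rule.dports)):
                return (rule.action, "firewall-rule")
        return ("drop", "implicit-default")


# The rule set from the original post: DROP to 172.16.31.0/24 on top, then WebSurfing to anywhere.
RULES = [
    Rule("172.16.30.0/24", "172.16.31.0/24", frozenset(), "drop"),
    Rule("172.16.30.0/24", "0.0.0.0/0", frozenset({80, 443}), "allow"),
]


def original_config():
    """The poster's configuration: proxy intercepts everything, ICMP over Gateway on."""
    return UtmModel(rules=RULES)


def fixed_config():
    """Dirk's advice applied: skiplist the uplink network and turn off ICMP over Gateway."""
    return UtmModel(rules=RULES, skiplist=["172.16.31.0/24"], icmp_over_gateway=False)


if __name__ == "__main__":
    for name, utm in (("original", original_config()), ("fixed", fixed_config())):
        print(name)
        print("  https to 172.16.31.10:", utm.handle("172.16.30.5", "172.16.31.10", "tcp", 443))
        print("  ping  to 172.16.31.10:", utm.handle("172.16.30.5", "172.16.31.10", "icmp"))
        print("  https to 203.0.113.10:", utm.handle("172.16.30.5", "203.0.113.10", "tcp", 443))
```

Running it shows why the DROP rule on top never fired for HTTPS and ping in the original configuration (both are decided in stages before the rule set), while a non-web protocol such as UDP 53 to the same server was dropped by that rule all along. With the skiplist entry and "ICMP over Gateway" off, the same packets reach the firewall rules and are dropped, and web traffic to the Internet is still intercepted by the proxy as before.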

  • Hello and welcome to the UTM Community!

    To understand why Dirk gave you that advice, see #2 in Rulz (last updated 2021-02-16).

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA