Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 1 reply
  • Subscribers 6 subscribers
  • Views 654 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Firewall rules not apply anymore

lucacin

Hello,

I have  the followig issue with my Sophos UTM:

-3 zone declared with 3 VLAN's: LAN, SMART and VIDEO

-rules to deny traffic to each other but have access to internet

-IPS activated

-Objects created with IP and MAC addess

Until 1 week ago, all trafic between SMART->LAN was restricted, but now i see that all traffic that is comming from SMART  have access to any network, no matter i added a explicit rule to deny traffic from SMART to ANY or from SMART to explicit IP with any protocol or a single protocol.

I have the latest version updated on the box.

I made a new instalation on another box and i see that the traffic is restricted as it should be, but my old box still do not deny traffic. It seems that is passing firewall rule no matter what object i create.

I can see the traffic on TCPDUMP  and also with conntrack, but is not reading the rules with deny traffic.

I see some references in confd REF_PacPacAnyFromSMART2', but i do not have any object SMART2 or any object with 2.

The traffic from LAN on the deny rule is working as it should.

Anybody can help me understand if this is a bug or a hand of a hacker?



This thread was automatically locked due to age.
Parents
  • 0

    Bună lucacin and welcome to the UTM Community!

    Mot people here can help better with raw information like inserted pictures of a configuration and log lines.  If you prefer, obfuscate IPs like 92.XX.YY.129, 10.X.Y.100, 192.168.X.200 and 172.2X.Y.51.  That lets us see immediately which IPs are local and which are identical.

    Let's start by selecting 'Log traffic' in the 'Advanced' section of any firewall rule you think is allowing or should block this traffic.  If you see nothing in the firewall log related to this traffic, is was allowed before reaching the rule you suspect.  Refer to #2 and #2.1 in Rulz.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Reply
  • 0

    Bună lucacin and welcome to the UTM Community!

    Mot people here can help better with raw information like inserted pictures of a configuration and log lines.  If you prefer, obfuscate IPs like 92.XX.YY.129, 10.X.Y.100, 192.168.X.200 and 172.2X.Y.51.  That lets us see immediately which IPs are local and which are identical.

    Let's start by selecting 'Log traffic' in the 'Advanced' section of any firewall rule you think is allowing or should block this traffic.  If you see nothing in the firewall log related to this traffic, is was allowed before reaching the rule you suspect.  Refer to #2 and #2.1 in Rulz.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Children
No Data
Unfiltered HTML