Blackhole DNAT not working

Hello,

I want to be able to block a client's complete traffic to the internet on the UTM.

To avoid creating separate firewall and web protection rules, I found out that you can create a blackhole DNAT rule so that all traffic for these clients goes to nirvana. I tried the following:

1. Created new group "BAD_CLIENTS". There I can put the clients to block with their IP or DNS name, e.g. "192.168.1.222" or "CLIENT-122.DOMAIN.LOCAL".

2. Created new DNAT rule with automatically created firewall rule:

Position: 1

Type: DNAT

Source: Group "BAD_CLIENTS"

Service: Any

Destination: Internet IPv4

---

Change Destination: 1.2.3.4

 

The clients in the BAD_CLIENTS group are no longer able to ping any internet address, e.g. google.com. But they can still access the whole internet via browser??

Is my configuration wrong or am I thinking wrong?

 

What is the fastest, easiest and most effective way to block all internet traffic of clients?

  • I think your "bad client" uses the proxy and the blackhole DNAT rule doesn't match.

    try to add your BAD_CLIENTS group to the transparent-proxy exceptions.

    If you use Proxy in standard mode, build a Proxy profile for clients from "BAD_CLIENTS group" and deny all webpages.

    There is a document by Balfson which illustrates the packet flow through the SG. I will insert a link if I find it.

     


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • dirkkotte said:

    I think your "bad client" uses the proxy and the blackhole DNAT rule doesn't match.

    I thought DNAT comes before Web Filter...?

     

    dirkkotte said:

    try to add your BAD_CLIENTS group to the transparent-proxy exceptions.

    Great, seems to work, thank you.

     

    dirkkotte said:

    There is a document by Balfson which illustrates the packet flow through the SG. I will insert a link if I find it.

    Do you mean the two pictures at the end of the Rulz post? I already saw them but could not really interpret them for my problem.

     

    One more question:

    Now I have these two points:

    1. DNAT rule for BAD_CLIENTS so that all their traffic will be redirected to nirvana (except website access using web filter transparent proxy)

    2. Web filter transparent proxy exception for BAD_CLIENTS so that their website accesses are not going to the web filter.

    -> Now the only thing I have to do for blocking a client's whole internet traffic is to add the client to the BAD_CLIENTS group. Correct?

    --> I can add clients with their IP or DNS name. Is it possible to add their MAC address?

  • dirkkotte said:

    ...
    There is a document by Balfson which illustrates the packet flow through the SG. I will insert a link if I find it. 

    here you go #2 in https://community.sophos.com/products/unified-threat-management/f/general-discussion/22065/rulz

    Picture at the bottom 


    Best regards 

    -

  • Alexander Busch said:

    Thank you, I already posted the Rulz link above but thought DNAT is before Webfilter (proxy), so I was wondering why web surfing works for the client who is in the blackhole DNAT rule.

  • Hello Horsting,

    Welcome to the Community!

    (Sorry, my German-speaking brain isn't creating thoughts at the moment.)

    It sounds like your BAD_CLIENT is using the Proxy in Standard mode, so you will want to add "Internal (Address)" to the 'Going to' section of your DNAT.

    Also, 1.2.3.4 is reserved for Sophos APs to contact the UTM.  The Rulz post suggests using an IPv4 address in 240.0.0.0/4.

    Regards - Bob (Please continue in German.)

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hello Bob, happy to continue in German as well :)

     

    BAlfson said:
    Also, 1.2.3.4 is reserved for Sophos APs to contact the UTM.  The Rulz post suggests using an IPv4 address in 240.0.0.0/4.

    I had already seen the point about 1.2.3.4 and have already entered a different unreachable IP. But thanks for the info anyway.

     

    BAlfson said:
    It sounds like your BAD_CLIENT is using the Proxy in Standard mode, so you will want to add "Internal (Address)" to the 'Going to' section of your DNAT.

    Proxy = Web Protection -> Web Filter? If so: the web filter runs in transparent mode. As dirkkotte suggested, I added the BAD_CLIENTS group as a source under Web Protection -> Filtering Options -> Misc in the transparent mode skiplist. That seems to be sufficient. Or is there a better/more elegant/more secure way?

     

    Many thanks and best regards

  • Hello Horsting,

    If you're in Transparent, then the solution suggested by Dirk is the most elegant one.

    Regards - Bob (Please continue in German.)

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
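As an added example (not code from the thread or from Sophos), a small Python check that encodes the pitfalls raised above: a DNAT target of 1.2.3.4, blackholed hosts missing from the transparent-mode skiplist, and, for a standard-mode proxy, a DNAT whose "Going to" list lacks Internal (Address). The dict layout used for the rule and web filter settings is an assumption made for this check.

```python
import ipaddress

# Added example, not Sophos code. The dict layout is an assumption for this
# check; the facts it encodes come from the thread: 1.2.3.4 is used by Sophos
# APs to reach the UTM, the Rulz post suggests a 240.0.0.0/4 blackhole target,
# and a transparent web filter handles HTTP(S) before the blackhole DNAT matches.
AP_ADDRESS = ipaddress.ip_address("1.2.3.4")
BLACKHOLE_NET = ipaddress.ip_network("240.0.0.0/4")


def check_blackhole(cfg):
    """Return a list of findings (empty when the blackhole setup looks complete)."""
    findings = []
    dnat = cfg["dnat"]
    web = cfg["web_filter"]
    target = ipaddress.ip_address(dnat["change_destination"])
    if target == AP_ADDRESS:
        findings.append("DNAT target 1.2.3.4 is reserved for AP-to-UTM traffic")
    elif target not in BLACKHOLE_NET:
        findings.append(f"DNAT target {target} may be routable; use 240.0.0.0/4")
    if dnat["service"] != "Any":
        findings.append("DNAT service should be Any to cover all protocols")
    if web["mode"] == "transparent":
        # Hosts the transparent proxy still intercepts keep browsing despite the DNAT.
        for host in sorted(set(dnat["sources"]) - set(web["skiplist_sources"])):
            findings.append(f"{host} is blackholed but missing from the transparent-mode skiplist")
    elif web["mode"] == "standard" and "Internal (Address)" not in dnat["destinations"]:
        # Standard-mode clients send web requests to the UTM itself, so the DNAT
        # must match that destination too (Bob's advice in the thread).
        findings.append("standard-mode proxy: add Internal (Address) to the DNAT 'Going to' list")
    return findings


# Constructed configs: the thread's first attempt and the corrected version.
FIRST_ATTEMPT = {
    "dnat": {"sources": ["192.168.1.222", "CLIENT-122.DOMAIN.LOCAL"], "service": "Any",
             "destinations": ["Internet IPv4"], "change_destination": "1.2.3.4"},
    "web_filter": {"mode": "transparent", "skiplist_sources": []},
}
CORRECTED = {
    "dnat": {"sources": ["192.168.1.222", "CLIENT-122.DOMAIN.LOCAL"], "service": "Any",
             "destinations": ["Internet IPv4"], "change_destination": "240.0.0.1"},
    "web_filter": {"mode": "transparent",
                   "skiplist_sources": ["192.168.1.222", "CLIENT-122.DOMAIN.LOCAL"]},
}

if __name__ == "__main__":
    for name, cfg in (("first attempt", FIRST_ATTEMPT), ("corrected", CORRECTED)):
        print(name, check_blackhole(cfg) or ["ok"])
```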