This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

UTM9 Firewall Port 80 und 443 Standard erlaubt?

Hi Com,

mir ist in meiner UTM9 etwas aufgefallen.

Ich habe in der Firewall die Ports 80 und 443 von intern nach extern freigegeben.

Es spielt allerdings keine Rolle, ob ich diese Regel aktiv habe oder nicht.

Normalerweise sollte man auf keine Webseite mehr Zugriff haben, wenn Port 80 und 443 in der FW geblockt wird.

Was das komische ist, ich habe trotzdem Zugriff auf jede Internetseite, obwohl wie gesagt die zwei Ports geblockt werden laut FW Einstellungen.

Nur wenn ich DNS Anfragen blocke, habe ich kein Zugriff mehr auf das Internet. Was ja auch logisch ist, keine Namensauflösung keine Internetseite :)

Wenn ich DNS requests in der FW ausschalte, komme ich dennoch über die IP-Adresse auf die jeweilige Internetseite drauf, trotz http, https und DNS block.

Kann es sein, dass in der Firewall die Ports 80 und 443 standardmäßig schon freigegeben sind, und man diese mit der FW garnicht blocken kann?

Oder hat das einen anderen Hintergrund warum es nicht geblockt wird?

Danke im vorraus und viele Grüße

Sascha



This thread was automatically locked due to age.
Parents
  • Hallo Sascha,

    ich hatte letztens genau das selbe Problem. Allerdings ging es bei mir so weit, dass der Webfilter in dem Moment alle VLANs umgeht. Also blockt man den Traffic von einem ins andere VLAN kommt man per PORT 80 und 443 trotzdem noch übergreifend in the abgesperrten Bereiche, was eigentlich nicht sein darf. 

    Man muss dies dann umständlich im Webfilter blocken. Der Webfilter sitzt komplett außerhalb der Firewall und du kannst dort nix mehr wirklich blocken oder machen, was in meinen Augen eine ziemliche Lücke ist wenn man es nicht weiß und alles Weitere blockt. 

    Man kommt dann auch mal vom Kunden WLAN trotzdem noch auf alle Web-Dienste innerhalb des internen Netzes. 

    Gruß,
    René

  • Hallo René,

    (Sorry, my German-speaking brain still isn't creating thoughts at the moment. [:(])

    You might be interested in a document I maintain that I make available to members of the UTM Community, "Configure HTTP Proxy for a Network of Guests."  If you would like me to send you this document, PM me your email address.  Ich behaupte auch eine deutsche Version, die ursprünglich vom Mitglieder hallowach übersetzt wurde, als wir zusammen im Jahre 2013 eine große Revision machten.

    MfG - Bob (Bitte auf Deutsch weiterhin.)

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hey Bob,

    i've talked for that problem with my reseller and they made a ticket to Sophos and they told us what Sascha said. The Webfilter is out of the firewall. The the problem is my case is that i've 2 VLANs for WLAN. One is an internal Network and one is a Guest network. So in the Firewall i've blocked all the traffic from the Guest WLAN to the internal Network but could connect to all of the internal services. So the solution was the explicitly deny traffic from the network in the Webfilter. 

    But in my opinions it's a bug when you can access private parts of your network over VLANs or what do you think? The Webfilter should be before the Firewall and the firewall should block the traffic if it's said in the rule.

    And i think everyone understand it. =) 

  • I'm telling you that my consulting clients don't have that problem, René, and neither do people that have read the document I offered above.

    MfG - Bob (Bitte auf Deutsch weiterhin.)

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • As i said. We debugged that for some hours and asked Sophos. And the return from the Sophos Support was that the Webfilter don't use the Firewall so you have to deny it in the webfilter. Otherwise all VLANs can talk to each other over the Webfilter. On another customer i've used the Sophos APs and i think there i don't have the problem but i have to test that the next time. 

    But i will check that with your paper and check if you go another way. 

  • It may look strange that firewall rules don't apply to the webfiltering, but in fact it's rather logical since your devices are not talking to each other directly, but they are all talking to the webfilter. Every request for a webpage is forwarded to the webfilter and the webfilter is requesting access on behalf of the original client and passes any output back to the requesting client.

    In a proxy it is more logical to maintain blocklists rather than allow lists, that's why you should configure in the proxy that your guest network should not be served with output from your internal network(s).

    Anyway, to set it all up, you can PM Bob for the document.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

Reply
  • It may look strange that firewall rules don't apply to the webfiltering, but in fact it's rather logical since your devices are not talking to each other directly, but they are all talking to the webfilter. Every request for a webpage is forwarded to the webfilter and the webfilter is requesting access on behalf of the original client and passes any output back to the requesting client.

    In a proxy it is more logical to maintain blocklists rather than allow lists, that's why you should configure in the proxy that your guest network should not be served with output from your internal network(s).

    Anyway, to set it all up, you can PM Bob for the document.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

Children
No Data