User Portal via WAF - fwrule="60005" - WebAdmin blocking rule - Port 2048

Hi,

I have trouble accessing the User Portal via WAF.

Regardless of the definition of allowed networks, any access is blocked by this FW rule: "2 LOGDROP tcp -- !127.0.0.0/8 0.0.0.0/0 tcp spts:1:65535 dpt:2048 LOGMARK match 60005". It did not help to NAT the connection via an internal IP, nor to create a rule allowing the access. Why is a WebAdmin blocking rule built for the User Portal (according to the docs, 60005 is WebAdmin)?

Thanks

Henri

2020:12:16-20:23:17 utm-1 ulogd[7924]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="62001" outitf="lo" srcmac="00:00:00:00:00:00" srcip="10.0.201.88" dstip="10.0.201.88" proto="6" length="60" tos="0x00" prec="0x00" ttl="64" srcport="38230" dstport="2048" tcpflags="SYN"
2020:12:16-20:23:17 utm-1 ulogd[7924]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60005" outitf="lo" srcmac="00:00:00:00:00:00" srcip="10.0.201.88" dstip="10.0.205.89" proto="6" length="60" tos="0x00" prec="0x00" ttl="64" srcport="38230" dstport="2048" tcpflags="SYN"
2020:12:16-20:23:18 utm-1 ulogd[7924]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="62001" outitf="lo" srcmac="00:00:00:00:00:00" srcip="10.0.201.88" dstip="10.0.201.88" proto="6" length="60" tos="0x00" prec="0x00" ttl="64" srcport="38230" dstport="2048" tcpflags="SYN"
2020:12:16-20:23:18 utm-1 ulogd[7924]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60005" outitf="lo" srcmac="00:00:00:00:00:00" srcip="10.0.201.88" dstip="10.0.205.89" proto="6" length="60" tos="0x00" prec="0x00" ttl="64" srcport="38230" dstport="2048" tcpflags="SYN"
2020:12:16-20:23:18 utm-1 ulogd[7924]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="62001" outitf="lo" srcmac="00:00:00:00:00:00" srcip="10.0.201.88" dstip="10.0.201.88" proto="6" length="60" tos="0x00" prec="0x00" ttl="64" srcport="38232" dstport="2048" tcpflags="SYN"
2020:12:16-20:23:18 utm-1 ulogd[7924]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60005" outitf="lo" srcmac="00:00:00:00:00:00" srcip="10.0.201.88" dstip="10.0.205.89" proto="6" length="60" tos="0x00" prec="0x00" ttl="64" srcport="38232" dstport="2048" tcpflags="SYN"
2020:12:16-20:23:19 utm-1 ulogd[7924]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="62001" outitf="lo" srcmac="00:00:00:00:00:00" srcip="10.0.201.88" dstip="10.0.201.88" proto="6" length="60" tos="0x00" prec="0x00" ttl="64" srcport="38232" dstport="2048" tcpflags="SYN"
2020:12:16-20:23:19 utm-1 ulogd[7924]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60005" outitf="lo" srcmac="00:00:00:00:00:00" srcip="10.0.201.88" dstip="10.0.205.89" proto="6" length="60" tos="0x00" prec="0x00" ttl="64" srcport="38232" dstport="2048" tcpflags="SYN"
2020:12:16-20:23:19 utm-1 ulogd[7924]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="62001" outitf="lo" srcmac="00:00:00:00:00:00" srcip="10.0.201.88" dstip="10.0.201.88" proto="6" length="60" tos="0x00" prec="0x00" ttl="64" srcport="38230" dstport="2048" tcpflags="SYN"
2020:12:16-20:23:19 utm-1 ulogd[7924]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60005" outitf="lo" srcmac="00:00:00:00:00:00" srcip="10.0.201.88" dstip="10.0.205.89" proto="6" length="60" tos="0x00" prec="0x00" ttl="64" srcport="38230" dstport="2048" tcpflags="SYN"

Chain OUTPUT (policy DROP)
num target prot opt source destination
1 LOGDROP tcp -- !127.0.0.0/8 0.0.0.0/0 tcp spts:1024:65535 dpt:4444 LOGMARK match 60005
2 LOGDROP tcp -- !127.0.0.0/8 0.0.0.0/0 tcp spts:1:65535 dpt:2048 LOGMARK match 60005
3 LOGDROP tcp -- 0.0.0.0/0 127.0.0.1 tcp dpt:4472 owner UID match 100
4 GEOIP_OUT all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW,RELATED
5 LOCAL_RESTAPI tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:3002
6 LOCAL_RESTAPI tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:3498
7 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
8 ACCEPT all -- 0.0.0.0/0 !224.0.0.0/4 CONFIRMED match
9 CONFIRMED all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED
10 CONFIRMED all -- 0.0.0.0/0 0.0.0.0/0 -m condition --condition "OUTPUT_ACCEPT_ALL" owner UID match 0 owner GID match 0
11 CONFIRMED tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spts:1:65535 dpt:443 owner UID match 815 owner GID match 815
12 HA_OUT all -- 0.0.0.0/0 0.0.0.0/0
13 SANITY_CHECKS all -- 0.0.0.0/0 0.0.0.0/0
14 AUTO_OUTPUT all -- 0.0.0.0/0 0.0.0.0/0
15 USR_OUTPUT all -- 0.0.0.0/0 0.0.0.0/0
16 LOGDROP all -- 0.0.0.0/0 0.0.0.0/0 LOGMARK match 60003
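The posted packetfilter log lines and the top of the OUTPUT chain are enough to reproduce the drop decision offline. The script below is an added example for this thread, not code from Sophos or from the poster: it parses the ulogd key="value" lines, parses the two simple LOGDROP rules as printed by iptables, and walks the packet through them in chain order. The rule model is deliberately narrow (protocol, optionally negated source network, destination network, source-port range, destination port, LOGMARK); it is not a general iptables emulator, and the "same packet from 127.0.0.1" variant at the end is constructed, not taken from the post.

```python
"""Replay Sophos UTM packetfilter (ulogd) log lines against the first two
LOGDROP rules of the posted OUTPUT chain.

Added example for this thread; not Sophos code and not the poster's code.
LOG_LINES and RULE_LINES are copied from the post above. The rule model
covers only the match fields those two rules use (see RULE_RE)."""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Two consecutive lines copied from the post: the "Packet logged" line and the drop that follows it.
LOG_LINES = [
    '2020:12:16-20:23:17 utm-1 ulogd[7924]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="62001" outitf="lo" srcmac="00:00:00:00:00:00" srcip="10.0.201.88" dstip="10.0.201.88" proto="6" length="60" tos="0x00" prec="0x00" ttl="64" srcport="38230" dstport="2048" tcpflags="SYN"',
    '2020:12:16-20:23:17 utm-1 ulogd[7924]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60005" outitf="lo" srcmac="00:00:00:00:00:00" srcip="10.0.201.88" dstip="10.0.205.89" proto="6" length="60" tos="0x00" prec="0x00" ttl="64" srcport="38230" dstport="2048" tcpflags="SYN"',
]

# Rules 1 and 2 of "Chain OUTPUT" as posted (iptables -L -n --line-numbers layout).
RULE_LINES = [
    "1 LOGDROP tcp -- !127.0.0.0/8 0.0.0.0/0 tcp spts:1024:65535 dpt:4444 LOGMARK match 60005",
    "2 LOGDROP tcp -- !127.0.0.0/8 0.0.0.0/0 tcp spts:1:65535 dpt:2048 LOGMARK match 60005",
]

KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Only the rule shape seen above: num target tcp -- [!]src dst tcp spts:lo:hi dpt:N [LOGMARK match M]
RULE_RE = re.compile(
    r"^(?P<num>\d+)\s+(?P<target>\S+)\s+(?P<proto>\S+)\s+--\s+"
    r"(?P<neg>!?)(?P<src>\S+)\s+(?P<dst>\S+)\s+"
    r"tcp spts:(?P<lo>\d+):(?P<hi>\d+) dpt:(?P<dpt>\d+)"
    r"(?:\s+LOGMARK match (?P<mark>\d+))?$"
)


@dataclass(frozen=True)
class Rule:
    num: int
    target: str
    src_negated: bool
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    spt_lo: int
    spt_hi: int
    dpt: int
    logmark: Optional[int]


def parse_ulogd_line(line: str) -> dict:
    """Split the key="value" tail of a ulogd packetfilter line into a dict."""
    return dict(KV_RE.findall(line))


def parse_rule(line: str) -> Rule:
    """Parse one TCP rule of the simple shape printed at the top of the OUTPUT chain."""
    m = RULE_RE.match(line.strip())
    if m is None:
        raise ValueError(f"rule shape not supported by this model: {line!r}")
    return Rule(
        num=int(m["num"]),
        target=m["target"],
        src_negated=m["neg"] == "!",
        src=ipaddress.ip_network(m["src"]),
        dst=ipaddress.ip_network(m["dst"]),
        spt_lo=int(m["lo"]),
        spt_hi=int(m["hi"]),
        dpt=int(m["dpt"]),
        logmark=int(m["mark"]) if m["mark"] else None,
    )


def rule_matches(rule: Rule, pkt: dict) -> bool:
    """Evaluate only the fields this model knows: TCP, (negated) source, destination, spts, dpt."""
    if pkt.get("proto") != "6":  # the log carries the IP protocol number; tcp == 6
        return False
    src = ipaddress.ip_address(pkt["srcip"])
    # "!" inverts the source match, so "!127.0.0.0/8" fires for every non-loopback source,
    # which is why NATing to another internal address does not escape the rule.
    if (src in rule.src) == rule.src_negated:
        return False
    if ipaddress.ip_address(pkt["dstip"]) not in rule.dst:
        return False
    if not rule.spt_lo <= int(pkt["srcport"]) <= rule.spt_hi:
        return False
    return int(pkt["dstport"]) == rule.dpt


def first_matching_rule(rules, pkt: dict) -> Optional[Rule]:
    """iptables semantics: the first matching rule in the chain decides the verdict."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule
    return None


def summarize_drops(lines) -> Counter:
    """Count dropped packets per (fwrule, dstip, dstport); fwrule is the LOGMARK id to look up."""
    counts = Counter()
    for line in lines:
        pkt = parse_ulogd_line(line)
        if pkt.get("action") == "drop":
            counts[(pkt["fwrule"], pkt["dstip"], pkt["dstport"])] += 1
    return counts


if __name__ == "__main__":
    rules = [parse_rule(r) for r in RULE_LINES]
    for (fwrule, dstip, dstport), n in summarize_drops(LOG_LINES).items():
        print(f"fwrule={fwrule} -> {dstip}:{dstport} dropped {n}x")
    pkt = parse_ulogd_line(LOG_LINES[1])
    hit = first_matching_rule(rules, pkt)
    print(f"{pkt['srcip']}:{pkt['srcport']} -> {pkt['dstip']}:{pkt['dstport']} hits rule", hit.num if hit else None)
    # Constructed variant: the same connection sourced from loopback is not caught by either rule.
    print("from 127.0.0.1 hits rule", first_matching_rule(rules, dict(pkt, srcip="127.0.0.1")))
```

Run as-is, the script maps the logged fwrule 60005 to chain rule 2 for the 10.0.201.88 -> 10.0.205.89:2048 SYN, and shows that only a 127.0.0.0/8 source slips past it; to check further rules of the chain the regular expression would have to grow with each match extension they use.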

  • Hallo Henri,

    WAF isn't supposed to be used for the User Portal, so I'm not surprised that the developers hadn't worried about this anomaly.

    Cheers - Bob

    Chain AUTO_INPUT (1 references)
    pkts bytes target prot opt in out source destination
    1 294 CONFIRMED udp -- eth7 * 0.0.0.0/0 0.0.0.0/0 udp spts:1024:65535 multiport dports 415,8472
    2 3000 CONFIRMED tcp -- eth7 * 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:2712
    0 0 CONFIRMED tcp -- wlan0 * 0.0.0.0/0 0.0.0.0/0 tcp spts:1:65535 multiport dports 4501,4502
    0 0 CONFIRMED tcp -- * * 68.227.100.48 0.0.0.0/0 tcp spts:1:65535 dpt:22
    0 0 CONFIRMED tcp -- * * 0.0.0.0/0 0.0.0.0/0 match-set HPT9tmm1Ov8UVXxbB7+vTw src tcp spts:1:65535 dpt:22
    1 104 CONFIRMED tcp -- * * 0.0.0.0/0 0.0.0.0/0 match-set gzDwBdvZqvbZEirke06a8Q src tcp spts:1:65535 dpt:22
    0 0 CONFIRMED tcp -- * * 0.0.0.0/0 0.0.0.0/0 match-set 4_ERBKsidqnh src tcp spts:1:65535 dpt:22
    0 0 CONFIRMED tcp -- * * 0.0.0.0/0 0.0.0.0/0 match-set 4_DefaultSuperAdminNetwork src tcp spts:1:65535 dpt:22
    0 0 CONFIRMED tcp -- * * 0.0.0.0/0 0.0.0.0/0 match-set 4_DefaultSuperAdminGroupNetwork src tcp spts:1:65535 dpt:22
    0 0 LOGDROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:1:65535 dpt:22 LOGMARK match 60004
    0 0 CONFIRMED tcp -- * * 68.227.100.48 0.0.0.0/0 tcp spts:1024:65535 dpt:4444
    0 0 CONFIRMED tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:4444
    0 0 CONFIRMED tcp -- * * 0.0.0.0/0 0.0.0.0/0 match-set 4_iQzMdMENMK src tcp spts:1024:65535 dpt:4444
    0 0 CONFIRMED tcp -- * * 0.0.0.0/0 0.0.0.0/0 match-set 4_DefaultSuperAdminNetwork src tcp spts:1024:65535 dpt:4444
    0 0 CONFIRMED tcp -- * * 0.0.0.0/0 0.0.0.0/0 match-set 4_DefaultSuperAdminGroupNetwork src tcp spts:1024:65535 dpt:4444
    0 0 LOGDROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:4444 LOGMARK match 60005
    0 0 CONFIRMED tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:1:65535 dpt:3400
    0 0 CONFIRMED tcp -- * * 68.227.100.48 0.0.0.0/0 tcp spts:1:65535 dpt:2443
    0 0 CONFIRMED tcp -- * * 0.0.0.0/0 0.0.0.0/0 match-set Nj57vb2KLXrCDwZJN7bBnw src tcp spts:1:65535 dpt:2443
    0 0 CONFIRMED tcp -- * * 0.0.0.0/0 0.0.0.0/0 match-set 3FXy8ZfYJciyXZK36t3v2Q src tcp spts:1:65535 dpt:2443
    0 0 CONFIRMED tcp -- * * 0.0.0.0/0 0.0.0.0/0 match-set 4_ERBKsidqnh src tcp spts:1:65535 dpt:2443
    2 746 CONFIRMED udp -- eth1 * 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68
    0 0 CONFIRMED udp -- * * 0.0.0.0/0 0.0.0.0/0 multidev in-interfaces wlan4,eth7,wlan0 udp spts:67:68 dpt:67
    0 0 CONFIRMED tcp -- * * 172.30.0.20 0.0.0.0/0 tcp spts:53:65535 dpt:53
    0 0 CONFIRMED udp -- * * 172.30.0.20 0.0.0.0/0 udp spts:53:65535 dpt:53
    0 0 CONFIRMED tcp -- * * 0.0.0.0/0 0.0.0.0/0 match-set mCStOO97PCRr0cPS0fEAyw src tcp spts:53:65535 dpt:53
    23 1632 CONFIRMED udp -- * * 0.0.0.0/0 0.0.0.0/0 match-set mCStOO97PCRr0cPS0fEAyw src udp spts:53:65535 dpt:53
    0 0 CONFIRMED tcp -- * * 68.227.100.48 0.0.0.0/0 tcp spts:1:65535 dpt:8080
    0 0 CONFIRMED tcp -- * * 0.0.0.0/0 0.0.0.0/0 match-set NXOFXQf8uwGHz2GW2H559g src tcp spts:1:65535 dpt:8080
    0 0 CONFIRMED tcp -- * * 0.0.0.0/0 0.0.0.0/0 match-set mCStOO97PCRr0cPS0fEAyw src tcp spts:1:65535 dpt:8080
    0 0 CONFIRMED tcp -- * * 0.0.0.0/0 0.0.0.0/0 match-set 4_ERBKsidqnh src tcp spts:1:65535 dpt:8080
    5 676 CONFIRMED icmp -- * * 0.0.0.0/0 0.0.0.0/0
    0 0 CONFIRMED icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8 code 0
    0 0 CONFIRMED udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spts:1024:65535 multiport dports 33000:34000,44444:55555
    0 0 CONFIRMED esp -- * * 0.0.0.0/0 68.227.100.48 esp spis:256:4294967295
    0 0 CONFIRMED 4 -- * * 0.0.0.0/0 68.227.100.48 policy match dir in pol ipsec mode transport
    0 0 CONFIRMED 41 -- * * 0.0.0.0/0 68.227.100.48 policy match dir in pol ipsec mode transport
    2 74 CONFIRMED udp -- * * 0.0.0.0/0 68.227.100.48 udp spts:1:65535 multiport dports 500,4500
    0 0 CONFIRMED udp -- * * 0.0.0.0/0 68.227.100.48 udp spts:1024:65535 dpt:1701 policy match dir in pol ipsec mode transport
    0 0 CONFIRMED udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spts:1:65535 dpt:443
    0 0 CONFIRMED udp -- * * 68.227.100.48 0.0.0.0/0 udp spts:123:65535 dpt:123
    0 0 CONFIRMED udp -- * * 0.0.0.0/0 0.0.0.0/0 match-set NXOFXQf8uwGHz2GW2H559g src udp spts:123:65535 dpt:123
    0 0 CONFIRMED udp -- * * 0.0.0.0/0 0.0.0.0/0 match-set znrkliIyCoz58TfyYFdpeA src udp spts:123:65535 dpt:123
    0 0 CONFIRMED tcp -- * * 0.0.0.0/0 0.0.0.0/0 match-set zUzQIZBeu2l7LKW4Y0focg src tcp spts:1:65535 multiport dports 8110,8995 ctstate DNAT
    0 0 CONFIRMED tcp -- * * 0.0.0.0/0 0.0.0.0/0 match-set zUzQIZBeu2l7LKW4Y0focg src tcp spts:1:65535 dpt:2121
    0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:1:65535 dpt:113 reject-with icmp-port-unreachable
    0 0 CONFIRMED tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:1723
    0 0 CONFIRMED tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:1:65535 multiport dports 25,465,587
    0 0 CONFIRMED tcp -- * * 10.1.1.0/24 0.0.0.0/0 tcp spts:1:65535 dpt:1080
    4 688 CONFIRMED udp -- * * 10.1.1.0/24 0.0.0.0/0 udp spts:1:65535 dpts:1024:65535
    0 0 CONFIRMED udp -- * * 0.0.0.0/0 0.0.0.0/0 match-set zUzQIZBeu2l7LKW4Y0focg src udp spts:1024:65535 dpt:161
    0 0 CONFIRMED tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:1:65535 dpt:3840
    0 0 CONFIRMED tcp -- * * 10.1.1.0/24 0.0.0.0/0 tcp spts:1:65535 dpt:9980
    0 0 CONFIRMED tcp -- * * 10.242.5.0/24 0.0.0.0/0 tcp spts:1:65535 dpt:9980
    0 0 CONFIRMED tcp -- * * 10.242.4.0/24 0.0.0.0/0 tcp spts:1:65535 dpt:9980
    0 0 CONFIRMED tcp -- * * 10.242.3.0/24 0.0.0.0/0 tcp spts:1:65535 dpt:9980
    0 0 CONFIRMED tcp -- * * 10.242.1.0/24 0.0.0.0/0 tcp spts:1:65535 dpt:9980
    0 0 CONFIRMED tcp -- * * 10.242.2.0/24 0.0.0.0/0 tcp spts:1:65535 dpt:9980
    0 0 CONFIRMED tcp -- * * 0.0.0.0/0 68.227.100.48 tcp spts:1:65535 dpt:443
    0 0 CONFIRMED tcp -- * * 0.0.0.0/0 68.227.100.48 tcp spts:1:65535 dpt:80
    14 1601 CONFIRMED all -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x40000/0x40000

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    thanks. Any way to get it working?

    I have two ISPs here, one with 5 public IPs and one with just one (I cannot get more), so when the first line breaks, I have no backup.

    Usually our customers block all non-standard ports on their firewalls, so it's not possible to use any other port.

    Thanks

    Henri

  • I don't understand how WAF might help with an ISP failing.

    Cheers - Bob

  • Hi Bob,

    I have 10 domains, mapped to one IPv4 address and switched by DynDNS to the right ISP IPv4 address.

    More or less only port 443 is usable, because of the customers' firewall restrictions.

    The Reverse Proxy is the trick.

    Cheers - Henri 

  • Agreed, but what does that have to do with the User Portal?  Ahhh - I see now!

    I always switch the SSL VPN to 1443 and the User Portal to 2443.  Is that not possible for you?

    Cheers - Bob

  • Hi Bob,

    Thanks. One customer needs access to the HTML5 VPN Portal to reach one of our Terminal Servers. For some reason, his Win10 system is unable to connect to our Terminal Server Gateway (WAF); no problem with a freshly installed Win10. I have had no (large) customer in the last 10 years where I could connect to any non-80/443 port. The User Portal is protected by a 32-character password in conjunction with an OTP, so it should be safe enough.

    Thanks

    Henri

  • Hi Bob,

    I tried ports 44443, 1024 and 2048, same issue.

    Thanks

    Henri