This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Creating firewall rule to reject packets using a particular service (DNAT)

UTM 9.509

I have a NAT rule (for port forwarding) that I enable manually when I download torrents and disable when I am finished for extra security. However when I disable the NAT rule I receive a flood of logs for hours afterwards from peers attempting to connect to me. I suspect it's because the firewall is simply dropping the packets after the NAT rule is disabled and not replying back to the sender. This results in the senders attempting to resend the packets over and over again (for example when seeding a torrent  after it's download and then closing the torrent client, peers continue to try to download for hours even though they cannot connect).

 

Therefore I have created a firewall rule with the configuration ANY->Torrent Service->ANY->Reject

That rejects the packets and tells the peers that the firewall port is closed. But this has to be enabled manually as well. Is there a better method of doing this besides leaving NAT enabled and having the host firewall (Windows Defender firewall) reject the packets instead of the UTM?

 

And also have I done the firewall rule right by placing it at the top and with this rule would it be safe to leave the NAT rule enabled?



This thread was automatically locked due to age.
Parents
  •  I have created a firewall rule

    ANY->Torrent (service)->External network->Reject. And placed the rule at the bottom of the rule list.

     

    However all the packets using the torrent service are being dropped not rejected (Default DROP). What am I doing wrong? Do I need an intrusion detection exception for that service. It's not the intrusion prevention that's dropping the packets, but the firewall. 

  • Alone among the logs, the Firewall Live Log presents abbreviated information in a format easier to read quickly.  Usually, you can't troubleshoot without looking at the corresponding line from the full Firewall log file.  Please post one line corresponding to one of those bittorrent lines above.

    Your firewall rule should have worked.  Instead of "External (WAN) (Network)" with the "Desktop PC" Host, what happens if you just use the "(Address)" object?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Reply
  • Alone among the logs, the Firewall Live Log presents abbreviated information in a format easier to read quickly.  Usually, you can't troubleshoot without looking at the corresponding line from the full Firewall log file.  Please post one line corresponding to one of those bittorrent lines above.

    Your firewall rule should have worked.  Instead of "External (WAN) (Network)" with the "Desktop PC" Host, what happens if you just use the "(Address)" object?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Children
  • Thanks. The problem appears to have been fixed. I did not have "Log Traffic" selected in the firewall rule. I now have rejected traffic logs for traffic going to that port. However, when the DNAT rule is enabled it overrides the firewall rule and still forwards the packet to the "Desktop PC" anyways. DNAT has to be disabled. And even when the firewall rule to block is enabled, the firewall still forwards the traffic when DNAT is enabled. Why do NAT rules bypass firewall rules?

    2018:08:09-23:20:07 mysophosutm ulogd[5409]: id="2003" severity="info" sys="SecureNet" sub="packetfilter" name="Packet rejected" action="reject" fwrule="10" initf="eth0" mark="0x203c" app="60" srcmac="00:01:5c:8a:3c:46" dstmac="68:05:ca:58:20:28" srcip="141.136.116.234" dstip="XX.XX.XXX.XX" proto="17" length="145" tos="0x08" prec="0x20" ttl="103" srcport="48590" dstport="51413" 


  • Refer to #2 in Rulz, Alan.  If you want to use a firewall rule to drop some traffic and another to allow some, don't select 'Automatic firewall rules' in the DNAT.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thank you. That is a good checklist. I will read it.