
DNAT rule goes through and drops in the same moment - that drives me crazy!

Hello, I have created a DNAT rule (NAT rule #1) for the port https/443 to an internal server. (Traffic from Internet: Internet = group of Sophos default definitions: Internet IPv4 and ...IPv6).


In the firewall log I see that the packets are forwarded. But in the same moment the packets are dropped!??



If I switch the DNAT rule off and on again, then the packets are forwarded without being dropped?!! Here comes the second crazy thing: the forwarding does its job until the external (WAN) interface connection is re-established after 24 hours. (In Germany, an Internet (VDSL) connection is disconnected every 24 hours.) Then the dropping of 443 starts again until I do the step I described.

 

I have already checked my other firewall rules, but here I have no rule for port 443/https that could cause the problem.

How can I find out which setting or rule is responsible for the behaviour? I don't want to manually turn the DNAT rule off and on every day :-(



  • Hi,

    You already know that this isn't normal behavior.  If Briain's suggestion doesn't fix this, please show us a line from the full Firewall log file corresponding to one of those blocks in the Live Log.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I bet MasterRoshi is right that you've violated #3 in Rulz (last updated 2019-04-17), but if you want to recognize similar problems, post that Firewall log file line I asked for above.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

     

longtime security guru of the Sophos forum ;-) Thank you for many helpful comments in other discussions! That helped me to better understand firewall security. I've wanted to say this for a long time.


    Anyway. I checked the Rulez just before I opened up this discussion, and also a second time after the last update. But I can't find an error in my config.

     

In the meantime I reverted the changes to my firewall rules that I described in my reply to MasterRoshi (I changed the destination back to "Any"). Now I will test the behavior with this change. But even if that works, it's not a resilient solution, because now I have a guest VLAN and no host from the management LAN should reach a host on the guest VLAN...

P.S.: Yes, I've already got your how-to "Configure HTTP Proxy for a Network of Guests", thanks again for that :-)

Hi all, after changing the destination of my Internet firewall rules from "Internet IPv4" to "Any" yesterday, this morning (after the automatic WAN re-connect) I sadly get the same error behavior :-(

Here is the corresponding full firewall log:


    2019:04:23-08:14:17 sophos-utm ulogd[1892]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="62001" initf="ppp0" srcip="84.152.xxx.xx" dstip="217.95.xxx.xx" proto="6" length="60" tos="0x00" prec="0x00" ttl="61" srcport="52904" dstport="443" tcpflags="SYN"
    2019:04:23-08:14:17 sophos-utm ulogd[1892]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="ppp0" outitf="eth0" srcmac="80:ee:73:b7:78:de" srcip="84.152.xxx.xx" dstip="192.168.xxx.xx" proto="6" length="60" tos="0x00" prec="0x00" ttl="60" srcport="52904" dstport="443" tcpflags="SYN"
    2019:04:23-08:14:17 sophos-utm ulogd[1892]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="62001" initf="ppp0" srcip="84.152.xxx.xx" dstip="217.95.xxx.xx" proto="6" length="60" tos="0x00" prec="0x00" ttl="61" srcport="45388" dstport="443" tcpflags="SYN"
    2019:04:23-08:14:17 sophos-utm ulogd[1892]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="ppp0" outitf="eth0" srcmac="80:ee:73:b7:78:de" srcip="84.152.xxx.xx" dstip="192.168.xxx.xx" proto="6" length="60" tos="0x00" prec="0x00" ttl="60" srcport="45388" dstport="443" tcpflags="SYN"
    2019:04:23-08:14:17 sophos-utm ulogd[1892]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="62001" initf="ppp0" srcip="84.152.xxx.xx" dstip="217.95.xxx.xx" proto="6" length="60" tos="0x00" prec="0x00" ttl="61" srcport="42455" dstport="443" tcpflags="SYN"
    2019:04:23-08:14:17 sophos-utm ulogd[1892]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="ppp0" outitf="eth0" srcmac="80:ee:73:b7:78:de" srcip="84.152.xxx.xx" dstip="192.168.xxx.xx" proto="6" length="60" tos="0x00" prec="0x00" ttl="60" srcport="42455" dstport="443" tcpflags="SYN"
    2019:04:23-08:14:17 sophos-utm ulogd[1892]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="62001" initf="ppp0" srcip="84.152.xxx.xx" dstip="217.95.xxx.xx" proto="6" length="60" tos="0x00" prec="0x00" ttl="61" srcport="38831" dstport="443" tcpflags="SYN"
    2019:04:23-08:14:17 sophos-utm ulogd[1892]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="ppp0" outitf="eth0" srcmac="80:ee:73:b7:78:de" srcip="84.152.xxx.xx" dstip="192.168.xxx.xx" proto="6" length="60" tos="0x00" prec="0x00" ttl="60" srcport="38831" dstport="443" tcpflags="SYN"
    2019:04:23-08:14:17 sophos-utm ulogd[1892]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="62001" initf="ppp0" srcip="84.152.xxx.xx" dstip="217.95.xxx.xx" proto="6" length="60" tos="0x00" prec="0x00" ttl="61" srcport="57747" dstport="443" tcpflags="SYN"



    My Sophos UTM version: 9.601-5

    My current config:


    My only firewall rule where port 443 is included:


    What can I do? I have no more ideas...

    Is there any (new after the update) firewall function, service or setting that claims port 443 for itself (maybe Let's Encrypt etc.?!).
    Or as MasterRoshi suspects: "To me this looks like when your WAN goes down every 24 hours and comes back up, the iptables entries for the DNAT are not coming back with it but it does when you toggle the rule."

    Before, I didn't have problems with forwarding port 443 in the same way I described.

  • The packet was dropped out of the FORWARD chain (fwrule="60002").  Since we can see that the mail server object has not been bound to a specific interface, this confirms that the UTM is "forgetting" the automatic firewall rule you selected.  I would first try deleting the DNAT and creating a new one using "Internet" as the source instead of the "Any" object.

    Sometimes, an Up2Date will damage a configuration.  It's rare, but it does happen.  If recreating the DNAT didn't work, make a new config backup and restore from the one made prior to the last application of Up2Dates.

    If all else fails, add "Internet" to 'Sources' in the firewall rule you showed us.

    Please share your results.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
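As an added example (not code from the thread or from Sophos), the small Python script below parses ulogd packetfilter lines like the ones posted above and pairs each pre-NAT "Packet logged" entry (fwrule 62001, public dstip) with the "Packet dropped" entry for the same flow (fwrule 60002, internal dstip, outitf eth0). That correlation makes the diagnosis checkable: the destination was rewritten by the DNAT, yet the FORWARD chain's default rule dropped the translated packet, so no accept rule matched it. The sample log lines are constructed in the thread's format with the same masked addresses and rule ids; treating fwrule 60002 as the FORWARD default drop is taken from the reply above.

```python
import re
# Constructed sample in the thread's ulogd format (addresses masked as in the post):
# two flows logged pre-NAT, DNATed and dropped, plus one unpaired "Packet logged" line.
SAMPLE_LOG = """\
2019:04:23-08:14:17 sophos-utm ulogd[1892]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="62001" initf="ppp0" srcip="84.152.xxx.xx" dstip="217.95.xxx.xx" proto="6" srcport="52904" dstport="443" tcpflags="SYN"
2019:04:23-08:14:17 sophos-utm ulogd[1892]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="ppp0" outitf="eth0" srcip="84.152.xxx.xx" dstip="192.168.xxx.xx" proto="6" srcport="52904" dstport="443" tcpflags="SYN"
2019:04:23-08:14:17 sophos-utm ulogd[1892]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="62001" initf="ppp0" srcip="84.152.xxx.xx" dstip="217.95.xxx.xx" proto="6" srcport="45388" dstport="443" tcpflags="SYN"
2019:04:23-08:14:17 sophos-utm ulogd[1892]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="ppp0" outitf="eth0" srcip="84.152.xxx.xx" dstip="192.168.xxx.xx" proto="6" srcport="45388" dstport="443" tcpflags="SYN"
2019:04:23-08:14:17 sophos-utm ulogd[1892]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="62001" initf="ppp0" srcip="84.152.xxx.xx" dstip="217.95.xxx.xx" proto="6" srcport="57747" dstport="443" tcpflags="SYN"
"""

KV_RE = re.compile(r'(\w+)="([^"]*)"')
FORWARD_DEFAULT_DROP = "60002"  # fwrule id on the "Packet dropped" lines in the thread

def parse_ulogd(line):
    """Turn one ulogd packetfilter line into a dict of its key="value" fields."""
    return dict(KV_RE.findall(line))

def correlate_dnat_drops(text):
    """Pair each 'Packet logged' entry with the later 'Packet dropped' entry for the same
    flow (srcip, srcport, dstport); record whether the destination changed in between."""
    pending, records = {}, []
    for raw in text.splitlines():
        f = parse_ulogd(raw)
        if not f:
            continue  # blank or non-ulogd line
        key = (f.get("srcip"), f.get("srcport"), f.get("dstport"))
        if f.get("action") == "log":
            pending[key] = f                # pre-NAT view: public dstip
        elif f.get("action") == "drop" and key in pending:
            pre = pending.pop(key)          # post-NAT view: internal dstip
            records.append({
                "flow": key,
                "logged_dst": pre["dstip"],
                "dropped_dst": f["dstip"],
                "translated": pre["dstip"] != f["dstip"],
                "drop_rule": f["fwrule"],
                "out_if": f.get("outitf"),
            })
    return records

def count_dnat_then_default_drop(records):
    """Flows that were DNATed and then hit the FORWARD chain's default drop:
    the NAT rewrite worked, but no rule accepted the translated packet."""
    return sum(1 for r in records
               if r["translated"] and r["drop_rule"] == FORWARD_DEFAULT_DROP)

if __name__ == "__main__":
    recs = correlate_dnat_drops(SAMPLE_LOG)
    print(f"{count_dnat_then_default_drop(recs)} of {len(recs)} dropped flows were DNATed first")
```

Run it against the real log file (one entry per line) instead of SAMPLE_LOG; a count equal to the number of dropped flows means the DNAT is translating and the missing piece is the automatic FORWARD accept rule, as the reply above concludes.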