Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 4 replies
  • Subscribers 3 subscribers
  • Views 2881 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

UTM v9.601 problem with DNAT + firewall drop

Nejc Menard

Hi community.

 

i am a home user, having problems with DNAT. it was working in previous versions... i am succesfully using WAF for web services (https), but not DNAT. well, they work as expected when activated, but next day they are not.

 

problem is like this, this is my accessing from outside:

2019:04:17-10:58:53 home ulogd[4923]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="62003" initf="ppp1" srcip="myexternalipelsewhere" dstip="myhomeip" proto="6" length="52" tos="0x00" prec="0x20" ttl="123" srcport="10401" dstport="3389" tcpflags="SYN" 
2019:04:17-10:58:53 home ulogd[4923]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="ppp1" outitf="eth1.10" srcmac="00:01:2e:6e:b0:09" srcip="myexternalipelsewhere" dstip="mylanip" proto="6" length="52" tos="0x00" prec="0x20" ttl="122" srcport="10401" dstport="3389" tcpflags="SYN"

after i restart DNAT rule it is like this:

2019:04:17-11:04:10 home ulogd[4923]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="62003" initf="ppp1" srcip="myexternalipelsewhere" dstip="myhomeip" proto="6" length="52" tos="0x00" prec="0x20" ttl="123" srcport="10800" dstport="3389" tcpflags="SYN" 

i really did only turned off the DNAT and then reenabled. it works even after system restart...??

ofcourse there are country based drops that are ok:
2019:04:17-11:08:08 home ulogd[4923]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="62003" initf="ppp1" srcip="188.246.224.47" dstip="myhomeip" proto="6" length="40" tos="0x08" prec="0x00" ttl="242" srcport="60000" dstport="3389" tcpflags="SYN" 
2019:04:17-11:08:08 home ulogd[4923]: id="2021" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped (GEOIP)" action="drop" fwrule="60019" initf="ppp1" outitf="eth1.10" srcmac="00:01:2e:6e:b0:09" srcip="188.246.224.47" dstip="mylanip" proto="6" length="40" tos="0x08" prec="0x00" ttl="241" srcport="60000" dstport="3389" tcpflags="SYN" 

WAF for now works as expected.

i did have some problems with dyndns and wan interfaces ip; was solved with system reset, i hope it does not rewoke.

another thing for this version; using web admin, after time out it does not logout, it just caches objects (just like before initial login) infinite. (using chrome)

thank you for any suggestions.




UTM active services:
Firewall is active with 28 rules
Status: Enabled Intrusion Prevention is active with 1660 of 35029 patterns

Status: Enabled Web Filtering is active, 22053 requests served today
Status: Disabled Network Visibility is inactive
Status: Disabled SMTP Proxy is inactive
Status: Enabled POP3 Proxy is active, 0 emails processed, 0 emails blocked

Status: Disabled RED is inactive
Status: Disabled Wireless Protection is inactive
Status: Disabled Endpoint Protection is inactive

Status: Disabled Site-to-Site VPN is inactive
Status: Enabled Remote Access is active with 0 online users

Status: Enabled Web Application Firewall is active, 36 requests served today

Status: Disabled Sophos UTM Manager is not configured
Status: Disabled Sophos Mobile Control is inactive

Status: Disabled HA/Cluster is inactive
Status: Enabled Antivirus is active for protocols HTTP/S, POP3
Status: Enabled Antispam is active for protocols POP3
Status: Enabled Antispyware is active




This thread was automatically locked due to age.
Parents
  • 0

    Ahoj Nejc and welcome to the UTM Community!

    It's very rare, but sometimes an Up2Date will "break" something in the configuration.  The easiest fix is to restore the backup made just before applying the last group of Up2Dates.  If you try that and still have issues, try rebooting three times.  If you still experience the same problem, try deleting the DNAT and creating a new one.  If that doesn't work, copy several backups off the UTM, re-image from ISO and restore from backup.  Did any of that work for you?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson

    Hi Bob and thank you for suggestions...

     

    i tried restoring config, rebooting, recreating nat rule.. .nothing works. :/ i do not like to re-image...

     

    interesting thing is, that none of the nat rules works, if i restart one rule (disable and reenable...) then all start to work. ??

  • 0 in reply to Nejc Menard

    What you're experiencing is very unusual - I don't recall seeing anyone else report this since I joined 12+ years ago.

    If you can tie down the time that the DNAT stops working every day, you could build a cron job to disable/enable it every day.

    To get a list of the REF_ for your NAT rules, do the following as root:

    cc get_objects packetfilter nat | grep \'ref

    One of the lines might look like 'ref' => 'REF_PacNatRdpFromAny'.  Below is the line you would use to toggle that rule off/on at 4AM daily:

    0 4 * * * root /usr/local/bin/confd-client.plx change_object 'REF_PacNatRdpFromAny' status 0 ; /usr/local/bin/confd-client.plx change_object 'REF_PacNatRdpFromAny' status 1

    I would first add that to /etc/crontab-static and then to /etc/crontab.  In that way, your cron job will be retained even if something is done to cause the configuration daemon to rebuild crontab.

    Any luck with that?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to Nejc Menard

    A fellow Sophos Solution Partner in Germany emailed me about the same problem, causing me to rethink my suggested solution.

    Instead of toggling a useful rule off and on again, create a DNAT at the top that applies only to traffic coming from "Nowhere = 240.0.0.1" - an address that can't exist.  Now, we can toggle that DNAT every five minutes without disrupting a working NAT rule.  As above, add a line similar to the following line to /etc/crontab and /etc/crontab-static

    */5 * * * * root /usr/local/bin/confd-client.plx change_object 'REF_PacNatRdpFromNowhere' status 0 ; /usr/local/bin/confd-client.plx change_object 'REF_PacNatRdpFromNowhere' status 1

    Does that work?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Reply
  • 0 in reply to Nejc Menard

    A fellow Sophos Solution Partner in Germany emailed me about the same problem, causing me to rethink my suggested solution.

    Instead of toggling a useful rule off and on again, create a DNAT at the top that applies only to traffic coming from "Nowhere = 240.0.0.1" - an address that can't exist.  Now, we can toggle that DNAT every five minutes without disrupting a working NAT rule.  As above, add a line similar to the following line to /etc/crontab and /etc/crontab-static

    */5 * * * * root /usr/local/bin/confd-client.plx change_object 'REF_PacNatRdpFromNowhere' status 0 ; /usr/local/bin/confd-client.plx change_object 'REF_PacNatRdpFromNowhere' status 1

    Does that work?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Children
No Data
Unfiltered HTML