
Masquerading Rule allows internet access without creating a fw roule?

Hi,

I installed a new UTM 9.6 a couple of weeks ago and got a little bit confused about the masquerading setup.

I have set up the masquerading rule internal(LAN)>external(WAN) and service=ANY to allow internal devices unrestricted access to the internet. In addition to this, the UTM Online Help states that "Note – You need to allow traffic from the internal network to the Internet in the firewall if you want your clients to access external servers."

This is not necessary in my new UTM. Internet access is granted without creating the firewall rule. Should it work like this???

In the next step I create a firewall rule (at the top) to block internal(LAN)>external(WAN) service=ANY just to see if the internet access is blocked by the firewall. It isn't. Internal devices are still granted internet access through the masquerading rule. Is this behavior correct???

BR

Mathias Pyk

  • Post a pic of your masq rule. I don't have any service entries in mine. Perhaps you're thinking of a NAT rule?

    As for internet access, how are you testing? If you're testing via http/https and have web filtering enabled, then that's taking precedence over packet filtering (firewall). I'm sure Bob will be around shortly with a reference to one of his rulz.... Here's the link community.sophos.com/.../rulz

  • Halloj Mathias and welcome to the UTM Community!

    Yes, as Jay said, you will want to consult #2 in Rulz (last updated 2019-04-17).  Also see Doug Foster's take on some of this: READ ME FIRST: UTM Architecture.

    If you still need help, please post pictures of the Edits of the rules you're concerned about.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Jay Jay,

    Thanks for the reply. My masquerading rule is of course without the service option, just like yours, my bad :-(

    I'm testing via http/https and yes, I have web filtering active, but for this test the specific interface/network is not included in the allowed networks list.

    I have been reading the "rulz" #2 and suppose the explanation is in there in other words than I can connect to the masquerading rule. (I'm a home user with no advanced network experience)

    This seems to be a normal behavior for UTM, and the main reason for me to create this post was to make sure that I didn't have a bricked install or a faulty configuration/setup making it not work as expected...

    BR

    Mathias Pyk

  • Halloj Bob!

    Thanks, and I think I got the answer I need to stay assured that my firewall is working as expected :-)

    BR

    Mathias Pyk

  • I've been chasing my tail all day trying to figure out how to secure yet allow VoIP RTP data with my new provider. Unlike the old, which proxied the media, the new uses direct media. This means RTP traffic can come from any IP. The VoIP helper doesn't help. In fact it breaks the audio. So far the best I could come up with was to allocate a small range of UDP ports (100) in the PBX, then port forward (DNAT).

    As you use the software more you'll discover there is sometimes more than one way to achieve a similar result.

    The point from the rulz is that packets are only processed by the firewall if some other proxy doesn't process them first. A bit of an implication. I'm going on about 18 months with UTM and am still learning and confused at times.
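As an added illustration, not code from this thread or from Sophos, the following Python model replays the processing order that Jay's reply and the last post describe: the transparent web proxy claims HTTP/HTTPS from networks listed under Web Protection's allowed networks before the firewall rule set is consulted, the firewall then applies its rules top to bottom with an implicit final drop, and masquerading only rewrites the source address of traffic the firewall has already allowed (the order the Online Help note quoted in the question implies). The network names, the proxied port list, the Packet and FirewallRule types and the constructed packets are assumptions made for the model. It also shows the check a practitioner would want: testing the block rule with a service the proxy never touches (SSH here) reveals whether the rule is actually being evaluated.

```python
# Added model of UTM-style packet handling as described in the thread.
# It is not UTM code; names and port lists below are assumptions.
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

# Ports the transparent web proxy intercepts (assumption: plain HTTP/HTTPS).
WEB_PROXY_PORTS = {80, 443}

# Port -> service name, so firewall rules can match by service.
SERVICE_NAMES = {22: "SSH", 53: "DNS", 80: "HTTP", 443: "HTTPS"}


@dataclass(frozen=True)
class Packet:
    src_net: str   # network the packet comes from, e.g. "Internal"
    dst_net: str   # network it is going to, e.g. "External"
    proto: str     # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class FirewallRule:
    src_net: str
    dst_net: str
    service: str   # "Any" or a name from SERVICE_NAMES
    action: str    # "Allow" or "Drop"


def service_of(pkt: Packet) -> str:
    return SERVICE_NAMES.get(pkt.dport, f"{pkt.proto}/{pkt.dport}")


def web_filter_intercepts(pkt: Packet, web_filter_networks: Iterable[str]) -> bool:
    """Transparent web filtering claims the packet before the firewall sees it.
    Only source networks listed as allowed networks in Web Protection are proxied."""
    return (pkt.proto == "tcp"
            and pkt.dport in WEB_PROXY_PORTS
            and pkt.src_net in web_filter_networks)


def firewall_decision(pkt: Packet, rules: List[FirewallRule]) -> str:
    """First matching rule wins (rules are ordered top to bottom).
    No match means the implicit final drop."""
    for rule in rules:
        if (rule.src_net == pkt.src_net
                and rule.dst_net in (pkt.dst_net, "Any")
                and rule.service in ("Any", service_of(pkt))):
            return rule.action
    return "Drop"


def process(pkt: Packet, rules: List[FirewallRule],
            web_filter_networks: Set[str],
            masq_pairs: Set[Tuple[str, str]]) -> str:
    """Proxy first, then firewall rules, then masquerading for allowed traffic."""
    if web_filter_intercepts(pkt, web_filter_networks):
        return "handled by web proxy (firewall rules not consulted)"
    if firewall_decision(pkt, rules) != "Allow":
        return "dropped by firewall"
    if (pkt.src_net, pkt.dst_net) in masq_pairs:
        return "allowed, source NAT via masquerading"
    return "allowed, no masquerading"


def thread_scenario() -> Dict[str, str]:
    """Replays the question's situation with constructed packets."""
    masq = {("Internal", "External")}
    block_all = FirewallRule("Internal", "External", "Any", "Drop")
    allow_all = FirewallRule("Internal", "External", "Any", "Allow")
    https = Packet("Internal", "External", "tcp", 443)
    ssh = Packet("Internal", "External", "tcp", 22)
    return {
        # Block rule at the top, but Internal is web-filtered: HTTPS never
        # reaches the firewall, so the block rule appears not to work.
        "https/block/filtered": process(https, [block_all], {"Internal"}, masq),
        # Same rule, Internal not in the allowed networks: the block applies.
        "https/block/unfiltered": process(https, [block_all], set(), masq),
        # A non-proxied service shows the block rule is evaluated.
        "ssh/block/filtered": process(ssh, [block_all], {"Internal"}, masq),
        # Masquerading alone, no allow rule: implicit drop (Online Help note).
        "ssh/norule/masq": process(ssh, [], {"Internal"}, masq),
        # Allow rule plus masquerading: the documented working setup.
        "ssh/allow/masq": process(ssh, [allow_all], {"Internal"}, masq),
    }


if __name__ == "__main__":
    for case, outcome in thread_scenario().items():
        print(f"{case:24s} -> {outcome}")
```

The model treats an HTTPS test from a web-filtered network as never touching the firewall, which is why a block rule placed at the top of the rule set seems to have no effect when the test is done with a browser; running the same test against a port the proxy does not handle separates "the proxy answered" from "the firewall allowed it".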