
Drop any rule is not working

Dear community,

I have a problem making some drop rules work as expected.

It actually drops all protocols (I tried to telnet to some random ports, and I can see my drop rule popping up in the firewall log) but not HTTP/HTTPS.

Packet blocked:

The rules are:

Basically, I've created a network group containing a bunch of forbidden IP addresses. All traffic coming from or going to those destinations must be dropped, and the call must be logged in the firewall event log.

As I said, when I try to reach any of those addresses on ports 443/80, packets are not dropped.

We use a transparent proxy managed by the UTM, and the only way to really block the HTTP/HTTPS outgoing access to those IPs is to create an object in the blacklist. Absolutely not manageable for hundreds of IP addresses...

Does the transparent proxy bypass the firewall rules concerning the HTTP/HTTPS protocols? It would be quite... insecure.

How can I prevent reaching those destinations over these 2 damn ports?

Thank you for your help.

  • Hi Philippe,

    Rather than firewall rules to create drops, you need DNATs - see #2 and #4 in Rulz (last updated 2019-04-17).  If you are in Transparent mode, I would expect the DNATs to take priority over the Proxy.  If you try that and it doesn't blackhole the HTTP/S request, please let us know.  I would make the two rules like the following:

    DNAT : Internal (Network) -> Any -> Blocked IP : to {240.0.0.1}
    DNAT : Blocked IP -> Any -> External (Address) : to {240.0.0.1}

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
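A small model of the behaviour discussed in this thread, added here as an example and not code from the thread or from Sophos: it assumes a simplified packet path (DNAT rewrites first, then the transparent proxy picking up TCP 80/443, then the firewall rules) and uses constructed addresses for the "Blocked IP" group, the internal network and the external address. It shows why a DROP rule alone never sees web traffic to the blocked hosts while Bob's two blackhole DNATs still catch it.

```python
"""Model of: firewall DROP vs. transparent proxy vs. DNAT-to-blackhole.

Assumed packet path (simplification for illustration, not Sophos documentation):
  1. DNAT rules rewrite the destination before anything else.
  2. The transparent web proxy intercepts TCP 80/443 before firewall rules run.
  3. Whatever is left is matched against the firewall rules.
"""
import ipaddress

BLACKHOLE = ipaddress.ip_address("240.0.0.1")   # reserved range, never routed
PROXY_PORTS = {80, 443}

# Constructed values standing in for the UTM objects named in the thread.
BLOCKED = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.7/32")]
INTERNAL = ipaddress.ip_network("10.0.0.0/8")          # "Internal (Network)"
EXTERNAL = ipaddress.ip_address("192.0.2.1")           # "External (Address)"


def in_group(ip, group):
    """True if ip falls inside any network of the group."""
    return any(ip in net for net in group)


def process(src, dst, port, use_dnat, proxy_enabled=True):
    """Return the fate of one packet: blackholed, proxied, dropped or allowed."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)

    # Step 1: the two DNATs from the reply.
    #   Internal (Network) -> Any -> Blocked IP : to 240.0.0.1
    #   Blocked IP -> Any -> External (Address) : to 240.0.0.1
    if use_dnat and ((src in INTERNAL and in_group(dst, BLOCKED))
                     or (in_group(src, BLOCKED) and dst == EXTERNAL)):
        dst = BLACKHOLE
    if dst == BLACKHOLE:
        return "blackholed"

    # Step 2: transparent proxy takes web traffic before the firewall rules.
    if proxy_enabled and port in PROXY_PORTS:
        return "proxied"

    # Step 3: the original DROP rule on the Blocked IP group, any service.
    if in_group(dst, BLOCKED) or in_group(src, BLOCKED):
        return "dropped"
    return "allowed"


if __name__ == "__main__":
    for port in (23, 443):
        print(port, process("10.1.2.3", "198.51.100.5", port, use_dnat=False),
              process("10.1.2.3", "198.51.100.5", port, use_dnat=True))
```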