
Default behavior - allow all or block all?

I have probably the most basic firewall question:

I have 10 interfaces (private subnets) on my UTM. Let's call them 'Internal Network A', 'Internal Network B', 'Internal Network C', etc.

And I have 1 Internet interface.


In UTM there is a built-in object named "Internet IPv4". As the name implies it seems logical that this object means "access to the Internet"


I create an SNAT rule which allows everything on 'Internal Network A' to be able to access the Internet, over Any port.

Rule works, and users on that internal network can get to the Internet.

But then I discover that Internal Network A also now has access to Internal Network B. Huh? Why is that? OK, so I create a rule that explicitly DENIES access to Int Network B from Int Network A.  That doesn't work. Users on A can still access stuff on B.

Turns out, when I created the SNAT rule it also created an automatic firewall rule...
   Source: Internal Network A
   Services: Any
   Destinations: Internet IPv4

Which still seems fine. However it appears "Internet IPv4" really means "the Internet plus all other networks".


Is there an object in UTM that really does mean 'Internet Only' that I should have used in my SNAT rule (and consequently in the automatic firewall rule)?

If not then the only option is to:

1. Delete the automatic firewall rule

2. Create a new rule that explicitly blocks traffic from Internal Network A to all other Internal networks

3. Followed by a rule that allows full access from Internal Network A to Internet v4
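The ordering problem in the question, and the three-step fix above, come down to first-match evaluation: whichever rule matches first decides, so an allow rule placed above a deny rule makes the deny unreachable. The following is an added example written for this thread, not Sophos UTM code and not the poster's configuration. It is a toy first-match evaluator over constructed subnets (10.1.0.0/24 as Internal Network A, 10.2.0.0/24 as B, 10.0.0.0/8 as the whole internal range). Two assumptions are made explicit in the code: an "internet" destination is modelled as any address outside RFC 1918 space, and the automatic rule's destination is modelled as "any" to stand in for the observed behaviour ("the Internet plus all other networks"). It also includes a small shadowing check that flags a deny rule an earlier, broader allow rule renders dead, which is the check worth running after any NAT rule has auto-created a firewall rule.

```python
"""Toy first-match firewall evaluator (added example, not Sophos UTM code).

Models the ordering problem from the thread: a rule automatically created
from an SNAT rule sits above a user-written deny rule, so the deny never
matches. Every address and subnet below is constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumption: in this model "internet" means any address outside RFC 1918 space.
PRIVATE = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Rule:
    name: str
    src: str      # CIDR
    dst: str      # CIDR, "any", or "internet"
    action: str   # "allow" or "deny"


def is_internet(addr):
    return not any(addr in net for net in PRIVATE)


def dst_matches(rule_dst, addr):
    if rule_dst == "any":
        return True
    if rule_dst == "internet":
        return is_internet(addr)
    return addr in ip_network(rule_dst)


def evaluate(rules, src, dst, default="deny"):
    """Return (action, rule name) of the first matching rule, else the default drop."""
    s, d = ip_address(src), ip_address(dst)
    for rule in rules:
        if s in ip_network(rule.src) and dst_matches(rule.dst, d):
            return rule.action, rule.name
    return default, "default drop"


def dst_covers(outer, inner):
    """True if every destination matched by `inner` is also matched by `outer`."""
    if outer == "any":
        return True
    if outer == "internet":
        if inner == "internet":
            return True
        if inner == "any":
            return False
        return not any(ip_network(inner).overlaps(net) for net in PRIVATE)
    if inner in ("any", "internet"):
        return False
    return ip_network(inner).subnet_of(ip_network(outer))


def shadowed_rules(rules):
    """Names of rules that can never match because an earlier rule with the
    opposite action already covers every packet they would match."""
    out = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (earlier.action != later.action
                    and ip_network(later.src).subnet_of(ip_network(earlier.src))
                    and dst_covers(earlier.dst, later.dst)):
                out.append(later.name)
                break
    return out


NET_A = "10.1.0.0/24"          # constructed: 'Internal Network A'
NET_B = "10.2.0.0/24"          # constructed: 'Internal Network B'
ALL_INTERNAL = "10.0.0.0/8"    # constructed: every private subnet on the UTM

# Ordering the thread describes: the automatic rule sits above the user's deny.
# Destination "any" is an assumption standing in for the observed behaviour
# ("the Internet plus all other networks").
BROKEN = [
    Rule("auto rule from SNAT", NET_A, "any", "allow"),
    Rule("user deny A -> B", NET_A, NET_B, "deny"),
]

# The three-step fix from the original post: auto rule deleted, deny A -> all
# other internal networks first, then allow A -> Internet.
FIXED = [
    Rule("deny A -> internal", NET_A, ALL_INTERNAL, "deny"),
    Rule("allow A -> internet", NET_A, "internet", "allow"),
]

if __name__ == "__main__":
    for label, rules in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, "A -> B:", evaluate(rules, "10.1.0.5", "10.2.0.9"))
        print(label, "A -> internet:", evaluate(rules, "10.1.0.5", "203.0.113.10"))
        print(label, "shadowed:", shadowed_rules(rules))
```

With the broken ordering, A to B is allowed by the automatic rule and the deny rule is reported as shadowed; with the fixed ordering, A to B is denied, A to the Internet is allowed, and traffic from a subnet no rule mentions falls through to the default drop. The shadowing check is deliberately conservative: it only reports a rule when an earlier rule with the opposite action covers its source and destination completely, so it never produces false alarms, but it can miss partial overlaps.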

  • "But then I discover that Internal Network A also now has access to Internal Network B."

    How did you determine that?  Check #2 in Rulz (last updated 2019-04-17) to understand why some traffic gets through before hitting a Default Drop firewall rule.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • When I first discovered that a computer in Internal Network A could access the web page of a device in Internal Network B I logged in and went to Network Protection > Firewall to see if I (or someone) had accidentally created a rule that allows traffic from A to B. I could not find any rule.

    So I opened a support ticket with Sophos support, and a few days later they replied back with this:


    After reviewing the current firewall rules, it looks like there is an automatically created firewall rule (rule ID 18) that was created due to an SNAT rule (NAT rule ID 6) which is above your user created firewall rule denying access.

    You should be able to resolve this issue by deleting the automatically created rule and creating a user rule (with the same parameters) below your deny rule.

    This is surprising to me because I always thought "Internet IPv4" meant Internet.

    And as emmo mentioned above, I confirmed that the object "Internet IPv4" is bound to the WAN interface.


    So this all leads me to question the reply I got above, and prompted this community post.

  • The Sophos Support engineer is off base.

    As I said above, the answer is in #2 of Rulz (last updated 2019-04-17).  You might be interested in a document I maintain that I make available to members of the UTM Community, "Configure HTTP Proxy for a Network of Guests."  If you would like me to send you this document, PM me your email address. For our German-speaking members, I also maintain a version auf Deutsch initially translated by fellow member hallowach when he and I did a major revision in 2013.

    Cheers - Bob
