
Firewall Rule bound to specific interface

Dear Community

I am faced with a specific issue regarding firewall rules. By default, you can only filter IP networks/ranges, which is fairly sufficient in most cases. However, we need to filter out certain IP ranges coming in on two interfaces, while allowing them coming in from other interfaces.

There is the global spoofing option, which somehow is supposed to do something in that area, however, it cannot be configured and only reacts to IP networks bound to the interfaces of the UTM.

What would be the best option to do this?

Thank you,
Ronny



  • Hallo Ronny,

    I'm not sure I understand how traffic from the Internet might relate to spoofing based on the WAN connection it arrives on, but have you tried binding a separate network definition for each interface bound to that interface and then making firewall rules with them?  Please let us know if that does what you want.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    That’s an interesting idea. So I create a network object for each network to block, bound to the two inbound interfaces and then assign the firewall rule as a block from those objects to any/any. I will try that and let you know.

    Yours,

    Ronny

  • A different Network definition for each subnet and each interface, bound to that interface.  If there were just one subnet and two interfaces, you would have two different Network objects.  Now you can make a Block firewall rule for the "wrong" interface and an Allow rule.  Or, a blackhole DNAT for the wrong interface and a regular DNAT for the right interface - not sure exactly what it is we're talking about.

    In fact, maybe all you need is a single Network definition and a blackhole DNAT for the "wrong" WAN interface - see #2 in Rulz (last updated 2019-04-17).

    Cheers und fG - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob

    the creation of interface-bound networks seems to be working exactly as you specified. Some more testing is needed over the weekend, but it looks very promising so far.

    Just a few caveats:

    - interface bound definitions (of course) can only be configured locally on each device, SUM does not support that

    - which means we need to change all firewall profiles from "before local rules" to "behind local rules", which, thanks to some ingenious software design choice, we can't do. So we have to clone and redeploy the rulesets.

    - Unfortunately, controlling will not like that because it would allow the local FW admin to add rules overriding the default rule sets

    You asked for a bit more info on why this whole thing might be necessary. Apparently, and not surprisingly, you can spoof TCP sender addresses reaching through your firewall. I know Sophos UTM is providing this little drop-down box for Spoof Protection, but it only blocks spoofed traffic from the networks "directly" bound to the UTM, not networks learned via OSPF or which are behind other routers.

    A much better solution would be to allow the drop-down box to be customized, just like for IPS, with the list of networks to block as spoofed.

    Or to provide a firewall rule which allows one to specify the source and target interface, which would need to be SUMable.

    Anyway, I will give you more feedback after the weekend.


    Yours,
    Ronny
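The mechanism the thread converges on (a network definition bound to an interface, a Block rule for the "wrong" interface, an Allow rule for the right one) is per-interface source-address filtering for prefixes that are not directly attached, such as OSPF-learned networks. The following is an added example, not configuration from the original post or from Sophos; it is not UTM-specific. It expresses the same policy in two forms: a checker that classifies a packet by (source address, ingress interface) exactly as the interface-bound Block/Allow pair would, and a generator that emits the equivalent nftables rules. The topology (prefixes, interface names) is constructed for illustration; "legitimate ingress interface" is the only assumption the policy needs.

```python
"""Per-interface source-address filtering for non-attached prefixes.

Added example (not from the thread, not Sophos UTM's implementation).
Models "network definition bound to interface X" + "Block from it on
interface Y" as: a prefix may only enter on its expected interface(s);
the same prefix arriving elsewhere is treated as spoofed.
"""
import ipaddress

# Constructed topology (assumption): prefix -> interfaces on which packets
# from that prefix may legitimately arrive. Directly attached networks are
# what the UTM's spoof-protection drop-down already covers; the OSPF-learned
# and behind-another-router prefixes are the ones that need explicit rules.
EXPECTED_INGRESS = {
    "10.10.0.0/16": {"eth1"},           # directly attached LAN
    "10.20.0.0/16": {"eth1"},           # learned via OSPF, behind the LAN router
    "10.20.5.0/24": {"eth2"},           # a more specific subnet reachable elsewhere
    "172.16.0.0/12": {"eth2", "eth3"},  # reachable via two internal links
}


def _policy():
    """Prefixes most-specific first, so longest-prefix match wins."""
    nets = [(ipaddress.ip_network(p), ifs) for p, ifs in EXPECTED_INGRESS.items()]
    return sorted(nets, key=lambda item: item[0].prefixlen, reverse=True)


def classify(src_ip: str, in_iface: str) -> str:
    """Return 'allow', 'drop-spoofed' or 'allow-unmatched' for one packet.

    'allow-unmatched' means no policy entry covers the source; the caller's
    normal firewall rules decide. This mirrors a Block rule that only fires
    for the bound network object on the wrong interface.
    """
    addr = ipaddress.ip_address(src_ip)
    for net, ifaces in _policy():
        if addr in net:
            return "allow" if in_iface in ifaces else "drop-spoofed"
    return "allow-unmatched"


def nft_ruleset(table: str = "antispoof") -> str:
    """Emit an nftables ruleset implementing the same policy.

    Each prefix gets an accept for its legitimate interface(s) followed by a
    logged drop for that prefix from anywhere else. Hooked in prerouting at
    priority -300 (before conntrack) so spoofed packets never create state.
    """
    lines = [
        f"table inet {table} {{",
        "    chain ingress_filter {",
        "        type filter hook prerouting priority -300; policy accept;",
    ]
    for net, ifaces in _policy():
        names = ", ".join(sorted(ifaces))
        lines.append(
            f'        iifname {{ {names} }} ip saddr {net} accept comment "legit ingress for {net}"'
        )
        lines.append(f'        ip saddr {net} counter log prefix "spoof {net} " drop')
    lines += ["    }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample packets: (source, ingress interface)
    samples = [("10.20.1.5", "eth1"), ("10.20.1.5", "eth0"),
               ("10.20.5.9", "eth2"), ("10.20.5.9", "eth1"),
               ("172.20.0.1", "eth3"), ("198.51.100.7", "eth0")]
    for src, iface in samples:
        print(f"{src:>14} on {iface}: {classify(src, iface)}")
    print(nft_ruleset())
```

Two points worth noting against the thread's caveats: rule order is the whole game, so the generator sorts most-specific prefixes first (the 10.20.5.0/24 entry must precede 10.20.0.0/16 or the /24's drop would shadow it), which is the same ordering discipline the interface-bound network objects need in the UTM rule list; and a prefix not listed in the policy is passed through to the ordinary rules rather than dropped, so adding a new OSPF-learned network without a policy entry fails open, not closed.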
