
Port Still Blocked After Rule Allowing it Added

Hi,

Our new VoIP desktop phone app (MaX UC / Mitel) has a chat feature that should include the ability to send over SMS. It looks like it's getting blocked as below:

I have these (among others) allowed between my LAN and my provider's server (the address getting blocked above):

443-443:49152-65535

TCP 443

Separate rules, one allowing from the provider to my LAN, the other from LAN to provider.

I read the section in "rulz" and still can't pin down what could be blocking this. Rule #2 lists the order in which the packet is handled, but...

  1. the connection tracker (conntrack) first - WHAT IS "CONNECTION TRACKER?"
  2. then Country Blocking - COUNTRY BLOCKING OFF AT MOMENT
  3. then the 'ICMP' tab in 'Firewall': Traceroute and Ping are regulated on the 'ICMP' tab. The "All" service only includes TCP and UDP - none of the other IP protocols are included. THIS WOULDN'T AFFECT THIS I DON'T THINK.
  4. then Intrusion Prevention (see the images below to see that IPS actually can happen in several places but happens only once!) - I VERIFIED THE ADDRESS IS LISTED IN EXCEPTIONS FOR BOTH IN AND OUTBOUND
  5. then DNATs* - NOT RELEVANT I DON'T THINK.
  6. then VPNs - SAME. EXCEPT I DID TURN OFF SSL VPN SINCE IT'S USING 443
  7. then Proxies (except the SMTP Proxy in Transparent mode which captures traffic after it has been forwarded  by a DNAT) - NOT SURE ABOUT THIS, EXCEPT WE DO HOST OUR OWN WEBSITE BUT IT ONLY FORWARDS SPECIFIC REQUESTS GOING TO OUR "WEB ADDRESS" ADDITIONAL IP address ON OUR WAN INTERFACE
  8. then manual Routes and manual Firewall rules, which are considered only if the automatic Routes and rules coming before hadn't already handled the traffic - THIS IS WHAT I HAVE THE RULE LISTED IN, ISN'T IT?
  9. and, finally, Application Control.

I'm stuck and lost.

Thanks,

Jeff

  • Hi Jeff,

    first: it's a "Default DROP", that means no other rule applied.

    Please show us the DROPs from the log again, but do not obfuscate all parts of the addresses, as we are not able to see if this is inside or outside or whatever without this information.

    Then: show us the definition of your rule(s); you can obfuscate some parts of addresses or server names, but not everything, please. Otherwise, again, this would not make much sense to us helping hands.

    I guess your rule definition is much too "tight" for this simple purpose, but we will see.

    Kind regards, Regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.
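Added example, not from either post in this thread: a small Python model of two of the steps in the order Jeff quoted, the connection tracker (step 1) and the manual firewall rules (step 8), showing why "Default DROP" means no rule applied and how a tight service definition fails to match the outbound packet. It assumes the notation "A-B:C-D" means source ports A-B and destination ports C-D (the thread does not say), and every address below is a constructed sample.

```python
# Added example: a toy model of the "rulz" order reduced to step 1 (connection
# tracker) and step 8 (manual rules). A packet belonging to a tracked connection
# is accepted before any rule is read; a new connection must match a manual rule
# or falls to "Default DROP". ASSUMPTION: "A-B:C-D" = source ports A-B, destination
# ports C-D. All addresses are constructed samples.
from collections import namedtuple
from ipaddress import ip_address, ip_network

Packet = namedtuple("Packet", "proto src sport dst dport")
Service = namedtuple("Service", "proto src_ports dst_ports")   # inclusive ranges
Rule = namedtuple("Rule", "src_net dst_net service")

def rule_matches(rule, pkt):
    svc = rule.service
    return (pkt.proto == svc.proto
            and ip_address(pkt.src) in ip_network(rule.src_net)
            and ip_address(pkt.dst) in ip_network(rule.dst_net)
            and svc.src_ports[0] <= pkt.sport <= svc.src_ports[1]
            and svc.dst_ports[0] <= pkt.dport <= svc.dst_ports[1])

class Firewall:
    def __init__(self, rules):
        self.rules = rules
        self.conntrack = set()          # 5-tuples of connections already accepted

    def handle(self, pkt):
        fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.conntrack or rev in self.conntrack:
            return "ACCEPT (conntrack)"         # step 1: reply traffic needs no rule
        for i, rule in enumerate(self.rules, 1):
            if rule_matches(rule, pkt):
                self.conntrack.add(fwd)
                return f"ACCEPT (rule {i})"     # step 8: first matching manual rule
        return "Default DROP"                   # no rule applied, as in the log

LAN, PROVIDER = "192.0.2.0/24", "198.51.100.7/32"        # constructed sample nets
TCP_443 = Service("tcp", (1, 65535), (443, 443))         # the "TCP 443" definition
TIGHT = Service("tcp", (443, 443), (49152, 65535))       # "443-443:49152-65535"

def demo():
    """Return verdicts for an outbound HTTPS connection, its reply, and a retry."""
    client = Packet("tcp", "192.0.2.10", 50123, "198.51.100.7", 443)
    reply = Packet("tcp", "198.51.100.7", 443, "192.0.2.10", 50123)
    fw = Firewall([Rule(LAN, PROVIDER, TCP_443), Rule(PROVIDER, LAN, TIGHT)])
    out, back = fw.handle(client), fw.handle(reply)
    # Same client packet with only the tight service in the LAN->provider rule:
    # source port 50123 is outside 443-443, so no rule applies.
    dropped = Firewall([Rule(LAN, PROVIDER, TIGHT)]).handle(client)
    return out, back, dropped
```

The tight service only ever matches the reply direction, which the connection tracker already accepts, so on its own it never lets a new outbound connection through.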
