Newbie question. I am running Sophos Home UTM 9 software appliance on a server I built. I have an app running on a single workstation that needs to communicate in and out on ports 4000 and 4001. I set up the following rules but it doesn't seem to be enough or is misconfigured.
In Firewall rules I created
Rule 1 - Any(4/6) ---> Workstation TCP 4000 TCP 4001
Rule 2 - LAN --> Any(4/6) TCP 4000 TCP 4001
This app needs two way communication to servers hosted elsewhere and not on my network. Currently, if I try to telnet to those servers on ports 4000 or 4001, I get "connection failed" which tells me the ports are still not open.
Update - The live firewall log shows the packets being dropped: "Default DROP TCP x.x.x.1 ---> x.x.x.40:4000 (Destination on remote network)", so it clued me in to the fact that rule 2 may be wrong. I changed it to Internal (Network) ---> Any(4/6) and it works now. If this is the best, most secure way please let me know. If this is wrong / a security risk, I am open to any suggestions!!!!
Thanks ahead of time.
Can you post screenshots of your Firewall rules? BAlfson and I are pretty visual people and need to really 'see' what you have set up.
And, if you didn't know this: when you create a port range, you can use a colon to define the range, so if you wanted to open a range between 4000 and 5000, your definition would look like 4000:5000 when entering the ports.
I'd be curious just to see the set up you have in UTM for simplicity's sake.
UTM - 9.713-19 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz 16GB Memory | 500GB SATA HDD | GB Ethernet x5
With "in and out", do you mean that you need to access that port on the workstation from the internet?
What is lacking here is DNAT and MASQ. If you only want to start a communication FROM the (internal) workstation TO those servers in the public internet, you don't need to open ports like in your "Rule 1". (In fact you should avoid this.)
The next thing you need in addition to "Rule 2" is a Masquerading Rule doing "NAT" like this screenshot:
So why will this work, without opening ports for "the way back"?
The SG-UTM is a stateful firewall and can "learn" which packets belong to the session started from inside; it receives the answers for that session and connects them to the right (internal) target.
If you really need to connect FROM outside to that internal workstation, you will need a DNAT-rule.
With kind regards, best regards from Germany,
New Vision GmbH, Germany | Sophos Silver-Partner
If a post solves your question please use the 'Verify Answer' button.
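The behaviour Philipp describes (one outbound allow rule plus masquerading, replies admitted by connection state rather than by an inbound rule, unsolicited inbound dropped) modelled as a small Python simulation. This is an added illustration, not code from the thread or from Sophos; the network 192.168.1.0/24, the UTM's public address and the remote server address are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

INTERNAL = ipaddress.ip_network("192.168.1.0/24")  # constructed: the "Internal (Network)" object
WAN_IP = "203.0.113.5"                               # constructed: public address of the UTM
ALLOWED_PORTS = {4000, 4001}                         # the app's ports from the thread


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class StatefulFirewall:
    """Minimal model: outbound allow rule + MASQ, replies matched by state, rest dropped."""

    def __init__(self) -> None:
        # (wan_ip, nat_sport, remote_ip, remote_port) -> (internal_ip, internal_sport)
        self.state: Dict[Tuple[str, int, str, int], Tuple[str, int]] = {}
        self.next_nat_port = 40000

    def handle(self, pkt: Packet) -> Tuple[str, Optional[Packet]]:
        # 1. Reply for a session we opened: un-NAT it and accept (no inbound rule needed).
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.state:
            internal_ip, internal_sport = self.state[key]
            return "ACCEPT_ESTABLISHED", Packet(pkt.src, pkt.sport, internal_ip, internal_sport)
        # 2. New session from the Internal network to an allowed port: masquerade and record state.
        if ipaddress.ip_address(pkt.src) in INTERNAL and pkt.dport in ALLOWED_PORTS:
            nat_sport, self.next_nat_port = self.next_nat_port, self.next_nat_port + 1
            self.state[(WAN_IP, nat_sport, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
            return "ACCEPT_NEW_MASQ", Packet(WAN_IP, nat_sport, pkt.dst, pkt.dport)
        # 3. Everything else, including unsolicited connections from the internet, is dropped.
        return "DROP", None


def demo() -> Dict[str, str]:
    fw = StatefulFirewall()
    workstation, server = "192.168.1.40", "198.51.100.10"  # constructed addresses
    v_out, natted = fw.handle(Packet(workstation, 51234, server, 4000))
    # The server answers the masqueraded address; state maps it back to the workstation.
    v_reply, delivered = fw.handle(Packet(natted.dst, natted.dport, natted.src, natted.sport))
    # An unsolicited connection from the internet to port 4001 has no state and is dropped.
    v_unsolicited, _ = fw.handle(Packet(server, 4000, WAN_IP, 4001))
    return {"outbound": v_out, "reply": v_reply,
            "reply_target": delivered.dst, "unsolicited": v_unsolicited}
```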
Thank you so much Philipp! I made the changes you suggested, and it works. I really appreciate the help!
I feel dumb, but I can't find the "verify answer" button to give you credit.
I believe he has to flag it as a suggested answer. :D