
I Need Help Opening 2 Ports for one APP on a single workstation

Newbie question. I am running Sophos Home UTM 9 software appliance on a server I built. I have an app running on a single workstation that needs to communicate in and out on ports 4000 and 4001. I set up the following rules but it doesn't seem to be enough or is misconfigured.

In Firewall rules I created

Rule 1 - Any(4/6)  --->  Workstation  TCP 4000  TCP 4001

Rule 2 - LAN  -->  Any(4/6) TCP 4000  TCP 4001

This app needs two-way communication to servers hosted elsewhere and not on my network. Currently, if I try to telnet to those servers on ports 4000 or 4001, I get "connection failed", which tells me the ports are still not open.

  • Update - The live firewall log shows the packets being dropped: "Default DROP    TCP    x.x.x.1  --->  x.x.x.40:4000   (Destination on remote network)", so it clued me in to the fact that rule 2 may be wrong. I changed it to Internal (Network) ---> Any(4/6) and it works now. If this is the best, most secure way please let me know. If this is wrong / a security risk, I am open to any suggestions!!!!

    Thanks ahead of time.

  • Can you post screenshots of your Firewall rules? BAlfson and I are pretty visual people and need to really 'see' what you have set up.

    And, if you didn't know this: when you create a port range, you can use a colon to define the range, so if you wanted to open a range between 4000 and 5000, your definition would look like 4000:5000 when entering the ports.

    I'd be curious just to see the set up you have in UTM for simplicity's sake.  

    UTM - 9.713-19 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SATA HDD | GB Ethernet x5

  • Hello JP,

    With "in and out", do you mean that you need to access that port on the workstation from the internet?

    What is lacking here is DNAT and MASQ. If you only want to start a communication FROM the (internal) workstation TO those servers in the public internet, you don't need to open ports like in your "Rule 1". (In fact you should avoid this.)

    The next thing you need in addition to "Rule 2" is a Masquerading Rule doing "NAT" like this screenshot:

    So why will this work, without opening ports for "the way back"?

    The SG-UTM is a stateful firewall: it can "learn" which packets belong to the outgoing session that was started, receive the answers for that session and connect them to the right (internal) target.

    If you really need to connect FROM outside to that internal workstation, you will need a DNAT-rule.

    With kind regards, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.
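The following is an added illustration of the point made in the answer above (stateful tracking plus masquerading lets replies back in without any inbound allow rule); it is a toy model written for this thread, not code from any poster or from Sophos UTM. The addresses and networks are constructed documentation ranges, and the "Internal network" object, WAN address and rule set are assumptions standing in for the poster's configuration.

```python
"""Toy model of the traffic flow described in the thread: one outbound filter
rule (Internal (Network) -> Any(4/6), TCP 4000/4001), a masquerading rule on the
WAN side, and a connection table that admits replies without a "Rule 1"-style
inbound allow. Constructed example; addresses are documentation ranges."""
import ipaddress
from dataclasses import dataclass

INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed internal LAN object
WAN_IP = ipaddress.ip_address("203.0.113.10")          # assumed UTM external address
APP_PORTS = {4000, 4001}                               # the ports from the question


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class StatefulNatFirewall:
    def __init__(self):
        # Connection table keyed by what the remote server sees after NAT:
        # (remote_ip, remote_port, wan_port) -> (internal_ip, internal_port)
        self.conntrack = {}
        self.next_nat_port = 40000
        self.log = []

    def outbound(self, pkt):
        """Internal host -> Internet. Returns the masqueraded packet, or None if dropped."""
        src = ipaddress.ip_address(pkt.src)
        # Filter rule: Internal (Network) -> Any(4/6), TCP 4000/4001 -> Allow.
        if not (src in INTERNAL_NET and pkt.dport in APP_PORTS):
            self.log.append(f"Default DROP TCP {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
            return None
        # Masquerading rule: rewrite the source to the WAN address and remember the mapping.
        nat_port = self.next_nat_port
        self.next_nat_port += 1
        self.conntrack[(pkt.dst, pkt.dport, nat_port)] = (pkt.src, pkt.sport)
        return Packet(str(WAN_IP), nat_port, pkt.dst, pkt.dport)

    def inbound(self, pkt):
        """Internet -> WAN address. Only packets belonging to a tracked session get in."""
        key = (pkt.src, pkt.sport, pkt.dport)
        if pkt.dst == str(WAN_IP) and key in self.conntrack:
            internal_ip, internal_port = self.conntrack[key]
            # Reverse NAT: hand the reply to the workstation that opened the session.
            return Packet(pkt.src, pkt.sport, internal_ip, internal_port)
        # No matching session and no inbound allow rule: the default action applies.
        self.log.append(f"Default DROP TCP {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
        return None


def demo():
    fw = StatefulNatFirewall()
    # The workstation opens a session to a remote application server on 4000.
    out = fw.outbound(Packet("192.168.1.40", 51000, "198.51.100.7", 4000))
    # The server answers the WAN address; the tracked session routes it back to .40.
    reply = fw.inbound(Packet("198.51.100.7", 4000, "203.0.113.10", out.sport))
    # An unsolicited attempt from the Internet to port 4000 is dropped.
    unsolicited = fw.inbound(Packet("198.51.100.9", 5555, "203.0.113.10", 4000))
    # Outbound traffic to a port outside the rule is dropped as well.
    other = fw.outbound(Packet("192.168.1.40", 51001, "198.51.100.7", 22))
    return out, reply, unsolicited, other, fw.log


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The model is deliberately minimal (TCP only, no timeouts, no DNAT), but it shows why the poster's corrected setup works: the reply path is opened per session by the connection table, so the only static rule needed is the outbound one, and the unsolicited inbound attempt still hits the default drop that appeared in the live log.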

  • Thank you so much Philipp!  I made the changes you suggested, and it works.  I really appreciate the help!

  • I feel dumb, but I can't find the "verify answer" button to give you credit.
