
ICMP Settings Question

I'm having an issue that is kind of stumping me. I installed Sophos UTM and have been using it for some time now. The one thing I can't get to work is this:

How can I allow pings on my internal interface while denying them on my external interface? For various reasons I need my internal interface to be pingable. The only way it seems to accomplish this is by going to the ICMP settings, and turning on "Allow ICMP on gateway" or "Gateway is ping visible". The drawback is that this also allows pinging on my external interface, which I do not want. The ICMP settings seem to take precedence over any Firewall rules, so any rules I put in place had no effect. I also followed some instructions in a Sophos Board about disabling the ICMP settings by typing in "cc set icmp secure 0" at the command line. This didn't seem to have any effect. So how would I accomplish this?

I'd also like to say I have a pretty deep understanding of networking as it's what I do for a living. I mostly deal with Cisco, ASA, and Fortinets.

Would appreciate any help.



  • Hi, Brad, and welcome to the UTM Community.

    Just uncheck the selections on the 'ICMP' tab and make your own Firewall Allow rules. Traffic not explicitly allowed will be dropped by default.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I've done that. When all the ICMP settings are turned off, I've even put in a rule at the very top of the firewall Allowing Any Any Any. Upon pinging my internal interface, I still get "Default" drops.
  • The Any service definition isn't really all, it's more like most. Doesn't cover ICMP. Create your own custom service definitions in a group for ICMP and use that instead.
    __________________
    ACE v8/SCA v9.3

    ...still have a v5 install disk in a box somewhere.

    http://xkcd.com
    http://www.tedgoff.com/mb
    http://www.projectcartoon.com/cartoon/1
  • Thanks for the help, but I still can't get this to work. I've added custom definitions for every ICMP type and allowed it in the firewall with logging. When pinging the internal interface, I'm still getting Default Drops. As stated before, all the ICMP settings are turned off on the ICMP page.
  • Show us a line from the Firewall log file (not the Live Log!) with a drop of one of your pings.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Sure.

    2016:02:06-14:44:32 SOPHOS01 ulogd[30800]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="MACADDRESS" dstmac="MACADDRESS" srcip="XXX.XXX.XXX.156" dstip="XXX.XXX.XXX.190" proto="1" length="60" tos="0x00" prec="0x00" ttl="128" type="8" code="0"

    I edited out the MAC addresses and the subnet.

    .156 is a computer on the LAN I'm pinging from.
    .190 is the internal interface on the Sophos.
  • proto="1" type="8" code="0"

    So, you have a "Ping Request" Service definition of 'Type' ICMP and 'Type/Code' of [T08/C00]? Do you have a firewall rule like 'Internal (Network) -> Ping Request -> Internal (Address) : Allow'? Do you get what you want when those two are in place?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Yes. All ICMP settings are turned off under the ICMP tab.
    I have a custom Service Definition with ICMP code T00/C00.
    I have a rule at the top of the firewall stating: Internal (network) -> Custom Ping Service Def/Log/Allow -> Internal Address.

    Same results as before.

    2016:02:06-17:00:39 BTBSOPHOS01 ulogd[30800]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="MACaddress" dstmac="MACAddress" srcip="XXX.XXX.XXX.156" dstip="XXX.XXX.XXX.190" proto="1" length="60" tos="0x00" prec="0x00" ttl="128" type="8" code="0"
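The two ulogd lines posted above carry everything needed to see why the rule never matched: `proto="1"` with `type="8" code="0"` is an ICMP Echo Request, which in UTM service-definition notation is [T08/C00], not [T00/C00]. The following parser is an added example written for this thread; it is not code from the thread or from Sophos. It reads ulogd `key="value"` lines like the ones posted, keeps only ICMP packets dropped on a given ingress interface, and renders each one as the Type/Code the service definition must use. The log lines embedded in it are constructed from the posted format with placeholder addresses and MACs; the assumption that the posted drops carry `fwrule="60001"` comes only from the lines above.

```python
import re
from typing import Dict, List, Optional

# Constructed sample lines modelled on the ulogd lines posted in this thread.
# Addresses and MACs are placeholders. Line 1: the posted case (echo request
# dropped on eth1). Line 2: the same packet once a matching rule allows it.
# Line 3: an echo request dropped on a different interface (eth0).
# Line 4: a TCP SYN drop on eth1, which is not ICMP and must be ignored.
SAMPLE_LOG = """\
2016:02:06-14:44:32 SOPHOS01 ulogd[30800]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="00:00:00:00:00:01" dstmac="00:00:00:00:00:02" srcip="192.0.2.156" dstip="192.0.2.190" proto="1" length="60" tos="0x00" prec="0x00" ttl="128" type="8" code="0"
2016:02:06-14:44:33 SOPHOS01 ulogd[30800]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="1" initf="eth1" srcmac="00:00:00:00:00:01" dstmac="00:00:00:00:00:02" srcip="192.0.2.156" dstip="192.0.2.190" proto="1" length="60" tos="0x00" prec="0x00" ttl="128" type="8" code="0"
2016:02:06-14:44:34 SOPHOS01 ulogd[30800]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcmac="00:00:00:00:00:03" dstmac="00:00:00:00:00:02" srcip="198.51.100.7" dstip="203.0.113.10" proto="1" length="60" tos="0x00" prec="0x00" ttl="54" type="8" code="0"
2016:02:06-14:44:35 SOPHOS01 ulogd[30800]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="00:00:00:00:00:01" dstmac="00:00:00:00:00:02" srcip="192.0.2.156" dstip="192.0.2.190" proto="6" length="60" tos="0x00" prec="0x00" ttl="128" tcpflags="SYN" srcport="51234" dstport="22"
"""

# ulogd packetfilter lines: a "timestamp host process:" header followed by
# space-separated key="value" pairs.
HEADER_RE = re.compile(r'^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<proc>\S+):\s')
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_ulogd_line(line: str) -> Dict[str, str]:
    """Turn one ulogd line into a flat dict of its key="value" fields plus ts/host/proc."""
    fields = dict(KV_RE.findall(line))
    header = HEADER_RE.match(line)
    if header:
        fields.update(header.groupdict())
    return fields


def icmp_service_code(fields: Dict[str, str]) -> Optional[str]:
    """Render an ICMP packet's type/code in UTM service-definition notation (e.g. T08/C00).

    Returns None for anything that is not ICMP (proto 1) or lacks type/code fields.
    """
    if fields.get("proto") != "1" or "type" not in fields or "code" not in fields:
        return None
    return f"T{int(fields['type']):02d}/C{int(fields['code']):02d}"


def icmp_drops_on_interface(log_text: str, interface: str) -> List[Dict[str, str]]:
    """List ICMP packets dropped on `interface`, each with src, dst, service code and fwrule.

    Non-ICMP drops and accepted packets are skipped, so the result is exactly the
    set of pings the firewall rule set is still missing for that interface.
    """
    hits = []
    for line in log_text.splitlines():
        f = parse_ulogd_line(line)
        if f.get("action") != "drop" or f.get("initf") != interface:
            continue
        service = icmp_service_code(f)
        if service is None:
            continue
        hits.append({
            "src": f.get("srcip", ""),
            "dst": f.get("dstip", ""),
            "service": service,
            "fwrule": f.get("fwrule", ""),
        })
    return hits


def needed_service_codes(log_text: str, interface: str) -> List[str]:
    """Distinct Type/Code definitions needed to cover the observed drops, sorted."""
    return sorted({h["service"] for h in icmp_drops_on_interface(log_text, interface)})


def service_matches(configured: str, observed: str) -> bool:
    """Exact Type/Code comparison: a [T00/C00] definition never matches a [T08/C00] packet."""
    return configured == observed


if __name__ == "__main__":
    for hit in icmp_drops_on_interface(SAMPLE_LOG, "eth1"):
        print(f"{hit['src']} -> {hit['dst']} dropped by fwrule {hit['fwrule']}: needs {hit['service']}")
    print("service definitions needed on eth1:", needed_service_codes(SAMPLE_LOG, "eth1"))
    print("[T00/C00] covers the posted drop?", service_matches("T00/C00", "T08/C00"))
```

Run against the posted log file (not the Live Log) with the interface name from `initf`, this reduces the question "which ICMP service definition am I missing?" to a one-line answer; the last print shows the exact mismatch that kept the thread's rule from matching.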
  • Arghh! I meant [T08/C00] and have corrected that part of my post.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Wow! It works now! Thanks so much. I've been banging my head against a wall on that one for a while. I didn't have the right ICMP defined.

    Also, does "Any" not really mean "Any"?

    I put Internal Network -> ICMPT08/C00:Allow -> Any and it doesn't work. But if I define Internal Interface it does.

    Also if I choose to Log traffic, the live log doesn't seem to show it Allowing.

    I'm not too concerned about those things, just glad it's working now. Thanks again!