
New interface and how to block traffic from lan

Hi,

Internal LAN is 192.168.157.0/24 and the new interface added is 192.168.158.0/24.

Our Sophos SG 125 has the IP 192.168.157.70.

I'd like to block all traffic between the LAN and 192.168.158.0/24, but the existing rule rejecting all traffic does not work: ping, telnet and more are allowed.

Why this situation?

Regards



This thread was automatically locked due to age.
Check out my Architecture document in the Wiki section.

Generally, the proxies are good at content and reputation filtering, and the firewall layer is good at source-destination filtering, but traffic never flows through both. Filters applied at the proxy level only apply to that particular proxy, so proxy-level blocks cannot ensure a global block. The workaround is to create DNAT rules to create an approximation of a firewall:

• source-actual_destination to allow
• source-deadend_destination to block

The deadend destination either needs to be a non-existent address, such as an unused IP in your DMZ address range, or an inherently-unreachable address. For example, if you are using only 192.168.*.* internally, then routing unwanted traffic to 172.16.31.1 should create an inherently-unreachable deadend. My testing indicates that UTM responds to 127.0.0.*, so loopback addresses do not seem appropriate for the deadend address.

Country blocking is also applied globally, but I have not yet figured out all of the details for Country Blocking Exceptions. They at least apply to Firewall, and may apply to WAF. For WebFiltering, you need to configure a URL-checking exception in WebFiltering to achieve the effect of the Country Blocking Exception, because the country blocking exceptions are ignored by the Web Filter proxy.
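The following is an added example, not code from the reply's author or from Sophos. It models the dead-end DNAT workaround described above in plain Python: a check that a candidate dead-end address is neither loopback (which the reply reports UTM answering on) nor inside any internal range, and a small first-match-wins rule list (the ordering is an assumption, as is reading "source-actual_destination to allow" as a rule that leaves the destination unchanged) that shows where a flow between the two subnets from the question would be sent.

```python
"""Model of the DNAT dead-end workaround for inter-subnet blocking.

Constructed illustration, not Sophos UTM code. Networks are the ones from
the question (192.168.157.0/24 and 192.168.158.0/24); the dead-end address
172.16.31.1 is the one suggested in the reply.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Internal networks that a dead-end address must NOT fall into.
INTERNAL_NETWORKS = [
    ipaddress.ip_network("192.168.157.0/24"),  # existing LAN
    ipaddress.ip_network("192.168.158.0/24"),  # new interface
]


def is_safe_deadend(addr: str, internal_networks=INTERNAL_NETWORKS) -> bool:
    """True if addr is neither loopback nor inside any internal network."""
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:  # the reply observed UTM responding on 127.0.0.*
        return False
    return all(ip not in net for net in internal_networks)


@dataclass
class DnatRule:
    source: ipaddress.IPv4Network
    destination: ipaddress.IPv4Network
    # None means "leave the destination unchanged", i.e. the allow case.
    translate_to: Optional[ipaddress.IPv4Address]


def rule(src: str, dst: str, translate_to: Optional[str] = None) -> DnatRule:
    """Build a rule from CIDR strings; translate_to=None is an allow rule."""
    return DnatRule(
        ipaddress.ip_network(src),
        ipaddress.ip_network(dst),
        ipaddress.ip_address(translate_to) if translate_to else None,
    )


def resolve(src: str, dst: str, rules: List[DnatRule]) -> str:
    """Return the destination a packet from src to dst ends up with.

    First matching rule wins (assumed ordering); no match means the
    destination is left as-is.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if s in r.source and d in r.destination:
            return str(r.translate_to) if r.translate_to is not None else str(d)
    return str(d)


DEADEND = "172.16.31.1"
RULES = [
    rule("192.168.157.0/24", "192.168.157.0/24"),           # LAN to itself: allow
    rule("192.168.157.0/24", "192.168.158.0/24", DEADEND),  # LAN -> new subnet: dead-end
    rule("192.168.158.0/24", "192.168.157.0/24", DEADEND),  # new subnet -> LAN: dead-end
]

if __name__ == "__main__":
    print("dead-end usable:", is_safe_deadend(DEADEND))
    print(resolve("192.168.157.10", "192.168.158.5", RULES))   # sent to 172.16.31.1
    print(resolve("192.168.157.10", "203.0.113.8", RULES))    # unchanged, no rule matched
```

Before reusing a dead-end address in your own rules, run it through `is_safe_deadend` with every internal and DMZ range you actually route; an address that happens to be live inside one of them would turn the "block" into a redirect to a real host.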
