Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 12 replies
  • Subscribers 5 subscribers
  • Views 7180 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

UTM 9 version 9.411-3, HTTP/S DROPPED packets are never dropped but are logged as DROPS.

CarlMankinen

EDITED: BLUF, Rulz #2 you will see that the UTM "services" such as Web Proxy, WAF, DNS, DHCP, etc all take precedence over the Network Firewall rules. If you need to restrict devices from using those ports and protocols, you must do 100% of that configuration in that specific section and not in the firewall rule base. The only thing I can think regarding the fact I was seeing firewall DROPS logged was that when the config was touched it may have invalidated the stateful inspection tables causing unknown established sessions to be rejected and causing a logged dropped packet.

 

I recently saw a host on my local network that seemed to be getting past the firewall rules and I was puzzled.

I have some rules that are setup as DROP rules and others as REJECT rules.

The drop rule was logging as "DROPPED" in RED, but I was pulling HTTP pages, pinging, traceroute, etc which should NOT be happening. With NEVER any issue getting past this rule which should be stopping all traffic! The rule is simple, SOURCE->(any protocol)->ANY, DROP, LOG.  It is like nothing is actually blocked.

So I moved the rule to the very top of the rule base (it was at #5 position before and all the rules above were switched off anyway). Same result. I also made sure I was seeing all the rules and not looking at a subset. I don't have any IP ANY ANY ALLOWs above this rule. (or anywhere else for that matter)

I changed the rule from a DROP to a REJECT. and BANG, now the rule is doing something different. It seems to be intermittently rejecting, and other times passing traffic.

I changed the IP address of the network object in the rule from the windows VM that was the original system I detected this activity on and switched it to another VM that is an Ubuntu server, statically configured, etc. I then did some WGET's for a domain that I have which is parked at GoDaddy and 50% of the time I would get:
2017-03-28 22:58:44 ERROR 503: Service Unavailable.
The other 50% of the time, I would get:
HTTP request sent, awaiting response... 200 OK
And the index.html file would be served up.

Same rule!, set to always fire with no time settings.
I have no load balancing settings. A simple inside interface and outside interface.

At this point, I don't trust this firewall to be dropping packets at all. I am concerned that perhaps the firewall has been compromised in some fashion.

Has anyone else seen this were a simple rule to DROP traffic shows in the LIVE LOG as "DROPPED" but the traffic is in fact passed?



This thread was automatically locked due to age.
Parents
  • 0

    ummmm..... serious stuff as you say.

    1. Have you checked to see if there are any automatic rules applied? They generally sit above any manual rules.

    2. Are you using the web proxy as well as additional rules?

  • 0 in reply to Louis-M

    1) No automatic rules are present. (I had a DNAT rule there previously, but during troubleshooting it was the first thing I turned off and I didn't really need it active right now)

    2) Yes, I am using the web proxy in transparent mode with no authentication. 

    I am NOT using a parent proxy (chaining).

    I have a standard default base "block all content" web policy and a policy above that which blocks all sorts of stuff.

    I am able to ping as well, which shouldn't involve the webfilter/proxy.

    In my config I am using country blocking and also application filtering.

    I am going to trim the rule base down to see what happens, start turning features off, etc.

     

    Feeling very exposed right now.

  • 0 in reply to CarlMankinen

    Okay, so after turning off features one by one... I got to the WebFilter.

    When I switched the webfilter OFF, the expected behavior for the test Ubuntu VM occurs. It is unable to connect on port 80/443. 100% of the time.

    I was under the impression the installation wizard rule "Web Surfing" was required to permit HTTP/HTTPS from localnet to global via the webfilter/proxy.

    I would think the DENY HTTP/HTTPS at the top of the rule base would take precedence over that. Apparently not!

    In addition, the ICMP was enabled on the global tab, so that was letting ICMP through regardless of the DENY rule.

     

    In the past, I had a group of VM's that I wanted isolated. I put a DROP rule at the top of my rule base with those network objects in the rule. It worked previously, browser would never get a response. I discovered this because I was working on one of the VM's and a message popped that an update was available. Huh? That isn't supposed to be happening.

  • +1 in reply to CarlMankinen

    Hi, Carl - first I've seen you here - welcome to the UTM Community!

    I bet #2 in Rulz will help you understand the situation.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Reply
  • +1 in reply to CarlMankinen

    Hi, Carl - first I've seen you here - welcome to the UTM Community!

    I bet #2 in Rulz will help you understand the situation.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Children
  • 0 in reply to BAlfson

    Yeah, rule #2 pretty much nails it.

    It makes me think that a standard L3 firewall in front of the UTM might be a good idea. Only it's a pain if the overload/hide NAT/PAT is performed at the UTM.

    I have been using this for several years, but I always had a "trusted" and "untrusted" subnet.

    The untrusted subnet wasn't set in the "allowed networks" on any service, so it was being filtered.

    I assumed the HTTP/HTTPS firewall rules were having a part in that because the UTM automagically created a "WebSurfing" rule, etc.

     

    How does it explain the live log showing DROPPED packets though? (dropped is what I want, but perplexed why it would be PASSED by Proxy but logged as DROPPED)

    (I will read through the rest of Rulz, maybe that is rule #4...)

Unfiltered HTML