3CX DLL-Sideloading attack: What you need to know
We have an UTM9 firewall running. The two last firewall rules are:
I want to remove the 'allow any/any' rule as it defeats previous, more specific 'allow' rules in the firewall.
Before doing that, I want to be absolutely sure that, when removing the 'allow any/any' rule, I don't lock myself out on the WebAdmin access.
I will be performing the change from a network that is in the 'Allowed Networks' in the General WebAdmin settings. Is that enough? Do these networks always have access to the WebAdmin even though there is no firewall rule that allows this traffic?
Hi Onetrail Techops,
Thank you for reaching out to the Community!
The WebAdmin access isn’t subjected to the firewall rules. If the source network is allowed under WebAdmin Access Configuration, you could access it without a firewall rule.
Allowed Networks: The Allowed Networks box lets you define the networks that should connect to the WebAdmin interface. For the sake of a smooth installation of Sophos UTM, the default is Any. This means that the WebAdmin interface can be accessed from everywhere. Change this setting to your internal network(s) as soon as possible. However, the most secure solution would be to limit the access to only one administrator PC through HTTPS. Adding a definition is explained on the Definitions & Users > Network Definitions > Network Definitions page.
Reference UTM help page.
Thanks for the answer!
Hoi and welcome to the UTM Community!
I would also delete your Drop Any/Any rule as that removes information from your firewall log. The built-in default drop rule will tell you which chain the packet was dropped from and will help you analyze problems. See the images at the bottom of Rulz (last updated 2021-02-16).
Cheers - Bob