
IPsec traffic routed to IPsec tunnel and Firewall Rules

Hi there all,

I'm trying to understand the relationship between IPsec tunnels and Firewall rules.
Here is what I've got:

SITE-A <--ipsec--> SITE-B <--ipsec--> SITE-C
(SITE-A: 4x /24, SITE-B: 1x /24, SITE-C: 1x /24)

On the IPsec setup, everything works fine, all SAs are established, routing is fine, all good.

Now, for example, from SITE-C, if I initiate an ICMP session towards the /24 in SITE-A, the ICMP packets go through. The same applies to any service; I've tested with administrative services and simple HTTP.

Now, what bugs me is that it doesn't make any difference whether firewall policies are there or not (automatic firewall rules on IPsec are disabled).

In my example above, on the SITE-C UTM, I've got a FW policy in place from SITE-A/24 to SITE-C/4x/24. However, the reverse policy is NOT in place. Still, from a host in SITE-C I can reach anything in SITE-A, and this without, hum, any firewall policy.

Is there anything I'm missing here?
Thanks



  • Hi there Hpatel,

    Yes, pretty much this is my situation. There are no firewall rules allowing traffic from SITE-C to SITE-A, this at SITE-C.
    The reverse policy is set and enabled, SITE-A to SITE-C at SITE-C. However, my understanding is that sessions initiated from SITE-A will be granted return traffic with this policy in place, whereas sessions initiated from SITE-C to SITE-A should not pass.

    Would you mean a tcpdump trace?

    Thanks,
    m.

  • Hi there,

    So it turns out I've been misled by the global firewall ICMP settings, which seem to override potential firewall policies.

    Indeed, the firewall policies are in effect, and I could monitor both "Packet accepted" and "Packet dropped" reflecting the enabled/disabled status of the policies while watching the packetfilter.log file:

    tail -f /var/log/packetfilter.log | grep xx.xx.xx.xx

    Thanks,
    Regards,
    m.

  • Hallo M,

    You might be interested in #2 in Rulz (last updated 2019-04-17).

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thanks for that. I would say that this should be integrated within the official UTM docs. Other vendors offer such things as "Life of a Packet", which I see as essential in troubleshooting situations.
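The log check from the reply above (tail and grep on packetfilter.log) can be taken one step further. The following added example, written for this thread and not code from the poster or from Sophos, parses packetfilter.log lines for one host and tallies accepted versus dropped packets per flow and firewall rule, so that an ICMP flow accepted by one rule shows up next to TCP flows dropped by another. The key="value" line format and field names are assumed from the common ulogd logging style; the sample lines, addresses and rule numbers are constructed.

```python
import re
from collections import Counter

# Constructed sample lines in the key="value" style that ulogd writes to
# /var/log/packetfilter.log on Sophos UTM (field names assumed, not taken from the thread).
SAMPLE_LOG = """\
2019:04:17-10:00:01 utm ulogd[2211]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcip="192.0.2.10" dstip="198.51.100.20" proto="6" length="60" dstport="80"
2019:04:17-10:00:02 utm ulogd[2211]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="3" initf="eth1" srcip="192.0.2.10" dstip="198.51.100.20" proto="1" length="84" type="8" code="0"
2019:04:17-10:00:03 utm ulogd[2211]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="12" initf="eth1" srcip="198.51.100.20" dstip="192.0.2.10" proto="6" length="60" dstport="22"
2019:04:17-10:00:04 utm ulogd[2211]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcip="192.0.2.10" dstip="198.51.100.20" proto="6" length="60" dstport="22"
"""

KV_RE = re.compile(r'(\w+)="([^"]*)"')
PROTO_NAMES = {"1": "icmp", "6": "tcp", "17": "udp"}


def parse_line(line):
    """Return the key="value" fields of one log line as a dict (empty if none)."""
    return dict(KV_RE.findall(line))


def summarize(log_text, host):
    """Count verdicts for every flow that involves `host`, keyed by
    (srcip, dstip, proto, action, fwrule). Grouping by rule number is what
    separates 'accepted by an explicit policy' from 'accepted by some other
    rule' or 'dropped by the default rule'."""
    tally = Counter()
    for line in log_text.splitlines():
        f = parse_line(line)
        if f.get("sub") != "packetfilter" or host not in (f.get("srcip"), f.get("dstip")):
            continue
        proto = PROTO_NAMES.get(f.get("proto"), f.get("proto", "?"))
        tally[(f["srcip"], f["dstip"], proto, f.get("action", "?"), f.get("fwrule", "?"))] += 1
    return tally


def accepted_flows(tally):
    """Only the flows the firewall let through: the ones to compare against the policy table."""
    return sorted(k for k in tally if k[3] == "accept")


if __name__ == "__main__":
    counts = summarize(SAMPLE_LOG, "192.0.2.10")
    for (src, dst, proto, action, rule), n in sorted(counts.items()):
        print(f"{src:>15} -> {dst:<15} {proto:<5} {action:<7} rule={rule:<6} x{n}")
```

On a live box the same functions can be fed the output of the tail command from the reply instead of SAMPLE_LOG.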
