Internal webserver, public IP, connection refused.

Greetings. I have a public webserver (IIS 7) behind my UTM, and I want my workstations to access it using the public IP.

In other words, a workstation in 192.168.100.0/24 will request "dorothyrocks.com," and it will get the public IP from the public name servers after recursing through my UTM and my edge firewall. The HTTP GET will then exit the UTM via the Web Filter, pass outbound through my edge firewall, turn around and come back in.

Unfortunately, the browser displays this error if web filtering is engaged (with no HTTP/s outbound packet filter rule) ...

...and this message if web filtering is switched off and an HTTP/s outbound packet filter rule engaged.

This is from the web filter log ...

  • 2016:09:28-23:39:02 utm-tcs01 httpproxy[23962]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="192.168.100.51" dstip="68.184.221.104" user="" group="" ad_domain="" statuscode="502" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="2614" request="0x136d9200" url="http://dorothyrocks.com/" referer="" error="Connection refused" authtime="0" dnstime="817" cattime="388" avscantime="0" fullreqtime="4045" device="0" auth="0" ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36" exceptions="" category="9998" reputation="unverified" categoryname="Uncategorized" country="United States" country="United States"
  • 2016:09:28-23:39:02 utm-tcs01 httpproxy[23962]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="192.168.100.51" dstip="68.184.221.104" user="" group="" ad_domain="" statuscode="502" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="2625" request="0x136d8c00" url="dorothyrocks.com/favicon.ico" referer="http://dorothyrocks.com/" error="Connection refused" authtime="0" dnstime="4604" cattime="438" avscantime="0" fullreqtime="8034" device="0" auth="0" ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36" exceptions="" category="9998" reputation="unverified" categoryname="Uncategorized" country="United States" country="United States"

...and I don't see anything in the WAF or firewall logs which correspond to these requests.

This is from the inside interface of my edge router...192.168.65.253 is the UTM external interface....

root@rte:~# tcpdump -qnt -i eth1.65 host 68.184.221.104
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1.65, link-type EN10MB (Ethernet), capture size 262144 bytes
IP 192.168.65.253.47673 > 68.184.221.104.80: tcp 0
IP 68.184.221.104.80 > 192.168.65.253.47673: tcp 0
IP 192.168.65.253.47674 > 68.184.221.104.80: tcp 0
IP 68.184.221.104.80 > 192.168.65.253.47674: tcp 0
IP 192.168.65.253.47676 > 68.184.221.104.80: tcp 0
IP 68.184.221.104.80 > 192.168.65.253.47676: tcp 0
IP 192.168.65.253.47677 > 68.184.221.104.80: tcp 0
IP 68.184.221.104.80 > 192.168.65.253.47677: tcp 0

....and this is from the UTM external interface...

utm-tcs01:/root # tcpdump -qnt -i eth1.65 host 68.184.221.104
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1.65, link-type EN10MB (Ethernet), capture size 65535 bytes
IP 192.168.65.253.47807 > 68.184.221.104.80: tcp 0
IP 68.184.221.104.80 > 192.168.65.253.47807: tcp 0
IP 192.168.65.253.47808 > 68.184.221.104.80: tcp 0
IP 68.184.221.104.80 > 192.168.65.253.47808: tcp 0
IP 192.168.65.253.47809 > 68.184.221.104.80: tcp 0
IP 68.184.221.104.80 > 192.168.65.253.47809: tcp 0
IP 192.168.65.253.47810 > 68.184.221.104.80: tcp 0
IP 68.184.221.104.80 > 192.168.65.253.47810: tcp 0

...and this is the UTM internal interface...

utm-tcs01:/root # tcpdump -qnt -i eth0.99 host 68.184.221.104
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0.99, link-type EN10MB (Ethernet), capture size 65535 bytes
IP 192.168.100.51.60518 > 68.184.221.104.80: tcp 0
IP 68.184.221.104.80 > 192.168.100.51.60518: tcp 0
IP 192.168.100.51.60519 > 68.184.221.104.80: tcp 0
IP 68.184.221.104.80 > 192.168.100.51.60519: tcp 0
IP 192.168.100.51.60520 > 68.184.221.104.80: tcp 0
IP 68.184.221.104.80 > 192.168.100.51.60520: tcp 0
IP 192.168.100.51.60520 > 68.184.221.104.80: tcp 0
IP 192.168.100.51.60518 > 68.184.221.104.80: tcp 0
IP 192.168.100.51.60519 > 68.184.221.104.80: tcp 0
IP 192.168.100.51.60518 > 68.184.221.104.80: tcp 400
IP 68.184.221.104.80 > 192.168.100.51.60518: tcp 0
IP 68.184.221.104.80 > 192.168.100.51.60518: tcp 1460
IP 68.184.221.104.80 > 192.168.100.51.60518: tcp 1373
IP 192.168.100.51.60518 > 68.184.221.104.80: tcp 0
IP 192.168.100.51.60518 > 68.184.221.104.80: tcp 0
IP 68.184.221.104.80 > 192.168.100.51.60518: tcp 0
IP 192.168.100.51.60518 > 68.184.221.104.80: tcp 0
IP 192.168.100.51.60519 > 68.184.221.104.80: tcp 362
IP 68.184.221.104.80 > 192.168.100.51.60519: tcp 0
IP 68.184.221.104.80 > 192.168.100.51.60519: tcp 1460
IP 68.184.221.104.80 > 192.168.100.51.60519: tcp 1384
IP 192.168.100.51.60519 > 68.184.221.104.80: tcp 0
IP 192.168.100.51.60519 > 68.184.221.104.80: tcp 0
IP 68.184.221.104.80 > 192.168.100.51.60519: tcp 0
IP 192.168.100.51.60519 > 68.184.221.104.80: tcp 0

I guess I could work around the problem by using a split-brain DNS. It would probably make good sense to do so, but first I want to learn ...

What's going on here?

Oh, before I forget, IPS and ATP are disabled for the moment.

Thank you :)
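The two web filter log entries above are key="value" records, and the question is really whether they are ordinary block events or hairpin traffic (a LAN client reaching the site's own public IP through the proxy). The following parser and filter is an added example for this page, not code from the original poster or from Sophos: it splits UTM httpproxy lines into fields, tolerates repeated keys (the posted lines carry country="..." twice), and flags blocked requests from an internal network to one of the UTM's own public addresses. The sample lines, the set of "own" public IPs and the internal network are constructed assumptions modelled on the thread.

```python
"""Parse Sophos UTM httpproxy log lines and flag blocked requests whose
destination is one of our own public IPs (hairpin traffic from the LAN).

Added example for this thread; not Sophos code. Log lines below are
constructed to mirror the format posted in the thread.
"""
import re
from ipaddress import ip_address, ip_network

# One key="value" pair as written by the UTM httpproxy daemon.
KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Constructed sample input: a blocked hairpin request (as in the thread) and
# an ordinary allowed request to an outside site for contrast.
SAMPLE_LINES = [
    '2016:09:28-23:39:02 utm-tcs01 httpproxy[23962]: id="0002" severity="info" '
    'sys="SecureWeb" sub="http" name="web request blocked" action="block" '
    'method="GET" srcip="192.168.100.51" dstip="68.184.221.104" statuscode="502" '
    'url="http://dorothyrocks.com/" error="Connection refused" '
    'country="United States" country="United States"',
    '2016:09:28-23:40:10 utm-tcs01 httpproxy[23962]: id="0001" severity="info" '
    'sys="SecureWeb" sub="http" name="http access" action="pass" '
    'method="GET" srcip="192.168.100.51" dstip="93.184.216.34" statuscode="200" '
    'url="http://example.com/" error="" country="United States"',
]


def parse_httpproxy_line(line: str) -> dict:
    """Return the key="value" fields of one log line as a dict.

    The timestamp/host/daemon prefix is kept under 'prefix'. When a key is
    repeated, the first value wins so the result is deterministic.
    """
    fields = {"prefix": line.split(": ", 1)[0]}
    for key, value in KV_RE.findall(line):
        fields.setdefault(key, value)
    return fields


def find_hairpin_blocks(lines, own_public_ips, internal_nets=("192.168.100.0/24",)):
    """Return blocked requests from an internal net to one of our public IPs.

    own_public_ips: iterable of public addresses that are DNAT/WAF'd back
    into the LAN (assumed for this example).
    """
    nets = [ip_network(n) for n in internal_nets]
    own = {ip_address(ip) for ip in own_public_ips}
    hits = []
    for line in lines:
        f = parse_httpproxy_line(line)
        if f.get("action") != "block":
            continue
        try:
            src, dst = ip_address(f["srcip"]), ip_address(f["dstip"])
        except (KeyError, ValueError):
            continue  # malformed or truncated line; skip rather than crash
        if dst in own and any(src in n for n in nets):
            hits.append({
                "time": f["prefix"].split(" ", 1)[0],
                "srcip": f["srcip"],
                "dstip": f["dstip"],
                "url": f.get("url", ""),
                "error": f.get("error", ""),
                "statuscode": f.get("statuscode", ""),
            })
    return hits


if __name__ == "__main__":
    for hit in find_hairpin_blocks(SAMPLE_LINES, {"68.184.221.104"}):
        print(f'{hit["time"]} {hit["srcip"]} -> {hit["dstip"]} '
              f'{hit["url"]} ({hit["statuscode"]}: {hit["error"]})')
```

Feed it the real `/var/log/http.log` with the UTM's actual public addresses in `own_public_ips`; any hit is a client that should be served by split DNS or a static host entry rather than sent out through the proxy and back in.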

  • Hi Timothy,

    Convert the DNAT defined to host the web server into a Full NAT. I see web protection blocks the request; define the FQDN in the transparent mode skip list in the MISC tab of filter options.

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • Thank you Sachin. I'm confused. I haven't defined a DNAT, I've used the WAF. Are you saying to remove the WAF configuration for this website and replace it with a DNAT?

    Which host/FQDN would go in which of the two transparent mode skip lists?

  • Hi Timothy,

    Apologies, I misunderstood your question initially. I interpreted that you had hosted the web server externally through DNAT. Give me some time to update you further on this post.

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support

  • Thank you, Sachin, but I have no update - I'm asking for help [:S]

  • 2016:09:28-23:39:02 utm-tcs01 httpproxy[23962]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="192.168.100.51" dstip="68.184.221.104" user="" group="" ad_domain="" statuscode="502" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="2614" request="0x136d9200" url="http://dorothyrocks.com/" referer="" error="Connection refused" authtime="0" dnstime="817" cattime="388" avscantime="0" fullreqtime="4045" device="0" auth="0" ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36" exceptions="" category="9998" reputation="unverified" categoryname="Uncategorized" country="United States" country="United States"

    The log line states that the website is blocked via Default Web Filter profile as the reputation of the website is unverified. You can either configure an exception for the URL or uncheck the reputation option in filter action. PFA screenshot:

    Alongside, if you do not want to use split DNS, how about adding a static entry for the hostname on the UTM? Any help with that?

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support

  • Thank you, again.

    I discovered how to add static DNS entries for single hostnames. Thank you for offering ;)   This is the way I will solve the problem.

    However .... as to your advice for configuring an exception ..... if I understand the routing correctly, only the Default Web Filter Profile is in play at this time, and it uses the Default content filter action, which seems to be wide open ... and the "Block websites with a reputation below a threshold of" has never been checked. If I'm correct in this, then there remains strangeness which I do not understand. Any suggestions?