
Issues with Amazon Echo and Sophos, Quick question.

Hi all,

I am brand spanking new to Sophos firewall, and have been loving everything it's doing for my home network and security.

I monitor my network traffic every day, and feel confident every day that I am in safe hands with Sophos.

So since I added my network switch behind the firewall, made it work with Layer 3 security, and added the Wi-Fi access point to the switch, I had to reset all my Wi-Fi based devices.

All the wireless devices are now behind the firewall, and all that is awesome.

However, the Amazon Echo had some issues: although it would respond to questions, a few things would fail, especially things like setting up a timer. Each time we set up a timer on the Echo, it would never go off. Amazon tech support had no idea why this was happening.

While researching here on the forum, I found a similar post from a member complaining about dropped packets.

https://community.sophos.com/products/unified-threat-management/f/web-protection-web-filtering-application-visibility-control/46983/exception-rule-s-for-amazon-echo

Taking the advice from the other member, I have created a new rule:

Internal (network) --> Any --> Internet IPv4.

After having done so, the Amazon Echo is now working perfectly as desired. No issues with timers or alarms either.

However, I am a bit paranoid about this rule. Is it safe enough? I am opening up the internal network to any IPv4 network on the internet.

Do I need another, more finely granular rule for the Amazon Echo itself, and delete this generic rule?

I just don't want to open up a huge Pandora's box for one bit of functionality on my device and expose my home network to hackers.



  • The rule above does what it says on the tin. It allows access from your internal network to any network on the internet using any service.

    That's it. It does not allow anybody from outside to initiate a connection to anything on your internal network. It's basically the same as what most consumer routers do for ease of use.

    Now, the only issue with the rule is that if you get malware on your internal network eg via email or a download, that rule will apply to the malware. Once activated, it will be allowed to communicate to anything on the internet. Once it has established a connection outbound, the peer at the other end will be allowed to connect inbound.

    It sounds as though you are new to all of this and you are asking some very valid questions with regards to security which mostly go over people's heads. I imagine you will start tinkering with this and have a bit of fun, so the golden rule with firewall rules is:

    The rules are queried from a top-down position, ie it will try rule 1, then rule 2, then rule 3 etc. The important bit: it will keep going until it matches a rule and then stop and will not query the rules anymore. If no rule is matched, it gets to the bottom of the rule list which normally has an explicit deny rule, ie the packets get dropped which results in no connection.

    So in your above example, if your new rule is at the top, it doesn't matter if you put a tighter rule underneath as the first one will match.

    Now, you can put a rule above that, eg internal > http > internet. Now everything on your internal LAN using http will work with this rule.
    Will it block the other traffic? NO, because anything using https, for example, will not match the first rule but will then try the 2nd rule, ie internal > any > internet, and will then match that. If you disable this rule (by using the slider), you will then find that all other traffic will be blocked.
    WHY? Because it has tried the first rule and has no match and then finally gets to the bottom and hits the implicit deny rule.

    If you grasp this concept, you will have great fun with FW rules although they can get complicated as you build them.

    Please remember that as you enable other features on the UTM eg web proxy, that they can have a bearing on what is allowed through eg web traffic flows but no FW rule to allow it.

    There is also a thread on this forum that is called RULZ which people have taken a long time and effort to put together. It is an extremely valid piece of information with regard to the UTM and my advice would be to read it and then read it again. It will make your life so much easier if you are aware of what I call the UTM gotchas......

    Have a great time with the UTM and remember it can be as complicated or as simple as you want. Strive for the latter to achieve the former.
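The top-down, first-match behaviour described in the reply above, as an added example that is not part of the original post or Sophos code: a small simulation of a rule list with the narrow http rule placed above the poster's broad "Internal > Any > Internet" rule, a slider to disable a rule, and the implicit deny at the bottom. The network and service names are constructed stand-ins for UTM definitions.

```python
# Added example (not Sophos code): simulating the top-down, first-match
# rule evaluation the reply describes, with the implicit deny at the bottom.
# Network/service names are constructed stand-ins for UTM definitions.
from dataclasses import dataclass
from typing import List


@dataclass
class Rule:
    name: str
    source: str           # e.g. "internal"
    service: str          # e.g. "http", "https" or "any"
    destination: str      # e.g. "internet"
    enabled: bool = True  # the on/off slider in the UTM rule list


@dataclass(frozen=True)
class Packet:
    source: str
    service: str
    destination: str


def matches(rule: Rule, pkt: Packet) -> bool:
    """Every field must match; 'any' on the rule side is a wildcard."""
    return all(want in ("any", have) for want, have in (
        (rule.source, pkt.source),
        (rule.service, pkt.service),
        (rule.destination, pkt.destination)))


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """Walk the rules top down and stop at the first enabled match.
    Nothing matched means the packet reaches the implicit deny."""
    for rule in rules:
        if rule.enabled and matches(rule, pkt):
            return f"allow:{rule.name}"
    return "drop:implicit-deny"


# Constructed rule list mirroring the reply: a narrow http rule placed
# above the broad "Internal -> Any -> Internet" rule from the question.
RULES = [
    Rule("web-only", "internal", "http", "internet"),
    Rule("echo-workaround", "internal", "any", "internet"),
]

if __name__ == "__main__":
    for pkt in (Packet("internal", "http", "internet"),
                Packet("internal", "https", "internet"),
                Packet("internet", "http", "internal")):
        print(pkt, "->", evaluate(RULES, pkt))
    RULES[1].enabled = False  # flip the slider: https now falls through
    print("https after disabling:",
          evaluate(RULES, Packet("internal", "https", "internet")))
```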

  • Thanks for your replies, this makes so much sense. Your replies surely motivate me to look deeper into network security with passion and dedication rather than an urge to follow the crowd and install/set up layers without understanding them.

    I really want to tighten this one rule I have created for the Amazon Echo to work.

    I was thinking, is there a way I could find the logs or packets that the Amazon Echo sends and receives each time I ask the Echo for timers, alarms and other generic questions?

    This way, I can allow only those protocols and packets out of and into the network?

    If you or anyone else here can help me find/locate where I can get that data, I can post some screenshots or logs only for the Amazon Echo traffic; and if you let me know how I can go about just enabling those rules/packets, it would be great. This way I can disable the previously created generic rule.

    I am sure other members coming here in the future with similar issues will find these tips useful when looking online here on the forum as well.

  • There are a raft of logs within the UTM eg firewall, web protection etc depending on how you have set it up.

    With regards to where the Echo is going, I suspect that you may find that not as straightforward as you think, as it will probably go to multiple addresses on multiple ports.

    Yes, it could be locked down but it might take a little effort eg echo > echo ports > echo sites

    If you are using just the firewall, click into that and you will find "Open live log" near the top. Open that, make your connection on the echo and watch the logs. You might have to enable "log this connection" in your firewall rule as the UTM will only log blocked connections until told otherwise.

    If using web protection ie the web proxy, you need to click in there and open that log and then use your echo to see where it's hitting.

    Alternatively (and the best way) is to SSH into the UTM and use tcpdump with the Echo IP as the source. It's a more advanced way but it's much cleaner and will give you the info you want.
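A way to turn the tcpdump capture suggested above into the destination/port list a tighter rule would need, as an added example that is not part of the original post or Sophos code. The capture lines are constructed, the Echo is assumed to sit at 192.168.1.50, and the outside destinations are drawn from documentation address ranges.

```python
# Added example (not Sophos code): summarising which destinations and ports
# one device initiates connections to, from tcpdump -n output such as
#   tcpdump -n -i eth1 src host 192.168.1.50
# The Echo address and every capture line below are constructed.
import re
from collections import Counter
from typing import Iterable, Optional, Tuple

# Matches "HH:MM:SS.us IP src.sport > dst.dport: rest" as printed by tcpdump -n.
LINE = re.compile(
    r"^\S+ IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): (.*)$")

Flow = Tuple[str, int, str]  # (destination ip, destination port, protocol)


def parse_line(line: str) -> Optional[Tuple[str, Flow]]:
    """Return (source ip, flow) for one tcpdump line, or None if not IPv4."""
    m = LINE.match(line.strip())
    if not m:
        return None
    src, _sport, dst, dport, rest = m.groups()
    # Assumption for this summary: TCP lines carry "Flags [...]", the rest is UDP.
    proto = "tcp" if "Flags [" in rest else "udp"
    return src, (dst, int(dport), proto)


def summarise(lines: Iterable[str], device_ip: str) -> Counter:
    """Count (destination, port, protocol) flows initiated by device_ip.
    Replies and other hosts' packets are skipped, so the keys are exactly the
    destinations a narrower 'echo > echo ports > echo sites' rule must cover."""
    flows: Counter = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[0] == device_ip:
            flows[parsed[1]] += 1
    return flows


# Constructed capture: Echo at 192.168.1.50, another LAN host at 192.168.1.77.
SAMPLE = """\
10:01:02.000001 IP 192.168.1.50.49152 > 192.0.2.10.443: Flags [S], seq 1, win 64240, length 0
10:01:02.000002 IP 192.0.2.10.443 > 192.168.1.50.49152: Flags [S.], seq 2, ack 2, win 65535, length 0
10:01:02.000003 IP 192.168.1.50.49152 > 192.0.2.10.443: Flags [.], ack 1, win 64240, length 0
10:01:03.000001 IP 192.168.1.50.41000 > 192.168.1.1.53: 12345+ A? example.invalid. (33)
10:01:04.000001 IP 192.168.1.50.49153 > 198.51.100.7.443: Flags [S], seq 5, win 64240, length 0
10:01:05.000001 IP 192.168.1.50.50000 > 203.0.113.9.123: NTPv4, Client, length 48
10:01:05.000002 IP 192.168.1.77.33000 > 192.0.2.10.443: Flags [S], seq 9, win 64240, length 0
"""

if __name__ == "__main__":
    for (dst, port, proto), n in sorted(summarise(SAMPLE.splitlines(), "192.168.1.50").items()):
        print(f"{dst:16} {proto}/{port:<5} packets={n}")
```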
