This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

WAF doing unwanted SNAT

I am running 8.309, and running a web server behind a Web Application Firewall.

The web server has its own firewall as well, and I want it to be able to select based on the source address.

Unfortunately, the WAF changes the source address to that of the interface in the Astaro that faces the real web server (192.168.x.x). This is the SNAT mentioned in the title. It stops me seeing the real source address, so I cannot do what I need to do.

I have checked "Pass Host Header" in the definition of the Virtual Web Server, but that does not seem to do what I would expect.

Why is the Astaro doing this? I assume it does not have to.

Is there anything I can do?

Does V9 behave differently? I cannot see anything in the documentation which would indicate a difference.

This thread was automatically locked due to age.

0 Scott_Klassen over 11 years ago

WAF is a proxy, so it will re-address. The original IP will be added into the HTTP_X_FORWARDED_FOR header, which is where your web server needs to look for this information.

__________________
ACE v8/SCA v9.3

...still have a v5 install disk in a box somewhere.

http://xkcd.com
http://www.tedgoff.com/mb
http://www.projectcartoon.com/cartoon/1
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 11 years ago

Scott's implication is that the firewall of the web servver can't be used to do what you want. If you want to drop some traffic to the webserver, you'll need to DNAT it to nowhere before it gets to the proxy. I say a DNAT instead of a Firewall rule because of what I call Rule #2:
In general, a packet arriving at an interface is handled only by one of the following, in order:
DNATs first, then VPNs and Proxies and, finally, manual Routes and Firewall rules.

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel
0 peterkieser over 11 years ago

If you're running Apache, you can use mod_rpaf in Apache 2.2 or mod_realip in Apache 2.4.

For IIS see http://www.sf-tools.net/Messaging/tabid/55/EntryId/136/Log-Client-IP-Address-With-Custom-Http-Header.aspx
Cancel
Vote Up 0 Vote Down

Cancel
0 mmather over 11 years ago in reply to Scott_Klassen

WAF is a proxy, so it will re-address.

Why does it have to re-address?
Cancel
Vote Up 0 Vote Down

Cancel
0 BarryG over 11 years ago

Because it's a proxy; it's just how they work.

If you can't live with that, turn off the WAF and use DNAT.
You'll lose the WAF filtering but will still get some protection via the IPS.

Barry
Cancel
Vote Up 0 Vote Down

Cancel
0 mmather over 11 years ago

OK, so why does it have to be a proxy?

And now I realise I need to know precisely what WAF filtering does.

Oh, and is it possible that versions before UTM 9.0 don't put the original address in HTTP_X_FORWARDED_FOR? We're running 8.309 and didn't find it.
Cancel
Vote Up 0 Vote Down

Cancel
0 BarryG over 11 years ago

It blocks attack patterns within the HTTP protocol layer.

Astaro is using Mod_Security, there is more information at
ModSecurity: Open Source Web Application Firewall - ModSecurity: Overview

I'm not sure which versions of ASG have HTTP_X_FORWARDED_FOR.
Where did you look for it? I'd recommend using a sniffer such as ngrep.

Barry
Cancel
Vote Up 0 Vote Down

Cancel