Thread Info
  • State Verified Answer
  • +1 person also asked this people also asked this
  • Locked Locked
  • Replies 12 replies
  • Subscribers 2 subscribers
  • Views 28396 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Webserver protection vs Firewall nat rules

nf
I was only successful using the webserver protection option to setup an internal webserver with its own external static ip address. For some reason using various NAT rules/firewall rules I couldn't succeed. Very basic setup, is that the only way to setup webservers?

my example:  firewall external  ip address  xx.***.***.5
webserver via external:  xx.***.***.6
used dnat rules to take traffic from any, using http, to external (.6) change dest to internal webserver, service to http

also, noticed that using webserver protection doesn't create any firewall rules?


This thread was automatically locked due to age.
  • 0
    Check #3 through #5 in Rulz.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson
    must be missing something since I went through rules 3-5 and everything looks fine. I do see it passing though fine in the firewall log?  .251 being my external ip address for the webserver.

    09:17:08  NAT rule #2  TCP    
    70.192.2.180  :  9499
    → 
    66.210.118.251  :  80
      
    [SYN]  len=64  ttl=44  tos=0x00  srcmac=0:24:c4:5e:2e:89  dstmac=0:1a:8c:50:18:25
  • 0
    I guess I don't understand your original complaint/question.  Maybe #2 in Rulz addresses it? 

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson
    maybe this will explain it better. If I use webserver protection in the utm and setup the virtual webserver and the real webserver. I can communicate with my internal webserver through a static ipaddress/external DNS..everything works fine. If I don't use that option and try to use nat and firewall rules, I see the packets getting to the internal webserver from the outside but no return traffic
  • 0 in reply to BAlfson
    maybe this will explain it better. If I use webserver protection in the utm and setup the virtual webserver and the real webserver. I can communicate with my internal webserver through a static ipaddress/external DNS..everything works fine. If I don't use that option and try to use nat and firewall rules, I see the packets getting to the internal webserver from the outside but no return traffic
  • 0
    Are you testing from inside the UTM?

    Testing the DNAT'd external IP from a devices behind the same network won't work. DNAT just changes the destination IP, not the source, so the webserver will broadcast the reply directly back to the client device. Because the client was expecting a reply from the public IP, not the server, the server's reply get's rejected.

    WAF may behave differently in that regards, something Bob or another expert can confirm.
  • 0 in reply to TheDrew
    actually testing from my phone and a laptop on a hotspot. yeah, I know the existing cisco Pix behaves the same when testing.
  • 0
    actually testing from my phone and a laptop on a hotspot. yeah, I know the existing cisco Pix behaves the same when testing.


    That's a common enough problem when testing NAT's. If you were interested in doing that, you'd setup a second Full NAT, that changes both source and destination IP's in one shot. You lose any value from logging as the internal connections show as the firewall but if basic stats is all you need, then it's not a concern.
  • +1

    Not sure that I can help with your question, but I can strongly recommend that you put a WAF in front of every website published to the internet.  

    If someone creates a bogus reply to your web site, sending 500 text characters instead of the five digits that you are expecting for a US postal zipcode:

    • Will your application handle the attack?  
    • Will your webserver do something crazy before your application even sees the attack?  
    • Do you have any idea how to test for this type of attack?

    The answer to all three are probably "I don't know and I don't want to find out by surprise."  

    WAF is the defense that saves you from these types of attacks.

    Test your WAF configuration to ensure it is locked down as tightly as possible without breaking something.  In case you have not seen this elsewhere my process is:

    • Set defense mode to Monitor.
    • Test with known-good traffic.
    • Export the logs and review for problems.
    • Fix the problems and retest until it comes out clean.
    • One thing to look for when rigid filtering is enabled:  look for rule ID numbers in square braces [90210].   Add these to the strict filter rule exception list., because they represent false positives.
    • When the test come back with no false positives, switch the firewall mode to block bad traffic 

     

    Then I suggest that you declare success and move on to a different problem.

  • 0 in reply to DouglasFoster

    Excellent suggestions, Doug - thanks!

    Your final point is excellent advice.  I've had two clients get bogged down in getting WAF going.  In both cases, it was because Marketing had higher priority than Security when it came to getting changes made by the web developer.  Using your approach at least would have gotten them some protection.  Some false-positives are harmless, but I think I'd get a list of some of the disabled rules to someone that could get the developer to change the code so that that protection could be enabled.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Unfiltered HTML