DIY Firewall: Sophos UTM: The Basics

By YellowOnline on Saturday 7 November 2015 14:05 - Comments (15)
Categories: Hardware, Networking, Views: 20.509

Warner Bros extorted €1 000 from me a while ago because of a 3-second upload of Vampire Diaries - that rubbish, of all things ... - from my network. If I didn't pay, they threatened to sue me into bankruptcy for the rest of my life with their army of lawyers.

I hope to have my revenge on them, or at least on the bloodhound lawyers they send after me, one day; but in the meantime I just want to prevent this very unfortunate episode from happening again.

Looking for a way to block torrents on my network, which includes myself, my visitors and most of my neighbours, I decided to install a real firewall.

Firewalls are expensive. We're not talking about a software application blocking traffic on specific ports on your computer, but about a dedicated hardware device capable of analyzing all traffic going over it in real time. Most of these devices cost upwards of €500 or even €10 000+, depending on whether you need a SOHO product or a full-blown enterprise-level firewall. And all of this needs an expensive yearly license on top of the hardware.

So what options do "prosumers" have? Well, the Sophos UTM seems to fill that gap. Sophos sells its own hardware for the SOHO market, but made the software free to download and gives you a full license for up to 50 users for free. That also includes their antivirus for up to 12 users.

Basically, you can build your own hardware, install their image and have a professional, highly customizable firewall with free antivirus on top of it for free. I'm skeptical about altruism from big companies, so I wonder what their long-term strategy is. Getting a bigger share of the market? Anyway, for the time being, this is an unbeatable deal. For protecting my own 5 devices plus server with ESET I paid €200 last year - the server license is 75% of that price. For half the price in hardware as a one-time investment, I've got a lot more bang for my bucks now.

A short overview of its advantages and disadvantages:

Positive
  • Full network control
  • Options galore, including your own VPN
  • Dirt-cheap
  • Very well documented and community-supported (Astaro forums)
Negative
  • You'll need to be knowledgeable about networking or at least ready to invest time in it
  • Expect a performance hit, depending on hardware
  • Wifi not directly manageable, unless you use Sophos Wifi (€€€) - but you can just connect an AP of course
Talking about hardware: the hardware you need for your own UTM can be as heavy as you make it. I kept mine light for both financial and ecological reasons; and because I seldom expect more than 10 concurrent users. Still, a minimal machine will cost you about €300 in parts. Fortunately, I found a great deal on e-bay.

Read on for more about my hardware and a step-by-step guide for getting the Sophos UTM's basic functions working right away. Before continuing, however, be aware that this page contains about 50 (resized) screenshots and you might think twice before opening it on your mobile phone. :)





I. HARDWARE

So, first the hardware. This is not a guide, just a quick introduction to what I use. Most people use a virtualized UTM on ESX by the way, so you can consider that if you don't want to invest money in hardware.

When I started looking to build my own system, I was quickly disappointed about how much money I'd have to invest and what kind of big machine I would end up with. It'd be a barebone with a µITX, an Atom or so processor, 4GB of RAM and at least two NICs. Something like my own server, a Fractal Design Array R2 Mini with an Asus P8H61-I mini-ITX. But that was an expensive thing - Fractal isn't cheap - and was still way too big to fit where I wanted it to.

I had the luck to stumble upon a second hand Securepoint Terra Black Dwarf UTM WiFi. They go for about €500 these days and need (again) an expensive subscription, but it is basically a mini-computer that can run a custom OS and I could get it for €100. For that price, I couldn't build it myself. It has 3 Gigabit NICs on-board, 3G (not that I needed that), Wifi (that I couldn't use, but more about that later), a 32GB SSD, a Lexcom LEX 3V900D Rev 0.2 mainboard and 4 GB DDR3 RAM and a VIA Nano U3500 1GHz processor. Good enough for my usage and consumes an acceptable 20W under load. (I did find out that the seller added more RAM and a bigger SSD: specifications say it would have only 2GB RAM and a 4GB SSD).

Meet the Securepoint Terra Black Dwarf UTM. It might have its own great (but obscure) software too, but I've never seen it as I wiped the SSD as soon as I got it. It's worth being paranoid when buying network devices second hand from people who tend to know their trade :)

http://static.tweakers.net/ext/f/pTnQeeDOFKWuldsV8ApZMDy1/full.jpg

3x Gigabit NIC, 2x WLAN antenna, 1x UMTS antenna, 1x VGA, 2x USB 2.0 (and a power button and DC connection too, obviously).

http://static.tweakers.net/ext/f/mdsNKyiOCRYCaqFX40zHqgCQ/full.jpg

What do we do with new electronic toys? Disassemble them of course! I'm not sure if the SSD is really supposed to just lie on top of the other hardware without bracket or anything - probably something is missing here - but apart from that it all looks neat.

http://static.tweakers.net/ext/f/W0Z6otKzze7zsyaX7buHUfJV/full.jpg


II. SOFTWARE - Installation

First, get the ISO. Download UTM v9 software appliance ("ASG") from Sophos' site. Yes, also if you'll install it on dedicated hardware. The UTM v9 hardware appliance ("SSI") is only meant for Sophos' own hardware. I'll admit the nomenclature is confusing.

Another must-know: install the software from a (virtual) CD-ROM. The installer is very unforgiving and terminates on the slightest error. Installations from USB always end up with errors, presumably because the read speed is simply too high for the installer. Stupid, I know, but not a big issue in the end. Everyone has a CD drive on USB lying around... right? ;)


Boot it up, baby:
http://static.tweakers.net/ext/f/2P1Jm2qMwfDEsE7sSllXWyyB/full.jpg

Press Start to continue (duh). I hope that you *are* aware this installation will delete all existing data. If you weren't, I doubt that installing this product is a great idea to be honest.

http://static.tweakers.net/ext/f/Q0kov7ycYBeybH3D5TkXvInV/full.jpg

How about OK? Nothing else you can do on this hardware overview.

http://static.tweakers.net/ext/f/VobFUmoaI3k0ISrajKwsXZHb/full.jpg

Select your keyboard layout.

http://static.tweakers.net/ext/f/tOgmftF8EO7SKF7TZuOc4Nl1/full.jpg

Belgians beware: the Belgian AZERTY is not an option, only the French AZERTY. The letters are the same between them, but some special characters are different!


French
https://upload.wikimedia.org/wikipedia/commons/b/b9/KB_France.svg
Belgian
https://upload.wikimedia.org/wikipedia/commons/4/41/Belgian_pc_keyboard.svg

This can have consequences for your password. Better create a simple one like "abc" initially and then change it in the webinterface later.

But back to our install. The next menu options do not need commentary.

http://static.tweakers.net/ext/f/1tevecMwCi33qLpif6VSDQIb/full.jpg

http://static.tweakers.net/ext/f/JCN49Sj5KTnReagDJ7BSbvpG/full.jpg

http://static.tweakers.net/ext/f/wvLDVeaOAkp31qe0lUD1U12d/full.jpg

Please be aware of the choice you make here.

http://static.tweakers.net/ext/f/lV9xZrTCv9LSb72Ce9CS9bNn/full.jpg

Here comes your first design decision, even though you can change it afterwards of course. Choose the address of your firewall. Contrary to what you see in the image, I changed it to the traditional 192.168.100.1 for gateways (from the client's perspective), as I'll be running DHCP and DNS on it as well. The gateway for our firewall is the modem or whatever other device you have in front of the firewall.

http://static.tweakers.net/ext/f/HEfyeDxsWh100OFsFf7Qxgcl/full.jpg

If you have an x64 capable machine - in 2015 you should - install the x64 kernel for better performance.

http://static.tweakers.net/ext/f/iDgHWeOEK6IsMvfvih9wLKCQ/full.jpg

Here's a choice that isn't really a choice - accept! Astaro was the name of the company who owned this software before Sophos bought it by the way.

http://static.tweakers.net/ext/f/eVAH3aM95CS9RaSLLVRvZkv0/full.jpg

Are you really, really sure you want to remove all of your pictures of babies and cats?

http://static.tweakers.net/ext/f/I0KVBpihVjgY1Az7OJXvyGtf/full.jpg

Alea jacta est. Sorry, I've been reading Mary Beard's excellent SPQR, a history of the Roman empire, that should be released next Monday according to Amazon - even though they managed to send me the book two weeks ago already. Quid?

http://static.tweakers.net/ext/f/3qjWN8IoaWff11Zo7il6f4NL/full.jpg

I didn't take pictures of all six steps, because you can't interact anymore anyway, except if things would go wrong - like if you used a USB stick, ignoring my advice at the start about using a CD. Tsk. Tsk.

But here we are:

http://static.tweakers.net/ext/f/TzueIqSG4oKVoHHQMC1xe32U/full.jpg

Let's reboot. Ignore the address in the screenshot (remember I chose 192.168.100.1), because the pictures are from different attempts at installing. Yes, because I did try it from USB a few times first. Haha. Joke's on me. Meh.

http://static.tweakers.net/ext/f/TaRw3EYvEBTZOwEFgqrBuGJh/full.jpg

Sophos UTM boots...


http://static.tweakers.net/ext/f/lZ2ooJxr8xwrEHYsUy9MVIKk/full.jpg

And when finished booting it will show a usual UNIX prompt (ignore the address in my screenshot, cf. the previous step).

http://static.tweakers.net/ext/f/FQVdZXEzhcuOfT2ltLtbJCpX/full.jpg

We do not need to log in here. It'll stay in this state, unless for one reason or another we need to do troubleshooting directly in the OS. Which I had to do because my password didn't work due to keyboard layout confusion. Pfff. I run into trouble for you guys so you don't have to make the same mistakes.

From now on, all configuration takes place in the web interface.



III. SOFTWARE - Initial Configuration

Here's the difficult part. The software has been described on another blog as "draconian". Basically, whatever is not explicitly allowed does not go through. You'll need to customize according to your environment, which means finding out the protocols and ports of every application that needs to communicate outside of the LAN. That sounds easier than it is. Trust me: I spent three days trying to get Steam working and it still doesn't work. :( I'll have to figure out Citrix too this weekend, so my wife can work from home this week.

Warning: I will use the Sophos UTM as a DHCP server. Disable DHCP on your routers so that they become switches or access points. Two DHCP servers serving the same range does not end well.

Let's get started. We need to connect to https://<device IP>:4444. In my case that is https://192.168.100.1:4444. To be able to do this without DHCP, we need to set an IP address in the same range manually. Open your network connections.

http://static.tweakers.net/ext/f/dWa7yD5tD75qchCkdcg0yuJ7/full.jpg

Right-click the NIC you will use, click Properties, select Internet Protocol Version 4 (TCP/IPv4) and click Properties again. Enter an address in the range of your UTM. Do not use exactly the same address, like I did in this screenshot. It messes up your network and won't work. I can honestly say I didn't do this - it's just a bad screenshot :) The last digit can be anything except the one your UTM has. There's something funny about choosing the one address out of 256 I shouldn't have chosen for my screenshot. Oh well.

http://static.tweakers.net/ext/f/NOrmYQ2ApN286ekXcqccZRPT/full.jpg

You can expect a certificate error here. Just ignore it (and ignore the address again, because, as I said, the screenshots come from different installs).

http://static.tweakers.net/ext/f/SqZRhaYIcjiTodwGpmRyxZwD/full.jpg

Here we go.

It's pretty clear what to fill in. Don't forget, however, to use a FQDN for the host name. Also choose an admin password. That is not the same as the root password you had to choose during the setup. This is the password you will use to log in to the web application as admin. You can make additional users too by the way, but at home that's probably not necessary, presuming you manage the UTM on your own.

http://static.tweakers.net/ext/f/xHEewbFyTD7LZm5liN6b60gR/full.jpg

You have the opportunity to use your brand-new password right away. This login screen you'll see more often the coming days.

http://static.tweakers.net/ext/f/N1XMwKHsqnUDGcWKaH5elFCp/full.jpg

Except if you have a backup - which you don't, or you wouldn't be needing this blogpost - you just continue on this screen.

http://static.tweakers.net/ext/f/d5EECz7YLipckdNHV63zUyvB/full.jpg

I got a basic license from the Sophos website. I also got a free home license that unlocks all features, but for the initial install I was just curious to see what comes out of the box if you don't have a real license at all. If you leave this empty, you will get a 30-day trial license. Don't: this is a paid license that will expire after one month. It can screw up your installation due to very small differences when falling back to the basic features after the trial. Also, it configures some basic things that I prefer to do myself, just to keep an overview. Just get the basic license. You'll get your free home license at the same moment. You could as well install that one right away I guess, but I chose to do it in two steps.

http://static.tweakers.net/ext/f/tX0jsVmAKE4CJ25qtJNoCFjn/full.jpg

Yes, my screenshots still have the wrong IP address. Choose - again - the IP address of the firewall. This will be already the right IP address if you chose the right one right away during the initial setup. It is a good moment however to enable DHCP and the range it should serve.

http://static.tweakers.net/ext/f/b9KwQiwOMiMREH4F54ZUNznI/full.jpg

The whole point of a firewall is to control the traffic between our LAN (= local network) and the WAN (= the internet). So we need to configure our uplink. This configuration depends on the device in front of the UTM. In most cases, however, another modem/router will take care of the internet connection and you only need to connect an ethernet cable between that machine and the UTM. I configured my modem to reserve an address for my UTM, but most people will have a DHCP server on the modem/router and can just use dynamic here instead.

http://static.tweakers.net/ext/f/UXge5xwgMU5CBwBffQSdyStz/full.jpg

We could also do the initial configuration now of all different features the UTM has. Because I started with the very basic license, however, all of them are unavailable for now. We'll take care of that later.

http://static.tweakers.net/ext/f/STL1U8QTk0HLGhJOBfrkOXsu/full.jpg

http://static.tweakers.net/ext/f/7y5EtvgLWjodwjOZEq0S1XhP/full.jpg

http://static.tweakers.net/ext/f/jbXbRutrKqsxin6djMNTqxpH/full.jpg

http://static.tweakers.net/ext/f/L9Dsn1Ouvz36FcbBlmStmg6D/full.jpg

Congratulations: you just finished the very beginning of your Sophos UTM setup.

http://static.tweakers.net/ext/f/UgoZdcQ5NsrosDUH0CQMdPAI/full.jpg


IV. SOFTWARE - Basic Configuration

This is our dashboard, containing an overview of some high-level information about our network. It is also the default landing page once you log in.

http://static.tweakers.net/ext/f/zTvKSf7Fy9mHOSnVyvC78xNr/full.jpg

I'll go to Management -> Licensing now to install the Free Home License. Grab one here: https://myutm.sophos.com/.
http://static.tweakers.net/ext/f/M6dT8HFlUmzn6qMaetiAmKgw/full.jpg

You will get all of the features a paid license offers, except the possibility to customize logos and such on warning pages or notification e-mails. It'll remind you of that when switching license.

http://static.tweakers.net/ext/f/olbjEP0qtrYcd1D77QDq1Iyw/full.jpg

A new overview shows all features (license-wise) as enabled.

http://static.tweakers.net/ext/f/YVYoeqv8HsWZAGVF9fpHVXb9/full.jpg

Now it's time to configure a few things so we can start using our UTM and, at this point, use the internet. Unconfigured, right now, you can't do anything. All traffic outside is blocked. I hope you have this blogpost cached, because you can't reach me :)

Go to Interfaces & Routing -> Interfaces. Notice the switches next to the interfaces. As much as you configure them: if you don't turn it on, it won't work.

http://static.tweakers.net/ext/f/CIYz3sL4U32ZDzQxLAm79Aoo/full.jpg

Configuring an interface is not rocket science: give it a name, choose the type (this will be Ethernet in 99.9% of the cases), select the hardware port this interface refers to and so on. Note that the numbering on your device does not necessarily relate to the numbering inside the UTM. In my case it does, but I can imagine it being reversed in other setups.

http://static.tweakers.net/ext/f/SK9LeiIVaPsJACp1HYnDTwTE/full.jpg

The WAN side is the one that goes out to your modem. This should also be your default gateway in most cases. I won't discuss exceptions here, as you don't need advice from me if you have a different gateway. In Advanced I entered my theoretical bandwidth, but this is more aesthetic than practical.

http://static.tweakers.net/ext/f/6wuC7y1Nf84ti7lPKDBg1ouX/full.jpg

Next is DHCP. Assuming you do not want to assign static addresses to every single device (although I do for non-visitors), you'll need this or devices won't get an IP address.

http://static.tweakers.net/ext/f/rfguajRgtdLkNtgOZyDVkJx8/full.jpg

DHCP, too, is quite straight-forward. For a given interface, you define ranges (this was already done during the initial setup if everything went right by the way) and DNS servers.

DNS servers are the servers that translate names into IP addresses. Usually you can just point it to your gateway (the modem/router, 192.168.0.1, in my case) that will have at least the DNS servers from your ISP configured. Because I'm running DNS on the firewall itself (.1) and on my Domain Controller (.2), I'm putting those here. A bit of redundancy, yes.

http://static.tweakers.net/ext/f/xhMzyhxudYIBUpLZvPACB2JB/full.jpg

The real fun is the firewall itself of course. Go to Network Protection -> Firewall. You can see the very basic firewall rules I created.

http://static.tweakers.net/ext/f/AmgJ67l933Rl6GpeVNLKU4x1/full.jpg

The very first one was obviously web surfing, i.e. allow traffic on ports 80 (HTTP), 443 (HTTPS), 8080 (HTTP Proxy) and 3128 (HTTP WebCache). Some very common services like these are preconfigured. There are also groups of services. The aforementioned services are all part of the existing group Web Surfing. Existing groups can be changed of course. There is a group for e-mail too, but it did not include the TLS port I need for my e-mail provider. I just created a service for it and added it to the group.

My illustration is however from the Web Surfing, because that is the absolute minimum you will want to be able to do with your internet connection. The principle of a firewall is simple: <FROM> <WHAT> <TO>.

In this case, we allow traffic <FROM? Both of my LAN interfaces> <WHAT? Web Surfing> <TO? Wherever>

http://static.tweakers.net/ext/f/GmrLyMCWWqibksRRIniLtWkK/full.jpg

Just like the services, sources and destinations exist preconfigured and can be changed, removed, added or grouped. All of this happens in Definitions & Users. As an illustration, I show you the Network Definitions. This is also the place where you can assign static IPs.


http://static.tweakers.net/ext/f/iw8vKkuU0rwSCgfsOP34dDL2/full.jpg

Also be sure to enable Network Protection -> Intrusion Prevention...

http://static.tweakers.net/ext/f/1UqL2aQJXrFs6r1XeIakWkOX/full.jpg

... and Network Protection -> Advanced Threat Protection. Both do not need configuration - although you can - and work out of the box.

http://static.tweakers.net/ext/f/DWH0YdMwqBqtvDcAh5nz54XK/full.jpg

But let's get back to our basic stuff. Web Protection -> Web Filtering, for example. I'm not in favour of censorship, so I allow my users to look-up whatever they want. I do enable it however, because there's more you can do here. I'll display a warning page for example if they are about to enter a suspicious site, e.g. for viruses.

There's little you can't do here - including logging every single GET your users make on the internet. If you want to be Big Brother or run your own virtual China, this is the place. I won't discuss all possibilities. They're very self-explanatory anyway.

http://static.tweakers.net/ext/f/Ax2g48PK6vYYEnK5hywZdAP7/full.jpg

I also like to block attachments that I do not trust. The default list included .exe and .msi too - I removed them, because although they are an attack vector, you need that stuff if you want to use your computer and I can't really forbid my neighbours to install software on their machines, even if it is potentially harmful. I would just have more false positives than false negatives.

The stuff I block, on the other hand, is most of the time malware. When did you last see a non-viral .scr, .pif or .com? In 1995? Same goes for scripts. Hell, if I want a script from the internet, I can just copy/paste it instead of downloading it.

http://static.tweakers.net/ext/f/jgqiu2z5l4sVqpQ8LJJTbHFB/full.jpg

Another cool feature is Web Protection -> Application Control. This was actually the reason I started this whole project. Application Control and Web Filtering come on top of the firewall, i.e. if the traffic is allowed through the firewall, it is analyzed by Web Filtering for plain web content and by Application Control for application content. Torrents are the best example: there's no firewall rule that can stop them, because they can use SSL to hide themselves. Blocking the SSL port (443) would do more harm than good (note that you can also do a man-in-the-middle from your UTM as a very dirty solution), and the torrent client would just use another port anyway. Web Filtering won't stop it either, because it's P2P traffic and cannot be categorized according to website rules. Applications all have a digital fingerprint in their traffic though, and because of that Application Control can intercept it. The software just needs to know the fingerprint, which it updates a few times per day from Sophos. That's not a 100% foolproof system, because a 0-day torrent client would still pass, but that's as good as it can realistically get in web technology.

http://static.tweakers.net/ext/f/jzYEynMjMC4PtR5ECwVkOis6/full.jpg

Finally, there's Endpoint Protection. Well, 'finally', ... there's plenty of more stuff like Email Protection, Webserver Protection etc., but I won't go into that here because those things are out of scope for this blogpost.

The Endpoint Protection is your own centrally managed antivirus console. Enabling it will give you a link with a client you can install on all of your (Windows) machines - yes, on servers too. You can then manage them from the webinterface, block access to peripherals (not that I'd do that) and more. It's really easy and free. As a bonus, you can deploy the clients to machines outside of your network to manage them from here. A good moment to remove your mother-in-law's useless out-of-date Avast! and replace it by something better.

http://static.tweakers.net/ext/f/azDbmzsGjGb4JXtKEi5FmDUf/full.jpg


V. ANNEX A: Wireless

"Hey, YellowOnline, your box has these fancy antennas for wifi and 3G but those interfaces don't show up in your UTM?" Indeed, unfortunately. When I bought this, I wasn't aware that the Sophos software recognizes most common NICs (but do check out the Sophos UTM Hardware Compatibility List) but not for wireless cards. They seem to only recognize those branded by Sophos themselves, such as the "Sophos AP series" and they are incredibly expensive for home usage.

So you can't manage the wireless from within the UTM - and Sophos has repeatedly said they won't change this. I won't complain - it's a great free product in the end - but I hope they change this stance in the future. For now, I just converted an old router into an Access Point (there's usually an option for this in there somewhere) and attached it to the LAN port, where it also functions as a Gigabit switch.

Out of curiosity I logged into the Sophos UTM OS of course.

Bash:
loginuser@yellowfw01:/home/login > ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
    link/ether ye:ll:ow:on:li:ne brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
    link/ether ye:ll:ow:on:li:ne brd ff:ff:ff:ff:ff:ff
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc hfsc state UP mode DEFAULT group default qlen 1000
    link/ether ye:ll:ow:on:li:ne brd ff:ff:ff:ff:ff:ff
5: ifb0: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc tbf state UNKNOWN mode DEFAULT group default qlen 32
    link/ether ye:ll:ow:on:li:ne brd ff:ff:ff:ff:ff:ff
loginuser@yellowfw01:/home/login >



Nope, no wifi to be seen there, and lspci doesn't work in this custom Linux distribution. I'm not a Linux specialist, so I don't know if there is an alternative command to list the PCI devices so I can see the WLAN NIC's current state. I guess it won't be as easy as simply installing a driver anyway.

VI. ANNEX B: Common Firewall Rules

... at least for me :) Will try to keep this updated for other Sophos UTM users. I created groups for all of these, except if they existed already as a group out of the box.
Web Surfing
  • TCP - Source: 1:65535 - Destination: 80 (HTTP)
  • TCP - Source: 1:65535 - Destination: 8080 (HTTP Proxy)
  • TCP - Source: 1:65535 - Destination: 3128 (HTTP WebCache)
  • TCP - Source: 1:65535 - Destination: 443 (HTTPS)
Media Streaming
  • TCP - Source: 1:65535 - Destination: 1755 (MMS)
  • TCP/UDP - Source: 1:65535 - Destination: 7070 (RA)
  • TCP/UDP - Source: 1:65535 - Destination: 554 (RTSP)
File Transfer
  • TCP - Source: 1:65535 - Destination: 21 (FTP)
  • UDP - Source: 1:65535 - Destination: 69 (TFTP)
Email Messaging
  • TCP - Source: 1:65535 - Destination: 143 (IMAP)
  • TCP - Source: 1:65535 - Destination: 993 (IMAP SSL)
  • TCP - Source: 1:65535 - Destination: 110 (POP3)
  • TCP - Source: 1:65535 - Destination: 995 (POP3 SSL)
  • TCP - Source: 1:65535 - Destination: 25 (SMTP)
  • TCP - Source: 1:65535 - Destination: 465 (SMTP SSL)
  • TCP - Source: 1:65535 - Destination: 587 (SMTP TLS)
Steam
On my first try this didn't work but on my second Sophos UTM build it worked right away. I also allowed it through Application Control by the way.
  • TCP - Source: 1:65535 - Destination: 27014:27050 (Steam Downloads)
  • UDP - Source: 1:65535 - Destination: 27000:27015 (Steam Game Client)
  • UDP - Source: 1:65535 - Destination: 4380 (Steam General)
  • UDP - Source: 1:65535 - Destination: 27015:27030 (Steam Matchmaking)
DNS
  • TCP/UDP - Source: 1:65535 - Destination: 53 (DNS)
Usenet
  • TCP - Source: 1:65535 - Destination: 119 (NNTP)
  • TCP - Source: 1:65535 - Destination: 563 (NNTP SSL)
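To make the <FROM> <WHAT> <TO> principle and the default-deny behaviour concrete, here is an added example (my own code, not part of the original post and not Sophos UTM code) that models the Annex B service groups as port ranges and evaluates a few constructed flows against a minimal rule set. The network definition names, the 192.168.100.0/24 LAN and the sample addresses are assumptions.

```python
"""Default-deny firewall model built from the Annex B service groups.

Added example: models the <FROM> <WHAT> <TO> rule principle with the service
definitions listed above (source port range 1:65535, destination port or range)
and evaluates constructed flows against it. Network names are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Service:
    proto: str                 # "tcp" or "udp"
    src: tuple[int, int]       # source port range (inclusive)
    dst: tuple[int, int]       # destination port range (inclusive)


def svc(proto: str, dst, src=(1, 65535)) -> Service:
    """Build a service; dst is a single port or a (low, high) range."""
    lo, hi = dst if isinstance(dst, tuple) else (dst, dst)
    return Service(proto, src, (lo, hi))


def tcp_udp(dst) -> list[Service]:
    return [svc("tcp", dst), svc("udp", dst)]


# Service groups exactly as listed in Annex B.
SERVICE_GROUPS: dict[str, list[Service]] = {
    "Web Surfing": [svc("tcp", p) for p in (80, 8080, 3128, 443)],
    "Media Streaming": [svc("tcp", 1755), *tcp_udp(7070), *tcp_udp(554)],
    "File Transfer": [svc("tcp", 21), svc("udp", 69)],
    "Email Messaging": [svc("tcp", p) for p in (143, 993, 110, 995, 25, 465, 587)],
    "Steam": [svc("tcp", (27014, 27050)), svc("udp", (27000, 27015)),
              svc("udp", 4380), svc("udp", (27015, 27030))],
    "DNS": tcp_udp(53),
    "Usenet": [svc("tcp", 119), svc("tcp", 563)],
}

# Network definitions (assumed; the post's LAN has the UTM at 192.168.100.1).
NETWORKS = {
    "Internal (Network)": ip_network("192.168.100.0/24"),
    "Any": ip_network("0.0.0.0/0"),
}


@dataclass(frozen=True)
class Rule:
    sources: tuple[str, ...]        # <FROM>: network definition names
    services: tuple[str, ...]       # <WHAT>: service group names
    destinations: tuple[str, ...]   # <TO>: network definition names
    action: str = "allow"


# A minimal rule set: the LAN may surf the web, do e-mail and resolve names.
RULES = [
    Rule(("Internal (Network)",), ("Web Surfing",), ("Any",)),
    Rule(("Internal (Network)",), ("Email Messaging", "DNS"), ("Any",)),
]


@dataclass(frozen=True)
class Flow:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def service_matches(s: Service, f: Flow) -> bool:
    return (s.proto == f.proto
            and s.src[0] <= f.src_port <= s.src[1]
            and s.dst[0] <= f.dst_port <= s.dst[1])


def in_any(names: tuple[str, ...], ip: str) -> bool:
    return any(ip_address(ip) in NETWORKS[n] for n in names)


def rule_matches(r: Rule, f: Flow) -> bool:
    """All three parts (<FROM>, <WHAT>, <TO>) must match the flow."""
    what = any(service_matches(s, f)
               for g in r.services for s in SERVICE_GROUPS[g])
    return what and in_any(r.sources, f.src_ip) and in_any(r.destinations, f.dst_ip)


def evaluate(f: Flow, rules=RULES) -> tuple[str, int | None]:
    """First matching rule wins; anything unmatched is dropped (default deny)."""
    for i, r in enumerate(rules):
        if rule_matches(r, f):
            return r.action, i
    return "drop", None


if __name__ == "__main__":
    # Constructed sample flows (public addresses are from documentation ranges).
    for f in (Flow("tcp", "192.168.100.23", 51000, "203.0.113.10", 443),   # allow, rule 0
              Flow("tcp", "192.168.100.23", 51001, "203.0.113.20", 587),   # allow, rule 1
              Flow("udp", "192.168.100.23", 51002, "203.0.113.10", 443),   # drop: group is TCP only
              Flow("tcp", "192.168.100.23", 51003, "203.0.113.30", 6881),  # drop: no rule matches
              Flow("tcp", "198.51.100.7", 40000, "192.168.100.1", 443)):   # drop: WAN-side source
        print(f, "->", evaluate(f))
```

Note that UDP on port 443 is dropped even though 443 is in Web Surfing, because the group's services are TCP only; this is the kind of small detail that costs days when an application "should" work.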





There you go. Following this guide, you should have Sophos UTM up and running, with a license and a basic configuration that will give you at least access to the internet. But this is only the beginning: now you'll need weeks to find out which applications of which users no longer work and how you can allow that traffic. Good luck!

Disclaimer: I am not and do not pretend to be a network specialist. I'm just a sysadmin who needs to have a basic knowledge of everything. Unum in regione caecorum rex est luscus. This blogpost is meant to get you started if you're unsure where to start.




This, I think, is the longest post I've made in 5 years. It took me a whoppin' 5 hours too. But you might not hear from me for a while, as Fallout 4 comes out on Monday and I'll have other priorities in my spare time for a while then :+


Comments


By Tweakers user jjust, Sunday 8 November 2015 09:05

Thanks. This is very informative!


By Tweakers user aegis, Sunday 8 November 2015 09:52

Did you also consider any other firewall OS like SmoothWall/MonoWall or pfSense?

By Tweakers user Xudonax, Sunday 8 November 2015 10:19

Nice write-up. I was looking for a nice way to kick that stupid Linksys router off my network, and I guess I just found it :)

By Tweakers user analog_, Sunday 8 November 2015 13:02

FYI: I'm selling a 4 port variation of the same hardware. Has been running VyOS mostly.

By Tweakers user KnoxNL, Sunday 8 November 2015 13:12

Using UTM professionally for over 2 years now, I can safely say this product is not ideal in an enterprise environment.

- Lots of DNS caching problems
- Lots of times where I have had to reboot the appliance for DNS changes on domain controllers to become effective
- Web filtering results in lots of false positives

For home use these are probably things you can live with though.

By Tweakers user YellowOnline, Sunday 8 November 2015 15:03

aegis wrote on Sunday 08 November 2015 @ 09:52:
Did you also consider any other firewall OS like SmoothWall/MonoWall or pfSense?
I did consider pfSense, but we use the Sophos UTM at work, so I saw a possibility to learn about a device that I'll use professionally too.
KnoxNL wrote on Sunday 08 November 2015 @ 13:12:
Using UTM professionally for over 2 years now, I can safely say this product is not ideal in an enterprise environment.

- Lots of DNS caching problems
- Lots of times where I have had to reboot the appliance for DNS changes on domain controllers to become effective
- Web filtering results in lots of false positives

For home use these are probably things you can live with though.
I don't know about the DNS issues. At home it's too early to notice anything going wrong with it and at work (3000 users or so) we have so many DNS issues unrelated to Sophos UTM anyway :+ But about the false positives: that is the same for every other firewall. I used to work with a Juniper firewall - a top-notch enterprise firewall that some governments use - and there you had the same issue. Expecting any product to properly categorize every single web page on the internet (5 000 000 000 are 'known') is bound to disappoint you.

By Tweakers user alm, Sunday 8 November 2015 16:40

KnoxNL wrote on Sunday 08 November 2015 @ 13:12:
Using UTM professionally for over 2 years now, I can safely say this product is not ideal in an enterprise environment.
Which model of UTM are you using? I was looking at Sophos a while ago when looking for replacement options for our current firewalls.

By Tweakers user Pietervs, Monday 9 November 2015 06:12

KnoxNL wrote on Sunday 08 November 2015 @ 13:12:
Using UTM professionally for over 2 years now, I can safely say this product is not ideal in an enterprise environment.

- Lots of DNS caching problems
- Lots of times where I have had to reboot the appliance for DNS changes on domain controllers to become effective
- Web filtering results in lots of false positives

For home use these are probably things you can live with though.
Not my experience. I've managed a Sophos firewall for over 7 years, resulting in a 220-cluster for the last couple of years. DNS was never an issue, getting the correct ports to open for the various applications was much more troublesome.

Have you contacted support? In my experience they're very good and know what they're doing.

By Tweakers user Shuriken, Monday 9 November 2015 11:09

UTM seems to contain only the wireless drivers ath9k and ath10k. So it should be possible to use an Atheros Wireless card.

By Tweakers user HellStorm666, Monday 9 November 2015 13:50

Have used Sophos too in a business environment.
The 50 users free isn't 50 users, but 50 IP addresses. And if a machine has one IPv4 and 3 IPv6 addresses, that machine counts as 4 "users".

P.S. M0n0wall has stopped.
Opnsense is the successor, or pfSense.

We switched to pfSense.
Although, if I need to do it all again, I would go with the Ubiquiti Edgerouter PoE5.

By Tweakers user mgizmo, Monday 9 November 2015 15:43

KnoxNL wrote on Sunday 08 November 2015 @ 13:12:
Using UTM professionally for over 2 years now, I can safely say this product is not ideal in an enterprise environment.

- Lots of DNS caching problems
- Lots of times where I have had to reboot the appliance for DNS changes on domain controllers to become effective
- Web filtering results in lots of false positives

For home use these are probably things you can live with though.
No DNS issues over here.

By Tweakers user Zehtuka, Monday 9 November 2015 21:54

Nice blog! Just wanted to comment on:
KnoxNL wrote on Sunday 08 November 2015 @ 13:12:
Using UTM professionally for over 2 years now, I can safely say this product is not ideal in an enterprise environment.

- Lots of DNS caching problems
- Lots of times where I have had to reboot the appliance for DNS changes on domain controllers to become effective
- Web filtering results in lots of false positives

For home use these are probably things you can live with though.
I haven't seen issues like you mention. Are you 100% sure it was the UTM?

By Tweakers user DennusB, Tuesday 10 November 2015 11:34

Sophos UTM is really cool! I have it running now for 4 weeks and it is really, really stable. With my new hardware it just uses all of the available bandwidth (150/15). Cool software :) Better than pfSense.

By Tweakers user Shuriken, Tuesday 17 November 2015 21:19

After reading this article I have built a Sophos UTM machine based on the Gigabyte GA-J1900N-D3V mainboard.

Today I added an Atheros AR928x Mini PCIe card to the machine. The GUI now shows an Active Access Point on LocalWifi0.

Unfortunately I do not have the antennas yet. But it shows good promise. So hopefully no need for a separate Sophos AP.
