Firewall Order of Operations
Based on testing and additional information found in other requests, it appears that the proxies/security services have a higher order of operation than the firewall. As such, even with firewall rules in place, the security services override those settings. With Email Protection, this essentially opens up SMTP on the Sophos UTM to anyone on ALL interfaces. This thus increases the attack surface of the device to an unacceptable level.
Changing the order of operation would allow the administrator of the device to dictate, via firewall rules, what can and cannot access the Sophos UTM and the network(s) it is protecting. This would also address the issue of the Sophos UTM showing SMTP, SMTP SSL, and SMTP Submission open via port scans when Email Protection is enabled. This would also address the issue of the IDENT port showing as closed in a port scan instead of stealthed (regardless of whether the IDENT proxy is enabled or not). You would no longer have to use NAT rules to blackhole the traffic as well.
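Added example (not part of the original request or of any Sophos tooling): a small POSIX shell check that turns the port-scan symptom described above into something you can re-run after changing a rule. It parses nmap's grepable output (`nmap -oG -`) for the UTM's external interface and lists the ports from the post (25 SMTP, 465 SMTP SSL, 587 SMTP Submission, 113 IDENT) whenever the device answered them at all, whether "open" (the proxy accepted the connection) or "closed" (an RST went back instead of the probe being silently dropped). The scan text embedded below is constructed for the example, and 192.0.2.10 is a placeholder address, not a real host.

```shell
#!/bin/sh
# Added example, not from the original thread. Parses nmap grepable output
# (nmap -oG -) for the external interface of a UTM and reports the ports the
# post is worried about when they are not silently dropped: the SMTP family
# answering "open" with Email Protection on, and IDENT answering "closed"
# (RST) instead of "filtered" (stealthed). The scan text below is constructed
# for the example and 192.0.2.10 is a placeholder. Run the real check with:
#   nmap -p 25,113,465,587 -oG - <utm external IP> | exposed_ports

# 25 SMTP, 465 SMTP SSL, 587 SMTP Submission, 113 IDENT (the ports in the post).
WATCH_PORTS="25 465 587 113"

# exposed_ports: read nmap -oG text on stdin and print one "port/state" line
# for every watched port whose state is anything other than "filtered".
# In -oG output the fields are tab-separated and each entry in the Ports:
# field looks like  25/open/tcp//smtp///  (port/state/protocol/...).
exposed_ports() {
  awk -F '\t' -v watch="$WATCH_PORTS" '
    BEGIN { n = split(watch, w, " "); for (i = 1; i <= n; i++) want[w[i]] = 1 }
    /^Host:/ {
      for (f = 1; f <= NF; f++) {
        if ($f !~ /^Ports: /) continue
        sub(/^Ports: /, "", $f)
        m = split($f, entry, /, */)
        for (j = 1; j <= m; j++) {
          split(entry[j], q, "/")      # q[1]=port q[2]=state q[3]=protocol
          if ((q[1] in want) && q[2] != "filtered") print q[1] "/" q[2]
        }
      }
    }'
}

# stealthed: succeed (exit 0) only when nothing on stdin is exposed, so the
# function can be used from cron to alert when the UTM starts answering.
stealthed() {
  [ -z "$(exposed_ports)" ]
}

# report_sample: run the check over one scan text and return its output.
report_sample() {
  printf '%s\n' "$1" | exposed_ports
}

# Constructed sample: the symptom from the post with Email Protection enabled.
# Tabs are written with printf so the field layout matches nmap's.
SAMPLE_EXPOSED=$(printf 'Host: 192.0.2.10 ()\tStatus: Up\nHost: 192.0.2.10 ()\tPorts: 25/open/tcp//smtp///, 113/closed/tcp//ident///, 465/open/tcp//smtps///, 587/open/tcp//submission///\tIgnored State: filtered (0)\n')

# Constructed sample: the desired state, every probe dropped, so no port
# entries are listed and all four fall into the ignored (filtered) state.
SAMPLE_STEALTHED=$(printf 'Host: 192.0.2.10 ()\tStatus: Up\nHost: 192.0.2.10 ()\tPorts: \tIgnored State: filtered (4)\n')

echo "With Email Protection enabled, ports that answered the scan:"
report_sample "$SAMPLE_EXPOSED"
echo "After the traffic is dropped:"
printf '%s\n' "$SAMPLE_STEALTHED" | stealthed && echo "(nothing exposed)"
```

Scan from outside the UTM, not from a LAN host, because the post's point is what the external interface answers. A "closed" result on 113 is still a reply: it tells the scanner the device is there, which is exactly the difference between closed and stealthed that the request complains about.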
Bob Alfson commented
I don't think this should be changed. With a better understanding of iptables and WebAdmin, none of these issues are a problem. See #2 in https://community.sophos.com/products/unified-threat-management/f/general-discussion/22065/rulz and ask questions in the UTM Community.
This is alarming and frustrating. It took days of research to see this bug. The firewall should take precedence at all times. Or maybe have a setting for "insecure mode" or something if you want this reversed as it is now.
I have rules on the web proxy AND on the firewall to block web traffic starting at 9pm every night. I also have an "exception" for Netflix so that it streams properly. The exception takes priority and allows ALL USERS access regardless of any firewall rule or web proxy profile that uses time criteria. If the firewall took priority, this would work fine.
The firewall should be the first line of defense with regards to access into the network. This means that the firewall processes the traffic first before any other services.
This is a non-issue on, say, a Cisco device, as you have to allow the traffic first. This would also reduce load on the device because you don't have to worry about the unit having to process traffic that would typically be dropped by the firewall in the first place.
Per my example, I'm firewalling off SMTP SSL, SMTP Submission and IDENT because those services are not being used. If those services are not being used then there is no point in the UTM wasting valuable resources to process those transactions when you can just block it at the firewall level (granted, if it is the first thing that is looking at the traffic) and be done with it.
If someone is out there looking for open SMTP SSL ports and sees the device as open, even if they can't get access, Email Protection will still waste valuable resources processing that traffic when the firewall could have dropped it beforehand.