8 Replies Latest reply on Oct 26, 2012 11:15 AM by loaned_brain

    HIP 8.0.0 Incorrectly allows through remote traffic under Allow Loopback rule?

    loaned_brain

      Hi Everybody,

       

      I am configuring the firewall for HIP deployment. While testing it, I discovered (HIP window -> Activity Log -> Traffic Logging -> Enable Log All Allowed) that the following traffic occurs:

       

      Allowed Incoming TCP - Source 172.X.X.177: (60153) Destination 10.X.X.213 : ms-ds (445) Allow Loopback

       

      The packets in question are SMB packets. (Verified with Wireshark on both sending and receiving side)

       

      I narrowed it down: the match is based on the "Local IP Address(es) = Any Local IP Address" option.

      Now, this traffic originates from another (physical) computer from a completely different subnet (but same corporate LAN).

       

      Is this a bug? This behavior is constant. If I disable this rule, the local loopback is disabled from the allowed traffic; I tried it. With this option enabled, the local loopbacks are working fine (and it also allows through other traffic).

      If I messed up something, what do I need to change in order to allow regular loopbacks and filter this odd behavior?

       

      Thanks

      --

      Loaned Brain

       

      HIP 8.0.0.2151

      Security Content 8.0.0.4587
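
Added example, not part of the original post and not McAfee code: a small checker that scans exported "Log All Allowed" lines for hits on the Allow Loopback rule whose source is neither a loopback address nor one of the host's own addresses. The line format is assumed from the single log line quoted in the post; the sample lines, IP addresses, the "Allow RDP" rule name and the function name are constructed for illustration.

```python
import ipaddress
import re

# Line layout assumed from the one activity-log line quoted in the post.
LINE_RE = re.compile(
    r"Allowed Incoming (?P<proto>\w+) - Source (?P<src>[\d.]+)\s*:\s*\((?P<sport>\d+)\)\s+"
    r"Destination (?P<dst>[\d.]+)\s*:\s*(?:(?P<svc>[\w-]+)\s*)?\((?P<dport>\d+)\)\s+"
    r"(?P<rule>.+)$"
)

# Constructed sample lines (addresses are placeholders, not values from the post).
SAMPLE_LOG = [
    "Allowed Incoming TCP - Source 127.0.0.1: (50001) Destination 127.0.0.1 : (8080) Allow Loopback",
    "Allowed Incoming TCP - Source 10.0.5.213: (50002) Destination 10.0.5.213 : ms-ds (445) Allow Loopback",
    "Allowed Incoming TCP - Source 172.16.9.177: (60153) Destination 10.0.5.213 : ms-ds (445) Allow Loopback",
    "Allowed Incoming TCP - Source 172.16.9.177: (60154) Destination 10.0.5.213 : (3389) Allow RDP",
]


def suspicious_loopback_hits(lines, local_addrs, rule_name="Allow Loopback"):
    """Return (source, destination, destination port) for every entry that was
    allowed by the loopback rule although its source is neither a 127.0.0.0/8
    address nor one of this host's own addresses."""
    local = {ipaddress.ip_address(a) for a in local_addrs}
    hits = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m or m["rule"].strip() != rule_name:
            continue  # unparsable line or a different rule
        src = ipaddress.ip_address(m["src"])
        if src.is_loopback or src in local:
            continue  # genuine loopback: host talking to itself
        hits.append((str(src), m["dst"], int(m["dport"])))
    return hits


if __name__ == "__main__":
    # The host's own addresses would come from its interface configuration.
    for src, dst, port in suspicious_loopback_hits(SAMPLE_LOG, ["10.0.5.213"]):
        print(f"remote source {src} allowed to {dst}:{port} by Allow Loopback")
```
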