Known to apply to the following Sophos product(s) and version(s)
Sophos UTM v9
Sophos UTM v8
What To Do
Some ISPs, such as Deutsche Telekom, charge extra when they have to route traffic with special ToS bits set. This is an extra service because they carry such traffic automatically via their backbone.
Some applications, such as telephony or IP TV, add ToS bits to the IP header automatically, with no option to deactivate this via the GUI. As a result, the customer has to pay extra money each month because it's not trackable.
Generally these ToS bits are filtered by Deutsche Telekom:
Solution at the UTM Gateway to drop this traffic:
- Log in to the shell as loginuser and switch to the root user.
- Create the following file:
- Insert five iptables rules into this file:
iptables -A FORWARD -m tos --tos 0x00 -j DROP
iptables -A FORWARD -m tos --tos 0x02 -j DROP
iptables -A FORWARD -m tos --tos 0x04 -j DROP
iptables -A FORWARD -m tos --tos 0x08 -j DROP
iptables -A FORWARD -m tos --tos 0x10 -j DROP
Instead of using DROP, you can use the target LOGDROP. Each dropped packet will then be written to the packetfilter logfile.
- Modify the permissions of the file:
chmod 0700 /etc/init.d/ipmangle.local
- Restart the middleware to enable the rules:
Attention: this restart will cause a brief interruption of all connections at the gateway.
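
To check offline which ToS bytes the five rules above will match before restarting the gateway, the following added example (not part of the original article or of Sophos' code) parses the rule lines and evaluates them against constructed sample values. It assumes a numeric --tos without a mask compares the whole ToS byte; the sample header and the sample ToS values are constructed.

```python
import shlex

# The five rules from the article, verbatim.
RULES = """\
iptables -A FORWARD -m tos --tos 0x00 -j DROP
iptables -A FORWARD -m tos --tos 0x02 -j DROP
iptables -A FORWARD -m tos --tos 0x04 -j DROP
iptables -A FORWARD -m tos --tos 0x08 -j DROP
iptables -A FORWARD -m tos --tos 0x10 -j DROP
"""

def parse_rule(line):
    """Return (value, mask, target) from '... -m tos --tos V[/M] -j TARGET'."""
    args = shlex.split(line)
    value, _, mask = args[args.index("--tos") + 1].partition("/")
    # Assumption: with no explicit mask the whole ToS byte is compared (0xFF).
    return int(value, 16), int(mask, 16) if mask else 0xFF, args[args.index("-j") + 1]

RULESET = [parse_rule(line) for line in RULES.splitlines()]

def tos_of(ipv4_header):
    """The ToS byte is the second byte of the IPv4 header."""
    if len(ipv4_header) < 20 or ipv4_header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return ipv4_header[1]

def verdict(tos_byte, ruleset=RULESET):
    """First match wins, as in a chain; None means no rule here matched."""
    for value, mask, target in ruleset:
        if (tos_byte & mask) == value:
            return target
    return None

# Constructed sample: IPv4/TCP header 192.0.2.1 -> 198.51.100.1, ToS 0x10.
SAMPLE_HEADER = bytes.fromhex("4510002800004000400600" "00c0000201c6336401")

# Constructed ToS bytes a gateway might see.
SAMPLES = {0x00: "unmarked", 0x10: "minimize delay",
           0x18: "two ToS bits set", 0xB8: "DSCP EF"}

if __name__ == "__main__":
    tos = tos_of(SAMPLE_HEADER)
    print(f"sample header ToS 0x{tos:02x} -> {verdict(tos)}")
    for tos, label in SAMPLES.items():
        print(f"0x{tos:02x} {label:18} -> {verdict(tos) or 'no match'}")
```

The 0x00 rule matches forwarded packets that carry no ToS marking at all, while bytes with several bits set (0x18, 0xB8) match none of the five rules.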