One of Firewalla's major functions is managing your network traffic through features like Rules, Routes, and Smart Queue. These features require selecting a "target" and applying an action to a device, a group, or a network segment. Currently, to specify a target, the system only allows one IP/IP segment or one top-level domain. This can result in needing to make several rules if you have more than one target in mind. Many of you suggested we should use a list instead.
Introducing Target List
A Target List is a set of targets defined by domain (exact or all subdomains) or IP (exact or range), which can be used as a building block to create rules or prioritize a group of targets. If you have a lot of rules, this feature can help you to organize them.
The Firewalla Target List feature allows you to:
- Create your own Target List to simplify rules.
- Use an existing pre-created list.
Target Lists can be used with the following features:
- Rules: control access, content filtering
- Smart Queue: regulate traffic flow
- Policy & Content-based Routing: route of network traffic
- Alarms: mute alarms based on a Target List
Target List Definition:
- Target Lists can only be created and managed using the Firewalla Web interface
- Rules using Target Lists can be created/managed via the Firewalla Web or App
- Target List items for this version are restricted to 200 items
- Target List elements can have the following forms:
- Exact-match IP: e.g. 1.1.1.1
- IP Range in CIDR notation: e.g. 192.168.0.1/24
- Exact-match domain: e.g. firewalla.com
- Match-all subdomains: e.g. *.firewalla.com
(We ONLY support the exact form of a single '*.' before the domain name)
- You can only create up to 20 Target Lists
- Target Lists are not available on Firewalla Red
Create Target List on Firewalla Web
Login to Firewalla Web, click Target List on the left side, and you'll see a list of pre-built target Lists owned by Firewalla.
Built-in Target Lists
Firewalla maintains these list items. You can use them wherever Target Lists are accepted (Rules, Smart Queue, Routes, Alarm muting). Their definitions are proprietary.
| List Name | Description |
|---|---|
| Apple Private Relay |
Apple's iCloud Private Relay feature encrypts DNS requests. However, using it may mean that Firewalla has less information about network traffic, and some of your policies may not work as intended. This Target List blocks Apple's Private Relay Servers, banning their relay service and returning complete visibility to your Firewalla.
|
|
Crypto List
|
This Target List consists of known cryptocurrency mining sites and can be used to block cryptocurrency activities.
|
|
DShield Block List
|
DShield.org is a collaborative cyber threat logging system. We recommend that you block this list.
|
| DoH Services (beta) |
This is a list of well-known DNS-over-HTTPS (DoH) servers. Some browsers have built-in DoH services that encrypt DNS requests, which may get in the way of your rules and policies. You can block this list to prevent browser-based DoH from working and ensure that your rules will function as expected.
|
| OISD |
This OISD blocklist is a list of risky sites or sites that have unwanted content. You can read more at https://oisd.nl.
|
| Tor Exit Nodes |
A Tor exit node is the gateway between Tor encrypted traffic and the Internet. Blocking this list will block just these Tor nodes.
|
| Tor Full Nodes |
This list is of all Tor nodes. Be aware that this list is not just exit nodes.
|
| Log4j Attackers |
This is a list of known log4j attackers from a public list.
|
Create your Target Lists
To create your own, click the Create Target List button in the top right corner.
Security example: Here is an example of creating a Target List to identify the malware command and control sites associated with, "Purple Fox."
Parental Control Example: You can create lists of specific sites like "Gaming" for kids.
Update a Target List
In addition to the web interface, on the Firewalla app, we've supported the ability to quickly add a domain or an IP address from a flow or an alarm to a Target List you've created.
For example, if you already have a rule that blocks a list of targets, adding a new domain to the Target List will automatically be updated to block the new target.
Create Rules/Smart Queue/Routes using a Target List
On the Firewalla app and web interface, you can create a rule, a Smart Queue rule, or a policy-based route matched to a Target List.
You can view the detail of the Target List on the Firewalla App by tapping the "i" icon on the right side of any Target List.
Example: Block iCloud Private Relay using pre-defined Target Lists
Apple iCloud Private Relay is one of the most exciting features in iOS 15 and macOS Monterey. It will encrypt and obfuscate your source IP address to protect your privacy while using Safari. This is perfect if you're using free Wi-Fi in a cafe or a store and want to protect your privacy.
Unfortunately, this encryption will also block devices like Firewalla from operating on the network to filter and audit traffic.
Besides turning off iCloud Private Relay directly on your Apple devices, Firewalla can disable this feature on your network by creating a BLOCK rule using the pre-defined Firewalla Target List called, "Apple Private Relay."
To create the Rule, go to Rules -> Add Rule -> set the target to Target List" Apple Private Relay" -> apply to any device -> Save.
You can also block a list of IPs or domains from accessing a certain port on your local devices by creating a rule matching a specific Local Port and a Target list.
Example: Prioritize traffic for online meetings
In addition to Firewalla's built-in Apps, you can create a Target List and put all the sites you and your company use for online meetings, then create a smart queue rule to prioritize the meeting traffic using the Target List.
- Smart Queue -> Smart Queue rules -> Add Smart Queue Rule
- Set a target -> Target List -> Online Meeting
- Apply it to any devices/network you might use for online meetings.
- Set the Priority to High.
- Save the rule.
Example: Route your Netflix traffic to a particular VPN
If you want all the Netflix traffic on your Apple TV to go to a 3rd party VPN, you can create a Target List with the primary domains Netflix is using, then create a policy-based routing rule using the Target List.
- Routes -> Add Route
- Set a target -> Target List -> Netflix video
- Select a device -> MyMac
- Select an interface -> 3rd party VPN
- Save the Route
Example: Mute Alarms based on a Target List
If you want to mute alarms from a list of IPs used by Ring services but don't want to create mute settings for each IP individually, you can create a Target List of those IPs and selectively mute alarms related to those IPs. Create your Target List, then configure your alarm settings.
- Alarms -> Alarm Settings
- Choose an alarm category -> Mute
- Tap Add Target List and select the Target List you created
- Apply the mute setting to the devices you want to mute the alarm for.
FAQ:
Do I need to import a security list for better security?
You do not have to. Behind Firewalla, an extensive list of security intel is already integrated with your box. This list is part of our Firewalla security intel. Please see https://help.firewalla.com/hc/en-us/articles/360049856394-How-to-Secure-Your-Network-with-Firewalla-Part-3-Protect
Since Firewalla's security intel is dynamic and actively managed, if you ever need an on/off switch in a list form that's part of your team/work/home policy, you can integrate it with the Target List.
Can I create and manage Target List on the phone?
No, you can't; managing lists is a web-only function. Managing lists is a complex process, and mistakes can take time to debug.
Can I add to a Target list from Flows or Alarms?
Yes. When you tap on a domain in a Flow or Alarm you can add a domain or IP to an existing Target list.
I have a list that I think is good, can you integrate it?
Yes, please send your list to help@firewalla.com
We can only integrate some of the lists out there. Not all lists are equal– some are well-maintained, and some need a lot of work.
Why is the Target List limited to 200 elements?
The manual input lists are there for specific usage. For more extensive lists, it needs to be filtered and cleaned by the software and then imported. This means a cut/paste of a large list may work in a day or two. Without updating it, it may stop working a month out. If you would like to create Target Lists with more items, check out Firewalla MSP, our tool designed for security and infosec professionals to easily manage multiple Firewalla boxes remotely. Through Firewalla MSP, you can create Target Lists with up to 2000 elements.
Comments
35 comments
Will it work only on ip address or will work with site names also?
@John, it works with domains as well. (see the example, facebook[.com is on there)
Target lists do not seem to work if you apply it to "All Devices".
If Applied to a network then it works...
@Shawn, target list should work on all devices, just created a ticket, so our developers can follow up with you.
Will it be possible in future releases to be able to use wildcards in such a way that we can more specifically target subdomains? For example, instead of a target list entry "*.domain.com", which would match all subdomains, I'd like to use SQM with a target list entry that can match target1.domain.com and target2.domain.com. Having the ability to create a list entry of "target?.domain.com", where ? matches a single character, or even "target*.domain.com" would be great. Or, what would be even more powerful would be a way to match REGEX expressions to get even more precise, but I know that is a bigger ask and probably won't be as widely used.
I think I put the same request months ago and still waiting to see in action.
1. Ability to use wild characters in target list
2. Ability to assign single rule to multiple devices (grouping doesn't solve the requirement).
Looks like hard to code.....
If I want to block a domain and all subdomains, do I need to add two entires?
Eg:
google.com
*.google.com
So for target lists, I just need to enter the base domain, and all sub-domains will be automatically included. Is this also the case with domain-specific rules or do I still need to use wildcards there? Ideally, the syntax and scope should be consistent between features.
Target lists are not available with firewalla red?
@mozarella target list is supported on the blue/blue+/gold/purple
@Robert apparently, matching rules for single domains vs domains in target lists work differently.
To match a domain + any-level-subdomain you would use:
Bare domain in a target list will only match the bare domain.
Updated my original comment.
@Leonid Thanks for checking. This inconsistency may be why my allow lists didn't seem to be working.
I’m seeing seven built in target lists (FWG) today. Only two listed in this article. Please update with short descriptions of each. Thanks!
With the built-in list, I see OISD.nl which is great for me, as it's what I use in PiHole, but...it's only the basic list (~65,000) which targets just ads. The fill list there is ~1.1 million and blocks malware/tracking etc.
I'm sure you know all this. Is the reason because the big list is too big, or because the "additional" 1 million sites should be caught by firewalla without the list (since they are "bad" sites). I don't want to turn off my PiHole and use the "basic" list if it increases the likelihood of anything getting on computers on the network. The full list has been great, but if it's not needed, I'd love to cut back to the smaller one.
+1
Agreed with Rich T. My PiHole monitored the full list too, plus others more specific to different categories (ie. crypto mining etc).
It would be good if FW had way more lists we could use (Full and Basic versions), or we have the ability to add our own list URL's.
I think we need the ability to add larger lists. We also need to be able defang IP addresses and URLs. To be able to enter defanged entries that Firewalla enables for filtering behind the scenes. For example:
See: https://inquest.readthedocs.io/projects/iocextract/en/latest/
and my other comment at https://help.firewalla.com/hc/en-us/articles/1500003524781?page=1#comment_4966873945107
what's behind the "online-meetings" target list ? which websites ? there's a way to change this ?
The online meeting is just an example. It may have content for example from here https://support.zoom.us/hc/en-us/articles/201362683-Zoom-network-firewall-or-proxy-server-settings
So, we can also add our custom target list, nice feature.
Again, a new feature could be a sync with a github list like pi-hole does.
you add the github list like : https://raw.githubusercontent.com/anudeepND/blacklist/master/adservers.txt
then firewalla fetch on a daily basis and apply this to the custom target list.
best,
This is a great feature. It would be great to have more than 200 entries because there are a lot of bad actors working on malicious attacks. For example my list of Russian, Ukrainian, Iranian, and NordVPN IOA and IOC URLs and IPs is about 5,300 entries today.
My workaround is to create a list that I add to Pi-Hole - but his protects against outbound only. This is my current list shared in an effort to keep the Firewalla community safe during the current geopolitical situation.
https://raw.githubusercontent.com/C0ntr07/Pi-Hole/main/Iranian_Russian_Ukrainian_IPs.txt
The NordVPN in-bound blocks are critical. We have found - in coordination with law enforcement - that there are attacks exiting from NordVPN’s network. The “group” is using NordVPN exit points to bypass “impossible travel” check protections. This has lead to success MFA compromise. There are just over 3,000 such IP addresses and want to block them on all of our, and our clients, Firewalla Golds. THIS is why the 200 entry limit needs to be removed unless it’s in place for performance reasons.
Chris, can you explain or link to an explanation on the NordVPN in-bound exploit? By default, everything incoming is blocked. If you are using NordVPN, I can see how something might be possible, but if that's a concern I'd just stop using it.
Just like the "region" blocking and Pi-hole, unless you initiate a connection somewhere, a "response" or in-bound connection request from a random IP is blocked, right? So the outbound block essentially prevents the inbound.
*** Actually @Rich T, you are absolutely correct. Everything inbound is blocked - too much going on here. So the need to block in-bound per my list isn't really needed. Silly of me! Let me think more about that. It's not the use of by staff or internal people, it's evil doers accessing public websites and exposed services that is the risk.
NordVPN has been confirmed as being used by "hacker groups" to execute attacks. Many systems identify a users IP address and the geolocation of that address prior to permitting access. One test is if the distance between the geolocation of IP addresses between sequential access attempts is a realistic time/distance possibility.
For example, if I log in from Washington, DC and ten minutes later "I" am logging in from Moscow (Russia and not one of the 20 US "Moscows"). It is not possible to travel from Washington DC to Moscow in ten minutes. Such an access attempt can then be blocked.
To get around this, evil doers use VPNs (and NordVPN at a much higher rate than any other) to get around this. Use a NordVPN (or any VPN) that exits in Washington DC and then, in this example, this security protection isn't effective.
This is, in part, how Microsoft's vendor's contractor was compromised even when using MFA. The threat I am trying to address is related to MFA access to internal services.
Blocking in-bound VPN IP addresses is a prudent protection these days.
We, and my clients, are actively being scanned and attacked and every layer of protection needs to be put in place. No effort is too small.
I created a script to pull deduplicated IPs from a threat feed, I'm trying to automate the import of these IPs into my own target list, has anyone been able to find the actual folder location for these target lists?
Good question. I was never able to find how to do what you are doing.even if you identify how to do this I suspect it wouldn’t persist through a reboot.
Much easier to create your own custome list for PiHole. That’s what we do.
Can you please share your script? Would like to add to my list maintained on Github at https://raw.githubusercontent.com/C0ntr07/Pi-Hole/main/Iranian_Russian_Ukrainian_IPs.txt
Sure! here's what I've been able to come up with
https://github.com/minitacoslayer/BadPackets_IP/blob/main/ThisDoesThings.py
I like the PiHole idea, from my understanding, it is only DNS traffic that gets sent through this though (for a home network would probably be good enough). After reading some comments above, I agree having a feature to sync with a github list would be amazing!
The lists in this article do not show up on my fwg. I'm on the beta version.
These are custom lists added to Pi-Hole
I mean the lists mentioned in the article (Online Meeting, Netflix Video)
Could someone please tell me: When I create a custom list, is it stored on Firewalla's server, or is it stored somewhere on the box itself as a text file?
This may seem like a stupid question to most of you, but I have seen some odd activities when using the Target List feature. I use the target list feature mostly to ALLOW certain traffic.I will provide an example list below.
*.amazon.com
*.a2z.com
*.amazonaws.com
However, it will still block the following:
compute-1.amazonaws.com
s3-w.us-east-1.amazonaws.com
api.amazon.com
arcus-uswest.amazon.com
My assumption was using the wildcard should allow anything associated with the listed domains. Would anyone be able to explain why my lists are working in this fashion?
Please sign in to leave a comment.