Firewalla Feature: Target Lists

Comments

41 comments

  • John Varughese

    Will it work only on ip address or will work with site names also?

    0
  • Firewalla

    @John, it works with domains as well. (See the example: facebook.com is on there.)

    0
  • Shawn H

    Target lists do not seem to work if you apply it to "All Devices".

    If applied to a network, then it works...

    0
  • Firewalla

    @Shawn, target list should work on all devices, just created a ticket, so our developers can follow up with you. 

    0
  • Matt Niswonger

    Will it be possible in future releases to be able to use wildcards in such a way that we can more specifically target subdomains?  For example, instead of a target list entry "*.domain.com", which would match all subdomains, I'd like to use SQM with a target list entry that can match target1.domain.com and target2.domain.com.  Having the ability to create a list entry of "target?.domain.com", where ? matches a single character, or even "target*.domain.com" would be great.  Or, what would be even more powerful would be a way to match REGEX expressions to get even more precise, but I know that is a bigger ask and probably won't be as widely used.

    2
  • John Varughese

    I think I put in the same request months ago and am still waiting to see it in action.
    1. Ability to use wildcard characters in target lists
    2. Ability to assign a single rule to multiple devices (grouping doesn't solve the requirement).

    Looks like it's hard to code...

    0
  • Robert

    If I want to block a domain and all subdomains, do I need to add two entries?
    E.g.:
    google.com
    *.google.com

    2
  • Robert

    So for target lists, I just need to enter the base domain, and all sub-domains will be automatically included. Is this also the case with domain-specific rules or do I still need to use wildcards there? Ideally, the syntax and scope should be consistent between features.

    0
  • mozarella

    Target lists are not available with firewalla red?

    0
  • Firewalla

    @mozarella target list is supported on the blue/blue+/gold/purple 

    0
  • Leonid Makarov

    @Robert apparently, matching rules for single domains vs domains in target lists work differently.

    To match a domain + any-level-subdomain you would use:

    • bare domain (example.com) for single domain rules
    • wildcard (*.example.com) in target lists

    Bare domain in a target list will only match the bare domain.

    Updated my original comment.

    1
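An added illustration (editor's example, not Firewalla code and not from any commenter) of the two matching behaviours Leonid describes, written as a small Python model so the difference can be checked against concrete hostnames. It assumes, as Leonid's summary reads, that `*.example.com` in a target list covers the bare domain as well as every subdomain level; the real on-box matcher is not published in this thread, so the functions model the described behaviour rather than the product's implementation.

```python
"""Model of the two domain-matching behaviours described in this thread.

Added example, not Firewalla code. It encodes Leonid's summary: in a
single-domain rule a bare domain covers itself and every subdomain; in a
target list a bare domain is an exact match and "*.example.com" is needed
to cover subdomains. The actual on-box matcher is not published, so treat
these functions as a model of the stated behaviour, not the product's code.
"""


def _labels(name: str) -> list[str]:
    """Normalise a hostname into its labels: lower-case, trailing dot removed."""
    return [label for label in name.strip().lower().rstrip(".").split(".") if label]


def _ends_with(pattern: list[str], host: list[str]) -> bool:
    """True when the host's trailing labels equal the pattern. The comparison is
    label-wise, so 'example.com' does not match 'notexample.com'."""
    return len(host) >= len(pattern) and host[-len(pattern):] == pattern


def single_rule_matches(rule_domain: str, hostname: str) -> bool:
    """Single-domain rule: a bare domain matches itself and any-level subdomains."""
    return _ends_with(_labels(rule_domain), _labels(hostname))


def target_list_matches(entry: str, hostname: str) -> bool:
    """Target-list entry: a bare domain matches only itself; '*.example.com'
    matches the domain and any-level subdomain (assumption: the wildcard form
    covers the bare domain too, as Leonid's summary reads)."""
    if entry.startswith("*."):
        return _ends_with(_labels(entry[2:]), _labels(hostname))
    return _labels(entry) == _labels(hostname)


def target_list_hits(entries: list[str], hostname: str) -> list[str]:
    """Return the entries of a target list that would match the hostname."""
    return [entry for entry in entries if target_list_matches(entry, hostname)]


if __name__ == "__main__":
    # Constructed examples: the same entry behaves differently in the two features.
    for host in ("example.com", "www.example.com", "notexample.com"):
        print(f"{host:>20}  single rule 'example.com': {single_rule_matches('example.com', host)}"
              f"  target list 'example.com': {target_list_matches('example.com', host)}"
              f"  target list '*.example.com': {target_list_matches('*.example.com', host)}")
```

The practical check this enables: run the hostnames you expect an allow list to cover through `target_list_hits` with the list as written; any hostname that returns an empty list is one that, under the behaviour described above, needs a `*.` entry rather than a bare domain.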
  • Robert

    @Leonid Thanks for checking. This inconsistency may be why my allow lists didn't seem to be working.

    0
  • ColoRock

    I’m seeing seven built-in target lists (FWG) today. Only two are listed in this article. Please update with short descriptions of each. Thanks!

    0
  • Rich T.

    With the built-in list, I see OISD.nl, which is great for me, as it's what I use in PiHole, but...it's only the basic list (~65,000), which targets just ads. The full list there is ~1.1 million and blocks malware/tracking etc.

    I'm sure you know all this. Is the reason because the big list is too big, or because the "additional" 1 million sites should be caught by firewalla without the list (since they are "bad" sites). I don't want to turn off my PiHole and use the "basic" list if it increases the likelihood of anything getting on computers on the network. The full list has been great, but if it's not needed, I'd love to cut back to the smaller one.

    2
  • Ben Smith

    +1

    Agreed with Rich T. My PiHole monitored the full list too, plus others more specific to different categories (i.e. crypto mining, etc.).

    It would be good if FW had way more lists we could use (Full and Basic versions), or if we had the ability to add our own list URLs.

    0
  • Chris Hewitt

    I think we need the ability to add larger lists. We also need to be able to defang IP addresses and URLs, i.e. to be able to enter defanged entries that Firewalla enables for filtering behind the scenes. For example:

    • 218[.]108[.]149[.]373
    • 192[.]251[.]68[.]254
    • hxxps://compute.e-corp-usa.com/
    • www[.]e-corp-usa[.]com

    See: https://inquest.readthedocs.io/projects/iocextract/en/latest/
    and my other comment at  https://help.firewalla.com/hc/en-us/articles/1500003524781?page=1#comment_4966873945107 

    0
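As an added example (editor's code, not Firewalla's, not the commenter's and not iocextract), here is what "refang and validate" looks like in Python for the kinds of indicators listed above: `[.]` and `hxxp(s)` are undone, a URL is reduced to its hostname (the thread describes target lists as holding domains and IP addresses, not full URLs), and each result is checked before it is accepted. The validation step is the part worth copying: the first sample indicator above, `218[.]108[.]149[.]373`, has an octet above 255 and is not a valid IPv4 address, so a plain search-and-replace refang would produce an entry that can never match. The sample input is the four indicators from the comment.

```python
"""Refang defanged indicators and validate them before use as list entries.

Added example, not Firewalla code and not iocextract. The defanging forms
handled are the ones in the comment above ("[.]" for ".", "hxxp(s)" for the
scheme) plus a few common variants. A URL is reduced to its hostname, since
the thread describes target lists as holding domains and IP addresses, and
every result is validated so a typo'd indicator is rejected rather than
silently becoming an entry that can never match.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample input: the four indicators listed in the comment above.
DEFANGED = [
    "218[.]108[.]149[.]373",
    "192[.]251[.]68[.]254",
    "hxxps://compute.e-corp-usa.com/",
    "www[.]e-corp-usa[.]com",
]

_SCHEME = re.compile(r"^hxxp(s?)://", re.IGNORECASE)
# Conservative hostname check: dotted labels, letters-only TLD of 2+ characters.
_HOSTNAME = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$",
    re.IGNORECASE,
)


def refang(text: str) -> str:
    """Undo common defanging: [.] (.) {.} -> '.', [:] -> ':', [/] -> '/', hxxp -> http."""
    t = text.strip()
    t = _SCHEME.sub(lambda m: "http" + m.group(1) + "://", t)
    for bracketed, plain in (("[.]", "."), ("(.)", "."), ("{.}", "."), ("[:]", ":"), ("[/]", "/")):
        t = t.replace(bracketed, plain)
    return t


def to_target(text: str):
    """Return ("ip", address), ("domain", hostname) or None if the indicator is invalid."""
    t = refang(text)
    if "://" in t:
        t = urlsplit(t).hostname or ""  # only the host part is a usable list entry
    try:
        return ("ip", str(ipaddress.ip_address(t)))
    except ValueError:
        pass  # not an IP address; fall through to the hostname check
    if _HOSTNAME.match(t):
        return ("domain", t.lower())
    return None  # e.g. an IPv4 octet above 255, or a malformed name


def build_targets(defanged):
    """Split a batch of defanged indicators into accepted entries and rejects."""
    accepted, rejected = [], []
    for item in defanged:
        target = to_target(item)
        if target is None:
            rejected.append(item)
        else:
            accepted.append(target)
    return accepted, rejected


if __name__ == "__main__":
    accepted, rejected = build_targets(DEFANGED)
    for kind, value in accepted:
        print(f"accepted {kind:6} {value}")
    for item in rejected:
        print(f"rejected        {item}  (not a valid IP address or hostname)")
```

Running it on the four indicators accepts `192.251.68.254`, `compute.e-corp-usa.com` and `www.e-corp-usa.com` and rejects `218[.]108[.]149[.]373`; anything that lands in the rejected list should be looked up in the original report rather than "fixed" by hand.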
  • msdaf97sda90f

    What's behind the "online-meetings" target list? Which websites? Is there a way to change this?

    0
  • Firewalla

    The online meeting is just an example. It may have content for example from here https://support.zoom.us/hc/en-us/articles/201362683-Zoom-network-firewall-or-proxy-server-settings

    1
  • msdaf97sda90f

    So, we can also add our own custom target list, nice feature.

    Again, a new feature could be a sync with a GitHub list, like Pi-hole does.

    You add the GitHub list, like: https://raw.githubusercontent.com/anudeepND/blacklist/master/adservers.txt

    Then Firewalla fetches it on a daily basis and applies this to the custom target list.

    Best,

    2
  • Chris Hewitt

    This is a great feature. It would be great to have more than 200 entries because there are a lot of bad actors working on malicious attacks. For example my list of Russian, Ukrainian, Iranian, and NordVPN IOA and IOC URLs and IPs is about 5,300 entries today.

    My workaround is to create a list that I add to Pi-Hole - but this protects against outbound only. This is my current list, shared in an effort to keep the Firewalla community safe during the current geopolitical situation.

    https://raw.githubusercontent.com/C0ntr07/Pi-Hole/main/Iranian_Russian_Ukrainian_IPs.txt

    The NordVPN in-bound blocks are critical. We have found - in coordination with law enforcement - that there are attacks exiting from NordVPN’s network. The “group” is using NordVPN exit points to bypass “impossible travel” check protections. This has led to successful MFA compromise. There are just over 3,000 such IP addresses and I want to block them on all of our, and our clients', Firewalla Golds. THIS is why the 200 entry limit needs to be removed, unless it’s in place for performance reasons.

    0
  • Rich T.

    Chris, can you explain or link to an explanation on the NordVPN in-bound exploit? By default, everything incoming is blocked. If you are using NordVPN, I can see how something might be possible, but if that's a concern I'd just stop using it.

    Just like the "region" blocking and Pi-hole, unless you initiate a connection somewhere, a "response" or in-bound connection request from a random IP is blocked, right? So the outbound block essentially prevents the inbound. 

    0
  • Chris Hewitt

    *** Actually @Rich T, you are absolutely correct. Everything inbound is blocked - too much going on here. So the need to block in-bound per my list isn't really needed. Silly of me! Let me think more about that. It's not the use by staff or internal people, it's evildoers accessing public websites and exposed services that is the risk.


    NordVPN has been confirmed as being used by "hacker groups" to execute attacks. Many systems identify a user's IP address and the geolocation of that address prior to permitting access. One test is whether the distance between the geolocations of the IP addresses of sequential access attempts is a realistic time/distance possibility.

    For example, if I log in from Washington, DC and ten minutes later "I" am logging in from Moscow (Russia, not one of the 20 US "Moscows"): it is not possible to travel from Washington, DC to Moscow in ten minutes. Such an access attempt can then be blocked.

    To get around this, evildoers use VPNs (and NordVPN at a much higher rate than any other). Use a NordVPN (or any VPN) exit point in Washington, DC and then, in this example, this security protection isn't effective.

    This is, in part, how Microsoft's vendor's contractor was compromised even when using MFA.  The threat I am trying to address is related to MFA access to internal services.

    Blocking in-bound VPN IP addresses is a prudent protection these days.

    We, and my clients, are actively being scanned and attacked and every layer of protection needs to be put in place.  No effort is too small.

    0
  • Moeller

    I created a script to pull deduplicated IPs from a threat feed, I'm trying to automate the import of these IPs into my own target list, has anyone been able to find the actual folder location for these target lists?

    0
  • Chris Hewitt

    Good question. I was never able to find how to do what you are doing. Even if you identify how to do this, I suspect it wouldn’t persist through a reboot.

    Much easier to create your own custom list for PiHole. That’s what we do.

    Can you please share your script? Would like to add to my list maintained on Github at https://raw.githubusercontent.com/C0ntr07/Pi-Hole/main/Iranian_Russian_Ukrainian_IPs.txt

    0
  • Moeller

    Sure! Here's what I've been able to come up with:
    https://github.com/minitacoslayer/BadPackets_IP/blob/main/ThisDoesThings.py

    I like the PiHole idea; from my understanding, though, it is only DNS traffic that gets sent through this (for a home network it would probably be good enough). After reading some comments above, I agree that having a feature to sync with a GitHub list would be amazing!

    0
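An added example (editor's code, not Moeller's script linked above and not Firewalla code) for the product-independent part of the workflow discussed in the last several comments: parsing a Pi-hole style feed, dropping the `0.0.0.0`/`127.0.0.1` sink addresses used in hosts-format lists, collapsing duplicate and already-covered IP networks, and splitting the result into batches of at most 200 entries, the per-list cap reported earlier in this thread. The feed text is constructed inline so the script runs offline; getting the batches into the app remains a manual step, and nothing here reads or writes anything on the box.

```python
"""Turn a Pi-hole style feed into deduplicated target-list batches.

Added example, not Firewalla code and not the script linked in the thread.
Handles hosts-format lines ("0.0.0.0 ads.example.net"), bare domains, IPs
and CIDR ranges, drops comments and garbage, collapses networks that a wider
entry already covers, and splits the result into batches that fit the
200-entry cap reported in this thread. Importing the batches is still manual.
"""
import ipaddress
import re

# Constructed sample feed (not a real list): hosts-format lines, bare domains,
# IPs, a CIDR range, comments, duplicates, a covered host and one garbage line.
SAMPLE_FEED = """\
# constructed sample, not a real feed
0.0.0.0 ads.example.net
127.0.0.1 tracker.example.org   # inline comment
ads.example.net
203.0.113.7
203.0.113.7
203.0.113.8
198.51.100.0/24
198.51.100.77        # already covered by the /24 above
not a valid entry!!
"""

# Addresses that hosts-format blocklists use as a sink, not as indicators.
SINK_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::", "::1"}
MAX_ENTRIES_PER_LIST = 200  # per-list cap reported in the comments above
_DOMAIN = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)(?:\.(?!-)[a-z0-9-]{1,63}(?<!-))+$", re.I)


def parse_feed(text: str):
    """Return (set of domains, set of ip_network objects) from feed text."""
    domains, nets = set(), set()
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()  # strip comments, then tokenise
        if not fields:
            continue
        if len(fields) == 2 and fields[0] in SINK_ADDRESSES:
            token = fields[1]  # hosts format: "<sink> <domain>"
        elif len(fields) == 1:
            token = fields[0]  # bare domain, IP or CIDR
        else:
            continue  # anything else is not a usable indicator
        try:
            nets.add(ipaddress.ip_network(token, strict=False))
        except ValueError:
            if _DOMAIN.match(token):
                domains.add(token.lower())
    return domains, nets


def collapse(nets):
    """Drop duplicates and networks already covered by a wider one, per address family."""
    collapsed = []
    for version in (4, 6):  # collapse_addresses refuses mixed families
        family = [n for n in nets if n.version == version]
        collapsed.extend(ipaddress.collapse_addresses(family))
    return collapsed


def fmt_net(net) -> str:
    """Render a single host without the /32 or /128 suffix, ranges as CIDR."""
    return str(net.network_address) if net.num_addresses == 1 else str(net)


def build_entries(text: str) -> list[str]:
    """Deduplicated, validated list entries: domains first, then networks."""
    domains, nets = parse_feed(text)
    return sorted(domains) + [fmt_net(n) for n in collapse(nets)]


def batch_entries(entries: list[str], size: int = MAX_ENTRIES_PER_LIST) -> list[list[str]]:
    """Split into batches that fit the cap; each batch becomes one target list."""
    return [entries[i:i + size] for i in range(0, len(entries), size)]


if __name__ == "__main__":
    entries = build_entries(SAMPLE_FEED)
    for number, batch in enumerate(batch_entries(entries), start=1):
        print(f"target list {number} ({len(batch)} entries):")
        for entry in batch:
            print("   ", entry)
```

For the constructed feed this yields five entries in one batch: two domains, the `/24`, and the two `/32` hosts, with the duplicate and the host already inside the `/24` removed. With a real feed of several thousand indicators the same code tells you how many 200-entry lists you would need, which is the number the comments above are arguing about.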
  • Palta

    The lists in this article do not show up on my fwg. I'm on the beta version. 

    0
  • Chris Hewitt

    These are custom lists added to Pi-Hole

    0
  • Palta

    I mean the lists mentioned in the article (Online Meeting, Netflix Video)

    0
  • Ash Hartman

    Could someone please tell me: When I create a custom list, is it stored on Firewalla's server, or is it stored somewhere on the box itself as a text file?

    0
  • Nathan Thee

    This may seem like a stupid question to most of you, but I have seen some odd activities when using the Target List feature. I use the target list feature mostly to ALLOW certain traffic. I will provide an example list below.

    *.amazon.com
    *.a2z.com
    *.amazonaws.com

    However, it will still block the following:

    compute-1.amazonaws.com
    s3-w.us-east-1.amazonaws.com
    api.amazon.com
    arcus-uswest.amazon.com

    My assumption was using the wildcard should allow anything associated with the listed domains. Would anyone be able to explain why my lists are working in this fashion?

    0
