One of Firewalla's major functions is managing your network traffic through features like Rules, Routes, and Smart Queue. These features require selecting a "target" and applying an action to a device, a group, or a network segment. Currently, to specify a target, the system only allows one IP/IP segment or one top-level domain. This can result in needing to make several rules if you have more than one target in mind. Many of you suggested we should use a list instead.
A Target List is a set of targets defined by domain (exact or all subdomains) or IP (exact or range). These lists can be used as a building block to create Rules or prioritize a group of targets. If you have a lot of Rules, this feature can help you organize them.
- Create your own Target List to simplify rules.
- Use an existing, built-in Target List.
Target Lists can be used with the following features:
- Rules: control access, content filtering
- Smart Queue: regulate traffic flow
- Policy & Content-based Routing: route of network traffic
- Alarms: mute alarms based on a Target List
- Target List Definition
- Create a Target List
- Update a Target List (via App)
- Create Rules/Smart Queue/Routes using a Target List
Target List Definition:
- Target Lists can only be created and managed using Firewalla MSP (including MSP Lite, Professional, and Business).
- Rules using Target Lists can be created/managed via the Firewalla MSP or App.
- Maximum items per Target List:
- MSP Lite: up to 200 items
- MSP Professional/Business: up to 2000 items
- Maximum number of Custom Target Lists:
- MSP Lite: up to 20 lists
- MSP Professional/Business: up to 100 total lists (including imported lists)
- Target Lists are not available on Firewalla Red.
Target List elements can have the following forms:
- Exact-match IP: e.g.
1.1.1.1 - IP Range in CIDR notation: e.g.
192.168.0.1/24 - Exact domain: e.g.
firewalla.com - All subdomains of a domain: e.g.
*.firewalla.com - All domains under a top-level domain: e.g.
*.xyz(Only a single leading*wildcard is supported.) - Specify ports: e.g.
firewalla.com:80,443-453or non sequential ports e.g. firewalla.com,tcp:80,443-445 - Specify protocol: e.g.
firewalla.com,tcp:80
Note: Firewalla MSP is the current web interface for managing advanced features. MSP Lite is the free version available to all users, previously known as My Firewalla or my.firewalla.com.
Create a Target List
- Built-in Target Lists
- Create a Custom Target List
-
Import a Target List on Firewalla MSP
- 3rd-Party Managed Lists
- GitHub Managed Lists (Experimental)
Built-in Target Lists
Log in to Firewalla MSP, click Target List on the left side, and you'll see a list of pre-built target Lists owned by Firewalla.
Firewalla maintains these list items. You can use them wherever Target Lists are accepted (Rules, Smart Queue, Routes, Alarm muting). Their definitions are proprietary.
Disclaimer: Some of these target lists are maintained by 3rd parties. We can not guarantee their correctness, nor can we influence the content of the list (e.g., crypto list, OISD, Tor).
| List Name | Description |
|---|---|
| Apple Private Relay |
Apple's iCloud Private Relay feature encrypts DNS requests. However, using it may mean that Firewalla has less information about network traffic, and some of your policies may not work as intended. This Target List blocks Apple's Private Relay Servers, banning their relay service and returning complete visibility to your Firewalla. |
Crypto List |
This Target List consists of known cryptocurrency mining sites and can be used to block cryptocurrency activities. |
DoH Services |
This is a list of well-known DNS-over-HTTPS (DoH) servers. Some browsers and Android devices (via the Private DNS feature) have built-in DoH services that encrypt DNS requests, which may get in the way of your rules and policies. You can block this list to prevent browser-based DoH and Android Private DNS from working, ensuring that your rules will function as expected. |
| DShield Block List | DShield.org is a collaborative cyber threat logging system. We recommend that you block this list. |
|
HaGeZi's Pro Blocklist (Early Access Boxes Only) |
This list blocks Ads, Affiliates, Tracking, Metrics, Telemetry, Phishing, Malware, Scams, Fakes, Coins, and other unwanted connections.
|
| Log4j Attackers | This is a list of known log4j attackers from a public list. |
| Newly Registered Domains | This list is updated frequently to help protect you from potential malicious sites that lack an established reputation. This will remain in beta mode until it is stable (Blocking NRD domains is still experimental, as they may create issues if a false positive happens). (New = last 14 days, does not include subdomains). |
| NSFW AI List |
NSFW stands for Not Safe For Work, typically referring to adult material. This is a small, manually curated list of known adult-focused AI chatbots. This list is only available for blocking rules. If you're interested in a larger and more community-driven list, please see our GitHub repository: https://github.com/firewalla/fw-public-lists |
| OISD | This OISD blocklist is a list of risky sites or sites that have unwanted content. You can read more at https://oisd.nl. |
| Tor Exit Nodes | A Tor exit node is the gateway between Tor encrypted traffic and the Internet. Blocking this list will block just these Tor nodes. |
| Tor Full Nodes | This list is of all Tor nodes. Be aware that this list is not just exit nodes. |
What are Newly Registered Domains?
Newly Registered Domains, or NRDs, are domains that have been newly registered in the past 14 days. It's a common security practice to block NRDs, as they can sometimes be used for phishing, malware, tracking, or other malicious activities.
Advantages of blocking NRDs:
- Stop phishing and scam campaigns. Attackers often register domains before launching scam attacks. Blocking NRDs can stop these scams before they reach you.
- Avoid accidental visits to fake sites. Some NRDs mimic legitimate domains using typos or similar-looking characters (like a "zero" instead of an "O"). Blocking NRDs can reduce accidental visits to these fake sites.
- Prevent command-and-control (C2) communication. Many malware infections rely on NRDs to communicate with remote servers. Blocking NRDs can stop infected devices from sending data or receiving commands.
However, there are some disadvantages of blocking NRD:
- Legitimate new services may be blocked. New startups, product launches, or marketing campaigns may be incorrectly blocked if they use a newly registered domain.
- Not all bad sites can be blocked. Blocking NRDs won't stop attacks that use older, compromised domains with good reputations.
Create a Custom Target List
All plans (MSP Lite, Professional, and Business) support creating a Target List.
To create your own, go to Firewalla MSP, click the Target List tab from the left navigation bar, then click the Create Target List button in the top right corner.
Security example: Here is an example of creating a Target List to identify some bad sites to avoid.
Target List Management
If you create a Target List on MSP Professional or Business, Target Lists are MSP-managed or Global. This means that they can be applied to any box in your MSP instance.
- Global Target Lists stay with the MSP instance, and are always managed by MSP. These don't get moved to the box if you remove the box from the MSP instance at a later time.
- If you cancel your MSP subscription, all MSP-managed target lists will be lost.
- Once a target list is made, "Managed By" cannot be changed.
If you create a Target List on MSP Lite (formerly my.firewalla.com), Target Lists are Box-managed. This means they can only be applied to that box.
- Target Lists created on MSP Lite are always managed by the Firewalla Box itself.
- If you later add this box to an MSP Inventory (with MSP Professional or Business), you can access Box-managed target lists under that single box view.
When managing target lists under the MSP All Boxes view, you can see all the lists managed by MSP and Firewalla. These lists can create rules across different boxes and box groups.
If you switch to the MSP single box view (by clicking the inventory dropdown at the top of the page), you can see all the lists owned by MSP, Firewalla, and the box itself. You can also use these lists to create rules.
Import a Target List on Firewalla MSP
Only MSP Professional and Business Plans support Importing Target Lists.
While Firewalla's Active Protect already has a lot of built-in security intelligence, at times, you may want to block more specific services that may not be categorized by Firewalla. (For example, crypto, or you may want to enhance Firewalla's Ad Block)
If you're looking for more control (beyond the default Firewalla security intelligence), you can use Firewalla MSP to import popular, open-source lists from external sources.
3rd-Party Managed Lists
To import a 3rd-party target list:
- On the left navigation panel, click on Target Lists.
- Click Import Target List.
- Select the lists you'd like, then click Import.
These lists are synced to your MSP instance regularly after being imported. Firewalla does not test external target lists imported from 3rd-party owners. The lists are imported exactly as published. See the list of supported target lists here.
Supported Imported Target Lists
Based on feedback from our surveys, these target lists are available to import. If there is any list you'd like us to add, please let us know via email at help@firewalla.com. You can also import additional Target Lists from GitHub.
| List Name | Source URL | License Link |
|---|---|---|
| AdGuard Base Filter | Link | License |
| AdGuard DNS Filter | Link | License |
| AdGuard Mobile Ads Filter | Link | License |
| Anudeep's Blacklist for Ads and trackers | Link | License |
| Block List Project | Link | License |
| GoodbyeAds | Link | License |
| HaGeZi - Multi Pro | Link | License |
| HaGeZi - Multi Pro++ | Link | License |
| Steven Black | Link | License |
GitHub Managed Lists (Experimental)
If the list you're looking for isn't available, you can also import Target Lists from GitHub. To regulate what lists can be imported, only lists that are available on fw-public-lists are supported.
- fw-public-lists is a Firewalla-managed GitHub repository of community-maintained optional blocklists and other datasets. It is open-source, and anyone can contribute to it.
- The target list can be a "list" or a link to a publicly available list.
- These lists are community-curated and may not be 100% complete or accurate. Use at your own discretion. Firewalla does not guarantee the behavior of third-party domains, nor does it mandate the use of these lists.
Lists from fw-public-lists will be marked with a yellow "Community" label and will be synced periodically.
- To contribute or request a specific External List, please see https://github.com/firewalla/fw-public-lists.
- We are not responsible for the content of any submitted list and do not verify whether a list is valid, accurate, compliant, or legally usable. All responsibility for the submitted content rests solely with the submitter. We reserve the right to remove any list at our discretion, including in cases of discrepancies, violations, licensing conflicts, usage restrictions, or quality issues.
- This feature will remain experimental, and if not enough users use it, we may disable it in the future.
Update a Target List (via App)
In addition to Firewalla MSP, on the Firewalla App, you can quickly add a domain or an IP address from a flow or an alarm to a Target List you've created.
For example, if you already have a rule that blocks a list of targets, adding a new domain to the Target List will automatically be updated to block the new target.
For MSP Professional and Business, different levels of App Access for MSP-managed target lists can be set to help you manage your Target Lists more easily.
For Professional MSPs, all MSP-managed target lists can be used on any box. This means you can create and edit rules with MSP-managed target lists from the MSP UI and the Firewalla app, just like you would with box- or Firewalla-managed target lists.
For Business MSPs, app access is divided into three types:
- Restricted: Same as before; MSP-managed target lists can only be used/edited on the MSP UI.
- Read-Only: The Firewalla app can create/edit rules using MSP-managed target lists.
- Editable: In addition to creating/editing rules, you can edit the MSP-managed target list by adding domains or IPs to it.
Create Rules/Smart Queue/Routes using a Target List
On the Firewalla App or Firewalla MSP, you can create rules matching Target Lists.
To see the number of targets, last update time, or notes of the Target List, just tap the "i" icon on the right side of any Target List to enter the detail page.
Example: Block iCloud Private Relay using pre-defined Target Lists
Apple iCloud Private Relay is one of the most exciting features in iOS 15 and macOS Monterey. It will encrypt and obfuscate your source IP address to protect your privacy while using Safari. This is perfect if you're using free Wi-Fi in a cafe or a store and want to protect your privacy.
Unfortunately, this encryption will also block devices like Firewalla from operating on the network to filter and audit traffic.
Besides turning off iCloud Private Relay directly on your Apple devices, Firewalla can disable this feature on your network by creating a BLOCK rule using the pre-defined Firewalla Target List called, "Apple Private Relay."
To create the Rule, go to Rules -> Add Rule -> set the target to Target List" Apple Private Relay" -> apply to any device -> Save.
You can also block a list of IPs or domains from accessing a certain port on your local devices by creating a rule matching a specific Local Port and a Target list.
Example: Prioritize traffic for online meetings
In addition to Firewalla's built-in Apps, you can create a Target List and put all the sites you and your company use for online meetings, then create a smart queue rule to prioritize the meeting traffic using the Target List.
- Smart Queue -> Smart Queue rules -> Add Smart Queue Rule
- Set a target -> Target List -> Online Meeting
- Apply it to any devices/network you might use for online meetings.
- Set the Priority to High.
- Save the rule.
Example: Route your Netflix traffic to a particular VPN
If you want all the Netflix traffic on your Apple TV to go to a 3rd party VPN, you can create a Target List with the primary domains Netflix is using, then create a policy-based routing rule using the Target List.
- Routes -> Add Route
- Set a target -> Target List -> Netflix video
- Select a device -> MyMac
- Select an interface -> 3rd party VPN
- Save the Route
Example: Mute Alarms based on a Target List
If you want to mute alarms from a list of IPs used by Ring services but don't want to create mute settings for each IP individually, you can create a Target List of those IPs and selectively mute alarms related to those IPs. Create your Target List, then configure your alarm settings.
- Alarms -> Alarm Settings
- Choose an alarm category -> Mute
- Tap Add Target List and select the Target List you created
- Apply the mute setting to the devices you want to mute the alarm for.
FAQ:
Do I need to import a security list for better security?
You do not have to. Behind Firewalla, an extensive list of security intel is already integrated with your box. This list is part of our Firewalla security intel. Please see https://help.firewalla.com/hc/en-us/articles/360049856394-How-to-Secure-Your-Network-with-Firewalla-Part-3-Protect
Since Firewalla's security intel is dynamic and actively managed, if you ever need an on/off switch in a list form that's part of your team/work/home policy, you can integrate it with the Target List.
Can I create and manage a Target List on the phone?
No, you can't; managing lists is a web-only function. Managing lists is a complex process, and mistakes can take time to debug.
Can I add to a Target list from Flows or Alarms?
Yes. When you tap on a domain in a Flow or Alarm you can add a domain or IP to an existing Target list.
I have a list that I think is good, can you integrate it?
Yes, please send your list to help@firewalla.com, or consider importing a Target List on Firewalla MSP.
We can only integrate some of the lists out there. Not all lists are equal– some are well-maintained, and some need a lot of work.
Why is the Target List limited to 200 elements?
The manual input lists are there for specific usage. For more extensive lists, it needs to be filtered and cleaned by the software and then imported. This means a cut/paste of a large list may work in a day or two. Without updating it, it may stop working a month out.
If you would like to create Target Lists with more items, check out Firewalla MSP's Professional or Business plans, which are designed for security and infosec professionals to easily manage multiple Firewalla boxes remotely.
Through Firewalla MSP Professional or Business, you can create Target Lists with up to 2000 elements, and create up to 100 different custom Target Lists.
Comments
42 comments
Will it be possible in future releases to be able to use wildcards in such a way that we can more specifically target subdomains? For example, instead of a target list entry "*.domain.com", which would match all subdomains, I'd like to use SQM with a target list entry that can match target1.domain.com and target2.domain.com. Having the ability to create a list entry of "target?.domain.com", where ? matches a single character, or even "target*.domain.com" would be great. Or, what would be even more powerful would be a way to match REGEX expressions to get even more precise, but I know that is a bigger ask and probably won't be as widely used.
So, we can also add our custom target list, nice feature.
Again, a new feature could be a sync with a github list like pi-hole does.
you add the github list like : https://raw.githubusercontent.com/anudeepND/blacklist/master/adservers.txt
then firewalla fetch on a daily basis and apply this to the custom target list.
best,
I've noted this before- I think you'll be amazing, instead of having to manually enter a limited set of domains and keep them up-to-date, Use link to known block lists, such as the ones used in sinkholes like pi hole or AdGuard Home, all available in firewalla syntax, with automatic updates, where the systems pull the link every so often.
It's not only replacing the need for pi-hole, etc, and provides far more benefit. currently lists are target list are limited to 200 entries, due to the concern that overtime false positives were aggregate. however, These lists are constantly updated , there would be little risk in Maintaining large number of domains.
this would provides a unified view and granular control that sinkhole, which requires turbo DNS to intercept hard coalded DNS to be active, allowing to view queries coming from actual client versus Firewalla DNS ip, fully leveraging the hierarchy, providing unified view and granular control.
unlike AdGuard Home etc., different upstream the servers could be applied for different clients, including VPN client, allowing upstream DNS server to be VPN provider through tunnel, impossible with sinkhole.
Instead of Firewalla having to manage and probably pay for specific lists, they would be free and private, and huge value add.
With the built-in list, I see OISD.nl which is great for me, as it's what I use in PiHole, but...it's only the basic list (~65,000) which targets just ads. The fill list there is ~1.1 million and blocks malware/tracking etc.
I'm sure you know all this. Is the reason because the big list is too big, or because the "additional" 1 million sites should be caught by firewalla without the list (since they are "bad" sites). I don't want to turn off my PiHole and use the "basic" list if it increases the likelihood of anything getting on computers on the network. The full list has been great, but if it's not needed, I'd love to cut back to the smaller one.
If I want to block a domain and all subdomains, do I need to add two entires?
Eg:
google.com
*.google.com
So for target lists, I just need to enter the base domain, and all sub-domains will be automatically included. Is this also the case with domain-specific rules or do I still need to use wildcards there? Ideally, the syntax and scope should be consistent between features.
@Robert apparently, matching rules for single domains vs domains in target lists work differently.
To match a domain + any-level-subdomain you would use:
Bare domain in a target list will only match the bare domain.
Updated my original comment.
Hi, I would love to be able to have comments next to each whitelisted item. I whitelist any school or education-related websites for my kids and block everything else, so my main whitelist now has about 160 items. Problem is - I don't remember why I added certain hosts, so, when my kids no longer need a certain web site, I have no easy way of identifying its corresponding hosts and removing them, so the whitelist hygiene isn't great.
This is especially important, because many web sites / services require you to add multiple domains, and often times, just looking at the hostname on the whitelist, it's hard to remember why it is there.
I would love to be able to either have a free form "comment" field, or perhaps the name of the service / web site that each host is related to.
Thanks
The online meeting is just an example. It may have content for example from here https://support.zoom.us/hc/en-us/articles/201362683-Zoom-network-firewall-or-proxy-server-settings
The lists in this article do not show up on my fwg. I'm on the beta version.
Chris, can you explain or link to an explanation on the NordVPN in-bound exploit? By default, everything incoming is blocked. If you are using NordVPN, I can see how something might be possible, but if that's a concern I'd just stop using it.
Just like the "region" blocking and Pi-hole, unless you initiate a connection somewhere, a "response" or in-bound connection request from a random IP is blocked, right? So the outbound block essentially prevents the inbound.
These are custom lists added to Pi-Hole
I mean the lists mentioned in the article (Online Meeting, Netflix Video)
Could someone please tell me: When I create a custom list, is it stored on Firewalla's server, or is it stored somewhere on the box itself as a text file?
This may seem like a stupid question to most of you, but I have seen some odd activities when using the Target List feature. I use the target list feature mostly to ALLOW certain traffic.I will provide an example list below.
*.amazon.com
*.a2z.com
*.amazonaws.com
However, it will still block the following:
compute-1.amazonaws.com
s3-w.us-east-1.amazonaws.com
api.amazon.com
arcus-uswest.amazon.com
My assumption was using the wildcard should allow anything associated with the listed domains. Would anyone be able to explain why my lists are working in this fashion?
I am testing the latest beta which supports target lists editing/creation on the mobile app. Whilst it is now possible to add IPs/domains to a target list when creating a new rule, it doesn’t seem possible to “migrate” existing single IP/domain rules to a target list (new or existing). Would you be willing to consider adding also this functionality?
It is GREAT that you can mute alarms based on target lists! This is only true for personal box target lists. You can define target lists at the MSP-level, but:
- you cannot select an MSP-defined target list when creating a new setting; and,
- the MSP UI does not display target lists correctly when you view the alarm settings
I have here one question too. Not fully understand how it works in practice.
E.g. I have added 2 lines to block my SmartTV from sending out ads stats:
alphonso.tv
*.alphonso.tv
Questions:
@alex
1. These are duplicates. *.alphonso.tv should include everything including alphonso.tv
2 It should include xx.xxx.alphonso ....
3. when you see upload, tap on the flow, if you just see small number of bytes get send out and just one one, likely it is just linux accounting traffic problem.
what is the proper way to enter this url on the target list?
https://sites.google.com/view/iogames/home
i tried different ways but still getting target is invalid.
sites.google.com/view/iogames/home
*.google.com/view/iogames/home
sites.google.com/view/iogames/*.*
@YoavFreiberger, I assume your comment was a suggestion.
I strongly agree with the suggestion to allow Target Lists to auto-populate directly from externally hosted links. It would significantly improve the value of Target Lists and remove the need for a DNS-based solution like pi-hole.
In addition, DNS-based solutions don't help at all when raw IP addresses are used to bypass DNS lookups.
I recommend changing the text of the crypto list to be more clear and concise.
The way it reads now, it sounds like you're saying crypto mining sites are bad, but they aren't. Per the site that hosts the list, "Crypto / cryptojacking based sites
Can break normal “good” crypto sites." This is focused on malicious crypto-related sites and the list does not block legitimate crypto sites nor activities, as your statement suggests.
This could probably be fixed by adding the word "malicious" and removing the word "mining" (because it's really the wallets they are after whether one mines or not) so that it reads something like
"This Target List is used to block known malicious cryptocurrency sites."
I would love the ability to create and manage the target list completely from the app without requiring the web interface for initial creation. With that change, the advanced feature of target lists becomes more powerful for simple app users, while more advanced users can use the web interface.
Is there a way to create a target list with an API?
https://docs.firewalla.net/api-reference/target-lists/
I wrote an app that updates my <20 TLs with ips/urls I get from blocklists online.
Chat GPT should help. Just paste in these examples.
You still have to manually link them to your Rules.
Is there any way to create custom alarms based on a target list without also blocking? For example, “Device” is accessing “target IP/domain” but still allowing the flow. This would be very useful.
I’m seeing seven built in target lists (FWG) today. Only two listed in this article. Please update with short descriptions of each. Thanks!
@John, it works with domains as well. (see the example, facebook[.com is on there)
Target lists do not seem to work if you apply it to "All Devices".
If Applied to a network then it works...
@Shawn, target list should work on all devices, just created a ticket, so our developers can follow up with you.
I think I put the same request months ago and still waiting to see in action.
1. Ability to use wild characters in target list
2. Ability to assign single rule to multiple devices (grouping doesn't solve the requirement).
Looks like hard to code.....
Please sign in to leave a comment.