One of the major functions of the Firewalla is to manage traffic on your network, such as "rules", "routes" and "smart queue". All of these features require matching a "target" and applying an action to a device, a group, or a network segment. At the moment, to specify a target, the system only allows one IP/IP segment or one top-level domain. This results in more complex rules. Many of you suggested we should use a list instead.
Introducing Target List
A target list is a set of targets defined with domain(exact or all subdomains) or IP(exact or range), which can be used as a building block to create rules or prioritize a group of targets. If you have a lot of rules, this feature can help you to better organize them.
Firewalla Target List feature will allow you to
- Create your own target list to simplify rules.
- Use an existing pre-created list
Target Lists can be used with the following features
- Rules: access control, content filtering
- Smart Queue: regulate traffic flow
- Policy & Content-based Routing: routing of network traffic
Target List Definition:
- Target Lists can only be created and managed using the Firewalla Web interface
- Rules using Target Lists can be created/managed via the Firewalla Web or App
- Target List items for this version is restricted to 200 items
- Element of target list support following forms
- Exact-match IP - 220.127.116.11
- IP Range in CIDR notation - 192.168.0.1/24
- Exact-match domain- firewalla.com
- Match-all subdomains - *.firewalla.com
(ONLY support the exact form of a single '*.' before the domain name)
- You can only create up to 20 target lists
- Target List is NOT available on Firewalla Red.
Create Target List on Firewalla Web
Login to Firewalla web, click Target List on the left side, you'll see a list of pre-built target Lists owned by Firewalla.
Built-in Target Lists
These list items are maintained by Firewalla and you can use them where target lists are accepted (rules, smart queue, routes), while their definitions are kept proprietary.
|Apple Private Relay||
Apple's iCloud Private Relay feature encrypts DNS requests. However, using it may mean that Firewalla has less information about network traffic and some of your policies may not work as intended. This target list blocks Apple's Private Relay Servers, banning their relay service and returning full visibility to your Firewalla.
This target list consists of known cryptocurrency mining sites and can be used to block cryptocurrency activities.
DShield Block List
DShield.org is a collaborative cyber threat logging system. We recommend that you block this list.
|DoH Services (beta)||
This is a list of well-known DNS-over-HTTPS (DoH) servers. Some browsers have built-in DoH services that encrypt DNS requests, which may get in the way of your rules and policies. You can block this list in order to prevent browser-based DoH from working and ensure that your rules will function as expected.
|Tor Exit Nodes||
A Tor exit node is the gateway between Tor encrypted traffic and the Internet. Blocking this list will block just these Tor nodes.
|Tor Full Nodes||
This list is of all Tor nodes. Be aware that this list is not just exit nodes.
This is a list of known log4j attackers from a public list.
Create your Target Lists
To create your own, click the Create Target List button in the top right corner.
Security example: Here is an example where you can create a target list to identify the "Purple Fox" malware's command and control sites.
Parental Control Example: You can also create specific sites like "gaming" for kids.
Update a Target List
In addition to the web interface, on the Firewalla app, we've supported the ability to quickly add a domain or an IP address from a flow or an alarm to a target list you've created.
For example, if you already have a rule that blocks a list of targets, by simply adding a new domain to the target list, the rule will be updated automatically to block the new target.
Create Rules / Smart Queue/ Routes using Target List
On both Firewalla App and Web Interface, when you create a rule, a smart Queue rule, or a policy-based routing, you can choose to match a target list.
You can view the detail of the target list on the Firewalla App by tapping the "i" icon on the right side of any target list.
Example: Block iCloud Private Relay using pre-defined Target Lists
Apple iCloud Private Relay is one of the most exciting features coming in iOS 15 and macOS Monterey. It will encrypt and obfuscate your source IP address to protect your privacy while using Safari. This is perfect when you are using free Wi-Fi in a cafe or a store and you want to protect your privacy.
Unfortunately, this encryption will also block devices like Firewalla from operating at the network to filter and audit traffic.
Besides turning off iCloud Private Relay directly on your Apple devices, Firewalla has a way to disable the use of this feature on your network by creating a BLOCK rule using the pre-defined Firewalla target list called “Apple Private Relay”.
To create the rule, go to Rules -> Add Rule -> set the target to Target List " Apple Private Relay" -> apply to any device -> Save.
You can also block a list of IPs or domains from accessing a certain port on your local devices, by creating a rule matching a certain Local Port and a Target list.
Example: Prioritize traffic for online meetings
In addition to Firewalla's built-in Apps, you can create a target list and put all the sites you and your company are using for online meetings, then create a smart queue rule to prioritize the meeting traffic using the target list.
- Smart Queue -> Smart Queue rules -> Add Smart Queue Rule
- Set a target -> Target List -> Online Meeting
- Apply it to any devices/network you might use for online meetings.
- Set the Priority to High.
- Save the rule.
Example: Route your Netflix traffic to a certain VPN
If you want all the Netflix traffic on your Apple TV to go to a 3rd party VPN, you can create a target list with the primary domains Netflix is using, then create a policy-based routing rule using the target list.
- Routes -> Add Route
- Set a target -> Target List -> Netflix video
- Select a device -> MyMac
- Select a interface -> 3rd party VPN
- Save the Route
Do I need to import a security list for better security?
You do not have to. Behind Firewalla, there is a "huge list" already integrated with your box. This "huge list" is part of our Firewalla security intel. Please see https://help.firewalla.com/hc/en-us/articles/360049856394-How-to-Secure-Your-Network-with-Firewalla-Part-3-Protect
Since firewalla security intel is fairly dynamic and managed automatically by Firewalla, if you ever need an on/off switch in a list form that's part of your team/work/home policy, you can integrate it with the target list.
Can I create and manage Target List on the phone?
No, you can't, managing lists is a web-only function. Managing lists is a pretty complex process, any mistake is going to be much harder to debug.
I have a list that I think is good, can you integrate it?
Yes, please send the list/pointer to list, to firstname.lastname@example.org
We can not integrate every list out there. The reason is, not all lists are equal, some are well maintained, and some need a lot of work.
Why is the target list limited to 100 elements?
The manual input lists are there for specific usages. For larger lists, it needs to be filtered and cleaned by the software and then imported. This means, a cut/paste of a large list may work in a day or two, without updating it, it just may not work a month out.