Create Port Forwading on Gold/Purple

Follow

Comments

8 comments

  • Avatar
    firewalla

    Hi. Can you change the example port mapping to use a different external vs internal port ?

    It's not clear which port number is being used in the Rule you create.

     

    Thanks.

    1
    Comment actions Permalink
  • Avatar
    Geoff Akens

    First, thanks for adding this feature.  It's very useful for self-hosting services behind the Cloudflare DNS proxy.  With this option, I can now limit access to my server to ONLY Cloudflare IP addresses.

    When setting this up, I noticed a bug (I think), and have a suggestion for how the feature could be improved.

    Bug:  I needed to configure rules for every Cloudflare IP range, and for both TCP/80 and TCP/443 (a total of 42 rules).  Adding this many rules is tedious from a phone interface, so I used the web interface.  However, the rules created by the web interface are outbound only, when I wanted inbound only rules.  The web interface does not seem to have a way to specify whether the rule should be inbound or outbound.  I had to use the phone interface to update the rules to be inbound only.

    Improvements:

    1.  Allow multiple ports per rule (i.e. 80, 443).  Currently, I can only add either a single port or a port range.

    2.  Allow custom regions.  It would be nice to be able to create a custom "Cloudflare" region with all of the Cloudflare IP ranges, and then just create a single rule allowing traffic from that region.

    1
    Comment actions Permalink
  • Avatar
    Raul

    @Geoff

    Just set up my Firewalla Purple and I also ran into that same bug with Outbound only rules using the Web GUI. I've found that the Web GUI is very limited in functionality. I've been using it just for reporting/graph purposes. Hopefully the Firewalla team invests more time in the Web GUI when they have the resources.

    Otherwise, amazing product, still tinkering and finding new ways to secure my app-heavy network.

    0
    Comment actions Permalink
  • Avatar
    Ben Smith

    While this article is great, if the device (ie. MyMac) is in a group, how to you select this device? I put all my devices into different groups, so step here "applied the rule to Device MyMac." doesn't work, unless I'm missing something, I can find no way to select a device (ie. my server) which is in a group.

    0
    Comment actions Permalink
  • Avatar
    Support Team

    @Ben Currently, if your device is added to a group, there will be a limit on our app that only allows you to apply rules to the entire group. But I do see the reason why a rule with the local port specified should be a special case. I'll forward your comments to the team and see if we can support this type of rules in future updates. 

     

    1
    Comment actions Permalink
  • Avatar
    Raul

    @Firewalla, add my support for this as well! I had to remove a device from a group due to not being able to add a device-specific local port rule to a device due to being part of a group.

    1
    Comment actions Permalink
  • Avatar
    Eric Flores

    Please correct me if I'm wrong, but as I understand this article, enabling 'Allow on Firewall', as special as it sounds, is the normal NAT behavior from other routers. Right?

    Disabling it can be used to specify a source using rules now, but the implementation will improve in the future.

    0
    Comment actions Permalink
  • Avatar
    Support Team

    "Alow on Firewall" is a firewall rule, not a NAT configuration. When it's disabled, the NAT mapping will still be established, but the firewall will block all traffic by default.

    As you said, with "Allow on Firewall" disabled, you can use Rules to specify what source can access the port. If "Allow on Firewall" is enabled, basically it allows everywhere to access the port.

    0
    Comment actions Permalink

Please sign in to leave a comment.