When you create a port forwarding rule in NAT settings, you have the option to "Allow on Firewall". This option controls how the open port is managed.
What does "Allow on Firewall" mean?
On Firewalla Gold, each port forwarding rule (Network -> NAT Settings -> Port Forwarding) has a Firewall setting at the bottom called Allow on Firewall. If it is turned on, an allow rule is created in Rules that allows "everything" outside of your network to access the port.
When the Allow on Firewall option is turned on, the port you just created will be accessible to anyone from outside your network.
How to limit access to my local ports?
As of App release 1.45, Firewalla supports rules that match the combination of Local Port + Remote Target. This means you can manually create an Allow Rule that lets certain remote IP addresses, or even a certain Region, access a specific Local Port while keeping the "Allow on Firewall" option turned off in Port Forwarding.
For example, if you have a web server running on your Mac, you can now allow traffic from the United States to access it.
Step 1: Go to Network -> NAT Settings -> Port Forwarding -> Add Port Forwarding, and forward the port TCP 8853 on your device MyMac to the external port 8853.
Step 2: Make sure Allow on Firewall is turned Off for the port forwarding.
Step 3: Go to Rules -> Add Rule, create an Allow rule matching local port TCP 8853 and Region United States, and apply the rule to Device MyMac.
Is my device still protected by Firewalla security protection?
Yes. Security rules and policy rules always have the highest priority in our system. The allow rules on the local ports will not bypass the security rules.
In a future release, we are going to integrate the option to specify the source in the port forwarding UI, so it will be more intuitive and easier to use.