If you skim through the blocked flows of a Firewalla box in router mode, you'll see that the vast majority are inbound flows blocked from accessing a WAN interface. However, if you go to the Rules page and tap the "Ingress Firewall" rule, its hit count may be much lower than the number of blocked flows on the WAN interface.
Every piece of inbound traffic is validated by two steps:
- STEP 1 - Check whether this port is open on the Firewalla WAN interface (either a Firewalla local service or a port forwarded to a device in the local network). If there is no such open port, the traffic is blocked by Firewalla.
- STEP 2 - Check whether this port is allowed by firewall rules. If there is no allow rule, the traffic is blocked by the "Ingress Firewall" rule, which is created by default during setup.
Most inbound attempts (e.g. scan bots on the internet scanning massive ranges of IP addresses for vulnerabilities) are blocked in STEP 1, because the related ports are not open. Only traffic whose destination port is open on the Firewalla WAN interface is validated by STEP 2.
That's why the hit count on the "Ingress Firewall" rule may be significantly lower than the total number of blocked flows on the WAN interface.
Note: IPv6 usually does not have NAT enabled on the WAN interface, so IPv6 inbound traffic may bypass STEP 1 entirely. If your network carries mainly IPv6 traffic, the two numbers may be very close.
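The two-step validation above, as an added example that is not Firewalla's own code: a small model that classifies constructed inbound flow records as blocked in STEP 1, blocked by the default "Ingress Firewall" rule in STEP 2, or allowed, and tallies them to show why the two counters diverge (and why IPv6 flows skip STEP 1). The open ports, allow rules and addresses are made up for the demo.

```python
# Added example (not Firewalla's code): a small model of the two-step inbound
# validation described above, run over constructed flow records, to show why the
# "Ingress Firewall" hit count is lower than the total of blocked WAN flows.
from collections import Counter
from dataclasses import dataclass

@dataclass
class Flow:
    src: str
    dst_port: int
    proto: str = "tcp"
    ipv6: bool = False  # IPv6 has no NAT on WAN, so it skips STEP 1

@dataclass
class WanPolicy:
    open_ports: set   # (proto, port) open on WAN: local services + port forwards
    allow_rules: set  # (proto, port) explicitly allowed by firewall rules

def classify(flow: Flow, policy: WanPolicy) -> str:
    """Verdicts: 'blocked_wan' (STEP 1), 'blocked_ingress' (STEP 2, default
    "Ingress Firewall" rule), or 'allowed' (matched an allow rule)."""
    key = (flow.proto, flow.dst_port)
    # STEP 1: port must be open on the WAN interface; applies to NAT'd IPv4 only.
    if not flow.ipv6 and key not in policy.open_ports:
        return "blocked_wan"
    # STEP 2: firewall rules; anything without an allow rule hits Ingress Firewall.
    return "allowed" if key in policy.allow_rules else "blocked_ingress"

def tally(flows, policy: WanPolicy) -> Counter:
    """Count verdicts; blocked_wan + blocked_ingress = all blocked WAN flows."""
    return Counter(classify(f, policy) for f in flows)

# Constructed policy: tcp/443 is forwarded and has an allow rule; udp/51820 is
# an open local service with no allow rule (both values are made up for the demo).
POLICY = WanPolicy(open_ports={("tcp", 443), ("udp", 51820)},
                   allow_rules={("tcp", 443)})

# Constructed inbound flows (documentation addresses, not real traffic).
SAMPLE_FLOWS = [
    Flow("198.51.100.7", 22),            # scanner probing SSH    -> STEP 1
    Flow("198.51.100.7", 3389),          # scanner probing RDP    -> STEP 1
    Flow("203.0.113.9", 23),             # scanner probing telnet -> STEP 1
    Flow("203.0.113.9", 443),            # reaches the forward    -> allowed
    Flow("192.0.2.44", 51820, "udp"),    # open, no allow rule    -> Ingress Firewall
    Flow("2001:db8::1", 22, ipv6=True),  # IPv6: no NAT, straight to STEP 2
]

if __name__ == "__main__":
    print(dict(tally(SAMPLE_FLOWS, POLICY)))  # {'blocked_wan': 3, 'allowed': 1, 'blocked_ingress': 2}
```

Of the five blocked flows, only two count as "Ingress Firewall" hits; the three scanner probes never reach STEP 2.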