For Firewalla boxes that are running in router mode, if you skim through the blocked flows in the networks flows, you will see the vast majority are flows being blocked from accessing WAN interface. On the flow detail page, the interface is the WAN interface. But if you go to rules page and tap the "Block Traffic from the Internet" rule on all devices, the hits number may be much less than the number of blocked flows on the WAN interface.
For every inbound traffic, it will be validated by two steps:
- STEP 1 - If this port is open on Firewalla WAN interface. (either a Firewalla local service or port forwarded to a device in the local network). If there is no such open port, it will be blocked by Firewalla
- STEP 2 - If this port is allowed by firewall rules. If there is no allow rule, it will be blocked by rule "Block Traffic from the Internet". This is a rule created by default during setup.
Most of inbound attempts (e.g. scan bots on the internet scans massive IP addresses for vulnerabilities) will be blocked in STEP 1, as the related ports are not open. Only traffic with destination port open on Firewalla WAN interface will be validated by STEP 2.
That's why you may see the hits number on rule "Block Traffic from the Internet" may be significantly lower than the total number of blocked flows on WAN Interface.
Note: IPv6 usually won't have NAT enabled on WAN interface, so IPv6 inbound traffic may directly bypass STEP 1. If your network is mainly IPv6 traffic, the two numbers may be very close.