Control Network Access with Firewalla Rules
Firewalla Rules are powerful tools that make managing access and controlling traffic on your network simple. With just a few taps, you can easily:
- Block YouTube access on your kids' devices at a certain time every day
- Protect your network from gambling and porn sites
- Prevent risky devices from accessing your local network
- And much more!
How do I use Firewalla Rules?
Go to Rules on your box's main page, where you'll find a list of your rules and a summary of their hit counts. This is a new feature introduced in 1.55 Beta. Learn more in the App 1.55 release notes.
To create a new rule, tap Add Rule. You'll need to specify the following:
- Action: Allow or Block. Note that Allow rules take precedence over Block rules and Ad Block.
- Target: what you'd like your rule to block or allow. Firewalla supports blocking apps, IP addresses, domains, regions, Internet access, certain activities, and more.
- Device: which entities the rule applies to. You can select a single device, a device group, a network segment, or all devices.
- Schedule: the active time of a rule can be set as Always, One-Time Only, or Recurring following a daily or weekly schedule.
You can pause or delete a rule from the detail screen of any rule. Pause is useful when you'd like to disable a rule but you don't want to delete it completely. You can customize the duration of the pause.
Domain-only Blocking vs Default Blocking
When you create a rule to block a domain, Firewalla offers two Block Mode options:
- Default – in this mode, Firewalla will look beyond the domain to the IP address of the site, and intelligently block other related sites based on this information. Default blocks are immediate and will block traffic even if a flow has already started. (This mode may also block sites that share the same IP as the domain you are blocking.)
- Domain-Only – in this mode, Firewalla only blocks the domain specified in the rule. Due to how DNS entries are cached in operating systems, it may take a while for the block to take effect.
Subdomains: in both modes above, a block or allow on a domain also applies to all of its subdomains.
In general, you should be using Domain-Only mode, as it is much "safer" and there's less risk that you'll block something you didn't mean to.
The Default Ingress Firewall
If you are running your unit in router mode, Firewalla will by default insert an ingress firewall to block anything that attempts to intrude into your network. Please do not delete or pause this rule.
The ingress firewall will not block network traffic that originates inside your network and goes out.
What's the relationship between different rules?
Between all of Firewalla's features, you may sometimes have rules that conflict. When that happens, the priority of rules follows this hierarchy: Device > Group > Network > Global.
- Device/Group rules take precedence over network rules.
- Network rules take precedence over Global rules.
- At the same level, allow rules take precedence over block rules.
What's the relationship between ALLOW and BLOCK rules?
An ALLOW rule wins over BLOCK rules at the same level and at lower-priority levels (further right in Device > Group > Network > Global). It does not win over BLOCK rules at a higher-priority, more specific level. This means:
- Allow rules at the Network level will not override blocks at the Device or Group level.
- Allow rules at the Device level will override blocks at the Device, Group, Network, and Global level.
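The precedence described in the two sections above can be modelled in a few lines, which is handy for checking why a rule set behaves the way it does before you change it. This is an added example, not Firewalla's own code: the Rule fields, function names and sample domains are assumptions, and it models domain targets only (including the subdomain behaviour), not IP-based Default blocking.

```python
# Added illustration: a simplified model of the precedence described above,
# not Firewalla's implementation. Rule fields and names are assumptions.
from dataclasses import dataclass

# Highest priority first, per the page: Device > Group > Network > Global.
LEVELS = ("device", "group", "network", "global")

@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "block"
    level: str    # one of LEVELS
    domain: str   # target domain; also covers its subdomains

def matches(rule, host):
    """A domain rule applies to the domain itself and to all subdomains."""
    host, dom = host.lower().rstrip("."), rule.domain.lower().rstrip(".")
    return host == dom or host.endswith("." + dom)

def decide(rules, host):
    """Return (action, level) of the winning rule, or None if nothing matches.

    `rules` is the set of rules that apply to one device: its own rules plus
    those of its group, its network and the global scope.
    """
    for level in LEVELS:
        hits = [r for r in rules if r.level == level and matches(r, host)]
        if not hits:
            continue  # no matching rule at this level, try a broader one
        # Within one level, an allow rule beats any block rule.
        action = "allow" if any(r.action == "allow" for r in hits) else "block"
        return action, level
    return None

# Constructed sample rule set for one device.
SAMPLE = [
    Rule("block", "global", "example-video.test"),
    Rule("allow", "network", "example-video.test"),
    Rule("block", "device", "games.test"),
    Rule("allow", "network", "games.test"),
    Rule("allow", "device", "school.games.test"),
]

if __name__ == "__main__":
    for h in ("www.example-video.test", "play.games.test",
              "school.games.test", "notgames.test"):
        print(h, "->", decide(SAMPLE, h))
```

In the sample, the Network-level allow for games.test does not unblock play.games.test because a Device-level block outranks it, while the Device-level allow for school.games.test wins over the Device-level block on its parent domain.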
What happens when a device joins a new device group?
- Any device-level rules will be removed and the device will adopt the rules defined at the group level.
- If a device leaves one group and joins another, the rules for the new group apply.
This is part of our Firewalla Weekly Newsletter. You can sign up here https://firewalla.com/weekly.