Firewalla Rules control which traffic is allowed on your network and devices. The targets for the rules can be Applications, Target Lists, Categories (gaming, adult, video), Network flows (IP, domain, port), regions, the Internet, or the Local Network.
- Definition of Rules
- Rules List
- Default Rules
- Create a Rule
- Pause / Delete a Rule
- Add/Remove Rules at the Device Level
- Block from Alarms
- Rule Stats
- Layered Logic in Rules
- Direction in Rules
- Managing Network Segments with Rules
- How to troubleshoot blocked sites
- How to block applications using rules
- Limiting Access over VPN with Rules
Definition of Rules
A rule defines how you want to control network access for one or more devices. A rule has four basic elements: action, target, device, and schedule. It can be interpreted as the following:
Take an action on matching target(s) and apply to device(s)
following a schedule
For example, if you want to block YouTube access on Kids' Laptop between 7-9 PM every day, you define a rule like this:
Action: block
Target: YouTube
Device: Kids' laptop
Schedule: 7-9pm daily
Rules List
All user-defined rules are shown on the Rules screen under Home > Firewalla > Rules. Rules can be created explicitly as described below, or implicitly: when you use the control buttons on a device's home screen (for example, blocking or allowing all gaming sites), a rule is created automatically and appears in the Rules list.
Default Rules
If you are running your unit in router mode, Firewalla by default inserts a "stateful" firewall rule that blocks any unsolicited connection attempting to enter your network, while still allowing the replies to connections your devices initiate. Please do not delete or pause this rule.
In addition to the default ingress firewall, Firewalla will set some default rules through Active Protect, our built-in Intrusion Detection/Prevention Service. Active Protect automatically detects, blocks, and alerts you of suspicious connections. Read more about Active Protect.
Create a Rule
To create a new rule, go to the Home screen > Firewalla > Rules > Add Rule. You'd need to specify the following:
1. Action
Action can be one of the following:
- Allow
- Block
At the same level, Allow rules always take precedence over Block rules and over the Ad Block feature. In effect, an Allow rule is an exception carved out of the Block rules that would otherwise apply to everything (see Direction in Rules below for how direction affects Allow rules).
However, Allow rules do not override the Family Protect (3rd party) and Safe search features.
2. Target and Target Category
You can choose target(s) to allow/block based on one or a combination of the following items:
- Application
- Target List
- IP Address
- Range of IP Address
- Domain name
- Remote port
- Local port
- Region
- Local Network (Firewalla Gold and Purple only)
- Internet (all internet sites)
Application: The App list is sorted alphabetically, and it will be continually updated. Only blocking rules are supported when matching Applications.
Target List: You can create a list of domains or IPs and then use that list to allow or block all of the items in that list. See Target Lists for more details.
Domain Name: You can define the target as a domain (e.g., abc.com) or subdomain (e.g., x.abc.com).
- When you block a domain, all subdomains and IP addresses mapped to the domain and subdomains are blocked as well. (e.g., "google.com" would also block "images.google.com")
- A top-level domain (TLD) can be blocked with wildcard notation, e.g. *.adult, or a country-code TLD such as *.ru.
- There are two block modes:
- Default: the rule blocks the domain's names and the IP addresses they resolve to. If two different domains resolve to the same IP address, blocking one also blocks the other, seemingly unrelated, domain.
- Domain-Only: a less restrictive mode that matches on the domain name only, so other domains hosted on the same IP are not accidentally blocked. However, some applications contact their servers by IP address rather than by domain name, in which case a domain-only rule will not catch that traffic.
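The two block modes differ in what they match, and the difference is easiest to see with a small resolver table. The following is an added example, not Firewalla's code: it implements the documented matching behaviour (a domain target covers its subdomains, "*.tld" covers a whole TLD) and compares Default mode, which also blocks the resolved IP addresses and so hits any other name on the same address, with Domain-Only mode. The DNS table, host names and 203.0.113.x addresses are constructed for the example.

```python
from typing import Dict, Set

# Constructed resolver table for the example: two unrelated names share 203.0.113.10.
DNS_TABLE: Dict[str, str] = {
    "www.example.com":  "203.0.113.11",
    "shop.example.com": "203.0.113.10",
    "blog.example.org": "203.0.113.10",   # shares an IP with shop.example.com
    "news.example.ru":  "203.0.113.20",
}


def domain_matches(target: str, host: str) -> bool:
    """True if `host` falls under rule target `target`.

    - "example.com" matches example.com and every subdomain (images.example.com),
      but not a different name that merely ends in the same letters (notexample.com).
    - "*.ru" matches every name whose last label is "ru" (TLD wildcard).
    """
    target = target.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if target.startswith("*."):
        return host.endswith(target[1:])          # "*.ru" -> suffix ".ru"
    return host == target or host.endswith("." + target)


def blocked_hosts(target: str, mode: str, dns: Dict[str, str]) -> Set[str]:
    """Names in `dns` that a Block rule for `target` would cut off.

    mode="default":     names matching the target AND every other name that
                        resolves to one of the same IP addresses (collateral blocking).
    mode="domain-only": only the names matching the target.
    Neither mode catches an application that connects to an IP directly without
    a DNS lookup; Default mode catches it only if that IP was learned from a
    matching name.
    """
    by_name = {h for h in dns if domain_matches(target, h)}
    if mode == "domain-only":
        return by_name
    if mode != "default":
        raise ValueError(f"unknown block mode: {mode}")
    blocked_ips = {dns[h] for h in by_name}
    return by_name | {h for h, ip in dns.items() if ip in blocked_ips}


if __name__ == "__main__":
    for mode in ("default", "domain-only"):
        print(f"block example.com ({mode}):", sorted(blocked_hosts("example.com", mode, DNS_TABLE)))
    print("block *.ru (default):", sorted(blocked_hosts("*.ru", "default", DNS_TABLE)))
```

Running it shows blog.example.org disappearing only in Default mode: that is the "seemingly unrelated domain" case from the warning above, and the reason to pick Domain-Only when the target is hosted on shared infrastructure.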
IP Range: You can define a group of IP addresses by specifying a range in CIDR notation (e.g. 192.168.100.0/24, which covers 192.168.100.0 through 192.168.100.255).
Remote Port: Think of this as egress or outbound traffic. You can block or allow outbound access to a port or a range of ports. For example, blocking remote ports 6881-6889 blocks traffic to the default port range used by many BitTorrent clients (a client configured to use other ports will not be caught by this rule).
You can also create rules matching the combination of a domain, IP address or IP range with remote ports. A protocol (TCP or UDP) can be specified as well; if no protocol is specified, both are included.
This is often done by pairing a "Block all traffic" rule with an Allow rule for a specific port.
Local Port: Think of this as ingress or inbound traffic. You can block or allow others from accessing local services by specifying a Local Port together with a Remote Target. For example, if you run a web server, you can create a rule that allows traffic from any region to reach a specific port on that server.
Local ports can also be used to allow or block traffic matching those port(s) from local networks, applied to devices by LAN, group, or individual device.
Local Network: On Firewalla Gold or Purple series boxes, you can block traffic between local networks by selecting any local network -> Traffic from/to the local network, then apply the rules to another network or device.
Here are more details on How to use rules to segment your network.
Internet Block: You can block traffic from the Internet, to the Internet, or both from and to the Internet. With app release 1.53, you can select the DNS Blocking option for rules matching "Traffic from & to Internet" or "Traffic to Internet" to help you block all DNS requests in addition to other connections between a device and external hosts. You can see a video tutorial here.
Target Category
You can also choose from a set of system-managed target categories. The following categories are supported:
- Gaming
- Social
- Video
- Porn
- P2P
- Gambling
- Shopping
- VPN
Each category contains a list of domains or IP addresses associated with specific types of activities. Firewalla automatically populates the list in each category by learning the traffic in your network, but you can also view and edit the list manually.
The list of target categories can be found on the Target screen. Tap on the "i" icon next to a category, and you will see all its included targets. Tap on "+" to add a new target, or tap on an item to see the delete option.
For example, you've blocked "All Video Sites" for your phone, but the iTunes Apple store is automatically included. If you want to be able to access the iTunes Apple store, you can simply remove this destination from the All Video Sites category.
3. On
Once you've defined the target, you can choose which device(s) to apply the rule. You can select:
- a single device
- a device group
- a network segment (Firewalla Gold and Purple series boxes only)
- or all devices
4. Schedule
The active time of a rule can be set as:
- "Always" (never expires unless deleted)
- "One-Time-Only" (expires after configured time)
- Recurring following a daily or weekly schedule
For example, if you want to block Kids' Laptop from accessing Facebook every weeknight from 9 PM to 7 AM (the next day), you can create a new rule:
- Block
- Target: "domain" -> "facebook.com"
- block mode: Default
- Device: Kids' Laptop
- Schedule: "every week, Monday through Friday, from 9 PM to 7 AM (next day)"
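The weeknight schedule above has an edge case worth being explicit about: a window that runs "9 PM to 7 AM (next day)" belongs to the day it started on, so Saturday 2 AM is inside Friday's window, while Monday 2 AM is not inside any window because Sunday is not a scheduled day. The following is an added example, not Firewalla's scheduling code, that models a recurring schedule that way; the Schedule type, the helper names and the 2024 timestamps are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from typing import FrozenSet

MON, TUE, WED, THU, FRI, SAT, SUN = range(7)   # same numbering as datetime.weekday()


@dataclass(frozen=True)
class Schedule:
    start: time                 # local time the window opens, e.g. 21:00
    end: time                   # local time it closes; end <= start means "next day"
    days: FrozenSet[int]        # weekdays on which a window *starts*


def is_active(schedule: Schedule, now: datetime) -> bool:
    """True if `now` falls inside one of the schedule's recurring windows.

    A window that crosses midnight is attributed to the day it started on, so
    Saturday 02:00 belongs to Friday's window and Monday 02:00 to Sunday's.
    """
    crosses_midnight = schedule.end <= schedule.start
    today = now.date()
    # Only a window that started today, or (if it crosses midnight) yesterday, can cover `now`.
    candidates = [today, today - timedelta(days=1)] if crosses_midnight else [today]
    for start_day in candidates:
        if start_day.weekday() not in schedule.days:
            continue
        opens = datetime.combine(start_day, schedule.start)
        close_day = start_day + timedelta(days=1) if crosses_midnight else start_day
        closes = datetime.combine(close_day, schedule.end)
        if opens <= now < closes:
            return True
    return False


# The article's example: block facebook.com on weeknights, 9 PM to 7 AM the next day.
WEEKNIGHTS_9PM_TO_7AM = Schedule(time(21, 0), time(7, 0), frozenset({MON, TUE, WED, THU, FRI}))


def weeknight_block_active(local_iso_timestamp: str) -> bool:
    """Is the weeknight block in force at this local time ('YYYY-MM-DDTHH:MM')?"""
    return is_active(WEEKNIGHTS_9PM_TO_7AM, datetime.fromisoformat(local_iso_timestamp))


if __name__ == "__main__":
    # 2024-01-08 is a Monday, 2024-01-10 a Wednesday, 2024-01-13 a Saturday.
    for ts in ("2024-01-10T22:00", "2024-01-13T02:00", "2024-01-08T02:00", "2024-01-13T22:00"):
        print(ts, "blocked" if weeknight_block_active(ts) else "allowed")
```

When checking a rule like this in the app, test it at a time on the far side of midnight (for example Saturday morning), not only in the evening, to confirm the window behaves the way you intended.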
Pause / Delete a Rule
You can pause a rule from the rules detail screen. Pause is useful when you'd like to temporarily disable the rule without having to delete or reschedule the rule.
To customize the duration when pausing rules, tap Pause Rule > Custom… > pick any duration > tap Done. A rule can also be paused for "Today," which means it will be paused until the end of the day.
"Always Pause" will keep the rule in place, but it will be inactive until you Resume it.
To delete a rule, tap Delete on any rule's detail page.
A deleted rule cannot be recovered or reactivated and has to be created from scratch if you need it again.
Manage Rules at the Device/Group/Network Level
You can easily block/unblock internet access for a device. On the device detail screen, there is a set of control buttons. You can block all internet access on this device or only block certain categories of access (e.g., Games, Social, Video activities). The button can cycle through "Block off" (unblock), "Block for 1 hour" (temporary block), and "Block on" (permanently block) with each tap.
All blocking rules activated by the control buttons will also appear under the Rules listing screen. You can also create additional rules on this device by tapping the "+" icon.
Block Rules Created from Alarms
When you receive an alarm, you'll see an option to "Block" under the alarm summary. Depending on the type of alarm, you may see multiple options under Block. In the following example, you can either block the specific domain or the type of activity (Gaming) altogether. Depending on your selection, a new rule will be created. You can view and manage the rule on the Rules screen.
Rule Stats
To help you better understand how effective your rules are, we show you statistics about how many flows are hit by a certain rule. On the main rules page, you'll see a summary bar at the top of the Rules page showing you the total hit count of all Allow and Block rules.
Additionally, there is a rule stats section for each rule. In addition to telling you how many flows have triggered the rule, this section also shows when the last hit happened. You can tap on the "Reset rules stats" text button to reset the stats for each rule separately.
Note: If you have no port forwarding set up, the default stateful firewall drops all unsolicited inbound connections before rule hit counting takes place, so the hit count of an inbound Block rule will stay at 0.
Layered Logic in Rules
The operational state of network access on a particular device is determined by rules defined at multiple layers:
- Rules for the device itself
- Rules for the Group the device belongs to, if any
- Rules for the network segment where the device is connected (Firewalla Gold and Purple series boxes only)
- Global rules that apply to all devices
A network segment is a special device group. Its membership is dynamic, based on physical connectivity: rules defined for a network segment apply to whatever devices are currently connected to it. If a device leaves the "LAN" network and joins the "IoT" network, the rules for "LAN" no longer apply to it and the rules defined for "IoT" do.
Device group membership is static. Group rules apply to all member devices regardless of which network segment a device is connected to.
To avoid accidentally cutting off the whole network, blocking all Internet access is only supported for some devices rather than for everything at once.
Rules Logic
The logic for rules processing is the following:
- All previously defined device-level rules will be removed when a device joins a group. The device will adopt the rules defined at the group level (block rules can still be created at the device level from alarms and network flows).
- If a device leaves one Group and joins another the rules for the new Group apply.
- A device or device group will inherit the Network and Global rules if there is no conflict.
When there is conflict between rules:
The priority of different levels is Device > Group > Network > Global. Meaning when there is a conflict:
- Device/Group rules take precedence over network rules.
- Network rules take precedence over Global rules.
- At the same level, allow rules take precedence over block rules.
One exception: an inbound Allow rule takes effect only after the flow has passed all Block rules; the only blocking it overrides is the default inbound blocking applied to all devices.
Examples
- If you have a rule that allows a domain globally but another rule that blocks the Internet on a specific device, that device will not be able to access that domain. The priority here is Device > Global.
- On a device, if you have one rule that allows the region US and another rule that blocks YouTube, that device will still be able to access YouTube because traffic to the entire region (including where YouTube is hosted) is allowed. The priority is Allow > Block on the same level.
- If a network has a rule to block All Gaming Sites, then all devices in the network will have games blocked, because devices inherit rules from the network they belong to when there is no conflict.
- If a network has a rule to block All Gaming Sites, but a device (or a device group) in that network has a rule to allow nintendo.com, that device can play games on nintendo.com. When there is a conflict, the priority is Device > Network.
- If a network has a rule to block Traffic from the US, but a device in that network has a rule to allow Traffic from the Internet on a local port, US traffic can't connect to that device via that port.
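The precedence rules above are easy to misread, so here is an added example, not Firewalla's implementation, that models them as documented and replays the five examples. The model is: for outbound traffic the most specific level (Device > Group > Network > Global) that has any matching rule decides, and at that level Allow beats Block; for inbound traffic any explicit Block rule at any level wins, an Allow rule only overrides the default stateful firewall, and with no matching rule the flow is dropped. Allow rules default to outbound only and Block rules to both directions, as described under Direction in Rules. The Rule and Flow types, the target keys and the domain names are assumptions made for the example; only the verdicts are taken from the article.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

LEVELS = ("device", "group", "network", "global")   # highest priority first


@dataclass
class Flow:
    """One connection as seen from the local device."""
    direction: str                    # "outbound" (device -> remote) or "inbound" (remote -> device)
    internet: bool = True             # remote host is on the Internet, not on a local network
    domain: Optional[str] = None
    category: Optional[str] = None
    region: Optional[str] = None
    local_port: Optional[int] = None


@dataclass
class Rule:
    action: str                       # "allow" or "block"
    level: str                        # one of LEVELS
    target: Dict[str, object]         # e.g. {"domain": "nintendo.com"} or {"internet": True, "local_port": 3389}
    direction: Optional[str] = None   # "outbound", "inbound" or "both"

    def __post_init__(self) -> None:
        assert self.action in ("allow", "block") and self.level in LEVELS
        if self.direction is None:
            # Documented defaults: Allow rules are outbound only, Block rules bi-directional.
            self.direction = "outbound" if self.action == "allow" else "both"

    def matches(self, flow: Flow) -> bool:
        if self.direction not in ("both", flow.direction):
            return False
        for key, want in self.target.items():
            have = getattr(flow, key)
            if key == "domain":
                # A domain target covers the domain itself and all of its subdomains.
                if have is None or not (have == want or have.endswith("." + want)):
                    return False
            elif have != want:
                return False
        return True


def evaluate(rules: List[Rule], flow: Flow) -> str:
    """Return "allow" or "block" for `flow` under the documented layered logic."""
    matched = [r for r in rules if r.matches(flow)]
    if flow.direction == "inbound":
        # Inbound exception: an Allow rule is only an exception to the implicit stateful
        # firewall; an explicit Block rule at any level still wins.
        if any(r.action == "block" for r in matched):
            return "block"
        if any(r.action == "allow" for r in matched):
            return "allow"
        return "block"                # default stateful firewall in router mode
    # Outbound: the most specific level with a matching rule decides; Allow beats Block there.
    for level in LEVELS:
        at_level = [r for r in matched if r.level == level]
        if at_level:
            return "allow" if any(r.action == "allow" for r in at_level) else "block"
    return "allow"


def documented_examples() -> Dict[str, str]:
    """Replays the article's five examples; each key names the example."""
    out: Dict[str, str] = {}
    # 1. Global Allow of a domain vs. device-level Block Internet: Device > Global.
    rules = [Rule("allow", "global", {"domain": "example.com"}),
             Rule("block", "device", {"internet": True})]
    out["global_allow_vs_device_block_internet"] = evaluate(rules, Flow("outbound", domain="example.com"))
    # 2. Same device: Allow region US and Block youtube.com: Allow > Block at the same level.
    rules = [Rule("allow", "device", {"region": "US"}),
             Rule("block", "device", {"domain": "youtube.com"})]
    out["allow_region_vs_block_domain"] = evaluate(rules, Flow("outbound", domain="www.youtube.com", region="US"))
    # 3. Network blocks gaming; the device has no conflicting rule, so it inherits the block.
    rules = [Rule("block", "network", {"category": "gaming"})]
    out["inherit_network_block"] = evaluate(rules, Flow("outbound", category="gaming", domain="play.example.net"))
    # 4. Network blocks gaming, device allows nintendo.com: Device > Network.
    rules = [Rule("block", "network", {"category": "gaming"}),
             Rule("allow", "device", {"domain": "nintendo.com"})]
    out["device_allow_vs_network_block"] = evaluate(rules, Flow("outbound", category="gaming", domain="nintendo.com"))
    # 5. Network blocks traffic from the US; device allows inbound Internet traffic on a local port.
    rules = [Rule("block", "network", {"region": "US"}),
             Rule("allow", "device", {"internet": True, "local_port": 3389}, direction="inbound")]
    out["inbound_allow_vs_network_block"] = evaluate(rules, Flow("inbound", region="US", local_port=3389))
    return out


if __name__ == "__main__":
    for name, verdict in documented_examples().items():
        print(f"{name}: {verdict}")
```

Example 2 is the one to keep in mind when writing Allow rules: a broad target such as a region or a port range at the same level silently swallows every Block rule beside it, which is why the warnings below advise against using such targets for exceptions.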
WARNINGS
- If you block a domain in default mode, other domains may also be blocked due to both domains being hosted at the same IP. You can find more details here: How does Firewalla block domains?
- Please be careful when you block Regions. The Internet and its data centers are distributed across the world.
Example: "firewalla.com" is hosted on Shopify, and Shopify is in Canada. Since many shops use Shopify, you will likely have trouble shopping if you block Region: Canada.
- Port-based and Regional targets are fairly large. Please try not to use them to "allow" or give an exception to your rules. Please take a look at this article for a better way to do port opens.
- Allow rules are always like exceptions. For example, if you block YouTube and ALLOW the USA region, the YouTube block will not take effect since YouTube is in the USA, which is an exception.
Direction in Rules
Firewalla allows directional ALLOW rules. The direction for allow rules can be:
- Outbound only: This is the default setting. It allows traffic from your devices to the target, but not the other way around.
- Bi-directional: It will allow all traffic between the target and your local device. If a rule is set to bi-directional, others from outside your network can access your local devices. This may increase security risks, so if you are unsure about it, we recommend using the default setting.
Blocking rules are bi-directional unless specified in Internet or Local Network targets.
Managing Network Segments with Rules
Network segmentation is one way to increase your network's security and performance. You can use network segments to restrict communication between devices, create a secure guest network, and securely connect to your home network while remote. After your network is segmented, you can apply rules and policies to each subnetwork. Subnetworks can fully see and talk to each other by default, so you may find it useful to restrict what parts of the local network they have access to by setting Block rules for traffic on other local networks.
You can also:
- Use the Smart Queue feature to prioritize traffic on certain segments.
- Use the route feature to specify how traffic moves over each segment.
Limiting Access over VPN with Rules
You can also give a remote device limited access over VPN. For example:
- Block all access from the VPN profile to local networks. If several devices will use the same pattern, you can apply this rule to all WireGuard profiles instead of a single profile.
- Allow access to the IP of the specific device you want to reach, optionally restricted to a specific port (for example RDP on TCP port 3389). If you use this approach, you should also set an IP reservation for the target device so the rule keeps pointing at the right host.
Note: this works best with WireGuard because each WireGuard profile is specific to a single device.
Similarly, you could limit VPN access to just specific LANs or VLANs as needed.
Comments
49 comments
2 nice features to have would be
1) exceptions to block rules, ex: on my Firewalla Gold I have 4 VLANs: IoT, Guest, Mgmt, and Domain. On my IoT and Guest VLANs I block traffic to all other network segments, but I run a DNS server in the management network. It would be nice if I could make an exception to the network block rule that allows my devices to talk to that 1 mgmt IP, or if you could have a checkbox that allows me to set a global rule to override lower rules.
2) it would be nice to be able to specify multiple targets, the obvious example from above would be to specify that the clients on other segments could talk to the DNS server IP on port 53 only.
Maybe one day, once you get all of these awesome user-friendly features added, you can create advanced user options. Like give us a page to view an advanced rule layout where we could see all of the rules in one interface and re-arrange the order more granularly, so we could move an allow/deny rule to the specific position in the list where we want it to be evaluated, or even be able to move to a configuration where there is an implicit deny so if a client is otherwise allowed it is denied.
Looks like things have changed and some of these comments may no longer apply. I have several IoT devices that should only communicate with a parent domain (e.g. honeywell.com). So I want to block any external internet traffic (not local) to/from that device if not *.honeywell.com. I would expect a rule to 1) block all internet to the device and 2) allow *.honeywell.com to work, but it blocks everything...
restricting traffic to a domain should be a common use case - no?
This may just be a bit picky, but your use of the term “bi-directional” isn’t really accurate in this case. In the traditional case for a firewall, bi-directional means that the connection can be initiated by either side. In the example, it would mean that Facebook could initiate a connection to the internal device. This would only be possible if the FW implements a NAT because the internal device has a private address (IPv4) that is not routable/reachable from the Internet. And because we only normally have a single public IP in IPv4, it would have to be a port-based NAT, which is problematic at best.
What is the use-case for bi-directional in the firewall rule? Do you just mean that the replies are allowed (that’s stateful, not bi-directional)? Or do you truly intend it to mean that we are opening up an internal device to the Internet and, if so, how is the NAT handled for IPv4 traffic? Or is that only for IPv6 traffic, in which case you need to have IPv6 enabled and an ISP that assigns a redistributable block of IPv6 addresses.
@heath what firewalla means is yes an external connection could theoretically be completed. It does not include reply traffic which is already allowed. It is also correct that without a portforward, that connection would not happen.
It would really be nice to get a feature update that would log each rule hit (source,destination, port, timestamp, etc) as well as a rule hit counter for verification of rules and traffic patterns.
Is there a way to Name rules? If not can it be a potential feature addition?
I have several IP allow rules so I can remote in from different places. I'd love to be able to name them so I don't need to look up the IP's when pausing or unpausing.
There is a notes section. is it what you want? or you want to display the notes while looking at the rules?
Well, actually, if the note could display when looking at the rules, that would be perfect. No need to add a name.
Is there a way to programmatically create a rule or remove a specific rule? For instance, I want the ability to open a port to a specific external ip, but only once that ip authenticates with a server outside the network. Then once the session is complete there is an internal call to turn off the rule. The call to add or remove could be limited to a specific/ip server inside the network that has a tunnel with the outside server to limit exposure.
Not currently, @Stacy. I don't know if Firewalla has any plans for such a feature. You could set up a reverse proxy with authentication. There are some threads about that.
@Firewalla
Is there any way to allow/block specific combinations like destination IP range plus ports?
I tried from web UI but I could not achieve it
this https://help.firewalla.com/hc/en-us/articles/1500009502622-How-to-limit-access-to-open-port-or-port-forwarded- ?
Is there a way to create a rule between two device groups? For example, I want a "Printers" group, containing printers. I'll give it a simple set of rules for this example: 1) Allow access TO the internet, 2) Block access to local networks. Basically, I'll allow the printer to download updates from the manufacturer, and I don't want it to be allowed to contact any local devices. Then I create another group called "Users", and I want to create a rule to allow "Users" to connect TO the group 'Printers". I don't want to open "Users" to connect to all of the local network, just the group "Printers".
I can specify a group name for who the rule is applied to, but I can't see how to specify a group name for the target.
When I have hardwired devices, I can use VLANs to accomplish this. But on the WiFi, I don't have a way to identify devices other than the device groups I assign them to (or they default into quarantine).
What about protocols (tcp/udp) ?
Like in your example, I figured out that it is possible to apply on a specific protocol targeting for instance 'www.foo.com,udp:443', but what happens when no protocol is specified? Does denying or allowing a target on a given port apply to both TCP and UDP, or only to TCP?
@DC-firewalla you can only make rules meaningfully if devices are on different subnets. So if the Groups contain devices on different subnets that will work, otherwise it will not. This is because devices on the same subnet can't be blocked from each other.
@Bertrand,
If you are using Remote or local port you have to specify TCP, UDP, or both. If you are using an IP range it is just port number and I believe that covers "both".
Any plans to provide granular controls over blocking rules? There are scenarios that I want to block only uploads but keep the downloads.
With a Rule like:
Allow Domain time.nist.gov Outbound only
Will the firewall allow the inbound response from the server? Or do I need to enable Bi-directional to get the response?
@MP you do not need bi-directional for the response. Bi-directional would allow time.nist.gov to initiate connections to your network. Probably not a good thing.