Manage Rules

Comments

42 comments

  • Travis

    Two nice features to have would be:

    1) Exceptions to block rules. Ex: on my Firewalla Gold I have 4 VLANs: IoT, Guest, Mgmt, and Domain. On my IoT and Guest VLANs I block traffic to all other network segments, but I run a DNS server in the management network. It would be nice if I could make an exception to the network block rule that allows my devices to talk to that one mgmt IP, or if you could have a checkbox that allows me to set a global rule to override lower rules.

    2) It would be nice to be able to specify multiple targets. The obvious example from above would be to specify that the clients on other segments could talk to the DNS server IP on port 53 only.

    Maybe one day, once you get all of these awesome user-friendly features added, you can create an advanced user options page. Give us a page to view the advanced rule layout where we could see all of the rules in one interface and re-arrange the order more granularly, so we could move an allow/deny rule to the specific position in the list where we want it to be evaluated, or even be able to move to a configuration where there is an implicit deny, so that a client that is not otherwise allowed is denied.

    0
  • networker5

    Looks like things have changed and some of these comments may no longer apply. I have several IoT devices that should only communicate with a parent domain (e.g. honeywell.com). So I want to block any external internet traffic (not local) to/from that device if it is not *.honeywell.com. I would expect a rule to 1) block all internet to the device and 2) allow *.honeywell.com to work, but it blocks everything...

    Restricting traffic to a domain should be a common use case, no?

    0
  • heath

    This may just be a bit picky, but your use of the term “bi-directional” isn’t really accurate in this case.  In the traditional case for a firewall, bi-directional means that the connection can be initiated by either side.  In the example, it would mean that Facebook could initiate a connection to the internal device.  This would only be possible if the FW implements a NAT because the internal device has a private address (IPv4) that is not routable/reachable from the Internet.  And because we only normally have a single public IP in IPv4, it would have to be a port-based NAT, which is problematic at best.

    What is the use-case for bi-directional in the firewall rule?  Do you just mean that the replies are allowed (that’s stateful, not bi-directional)?  Or do you truly intend it to mean that we are opening up an internal device to the Internet and, if so, how is the NAT handled for IPv4 traffic?  Or is that only for IPv6 traffic, in which case you need to have IPv6 enabled and an ISP that assigns a redistributable block of IPv6 addresses.

    0
  • Michael Bierman

    @heath what Firewalla means is yes, an external connection could theoretically be completed. It does not include reply traffic, which is already allowed. It is also correct that without a port forward, that connection would not happen.

    0
  • Ethan Romero
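The distinction heath draws and Michael Bierman confirms, as an added example that is not Firewalla's code and not part of the original thread: reply packets pass because the filter remembers the flow the LAN host opened (stateful), while a new connection initiated from the Internet is refused unless that internal port has been explicitly opened (the firewall-rule meaning of bi-directional, which for IPv4 also needs a port forward on the NAT). The `Packet` and `StatefulFilter` names, the `192.168.` LAN prefix and the addresses are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool          # True for the packet that initiates a connection


class StatefulFilter:
    """Toy stateful filter: one private LAN behind a single public address (constructed)."""

    def __init__(self, lan_prefix="192.168.", inbound_open=()):
        self.lan_prefix = lan_prefix
        # (internal_ip, port) pairs explicitly opened to the Internet, i.e. the
        # "either side may initiate" meaning of bi-directional. Empty by default.
        self.inbound_open = set(inbound_open)
        self.flows = set()  # established flows recorded as (src, sport, dst, dport)

    def is_lan(self, ip):
        return ip.startswith(self.lan_prefix)

    def check(self, p):
        forward = (p.src, p.sport, p.dst, p.dport)
        reverse = (p.dst, p.dport, p.src, p.sport)
        # Stateful part: any packet belonging to a flow already admitted passes in
        # both directions. This is what lets replies through; it is not a policy
        # that the remote side may open connections.
        if forward in self.flows or reverse in self.flows:
            return "allow: established"
        if not p.syn:
            return "deny: not part of an established flow"
        if self.is_lan(p.src) and not self.is_lan(p.dst):
            self.flows.add(forward)
            return "allow: new outbound"
        if not self.is_lan(p.src) and self.is_lan(p.dst):
            # Bi-directional in the firewall-rule sense: the Internet side may
            # initiate only if this internal port was deliberately opened.
            if (p.dst, p.dport) in self.inbound_open:
                self.flows.add(forward)
                return "allow: new inbound, explicitly opened"
            return "deny: unsolicited inbound"
        return "deny: no matching policy"


def demo():
    lan_host, web = "192.168.1.20", "198.51.100.10"   # constructed addresses
    fw = StatefulFilter()
    outbound = fw.check(Packet(lan_host, 51000, web, 443, syn=True))
    reply = fw.check(Packet(web, 443, lan_host, 51000, syn=False))
    inbound = fw.check(Packet(web, 40000, lan_host, 443, syn=True))
    # The same inbound attempt against a filter where (lan_host, 443) is opened.
    opened = StatefulFilter(inbound_open={(lan_host, 443)})
    inbound_opened = opened.check(Packet(web, 40000, lan_host, 443, syn=True))
    return outbound, reply, inbound, inbound_opened


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The reply is allowed purely because the outbound flow was recorded first; dropping that record (or sending the reply before any outbound packet) turns it into a deny, which is the stateful behaviour heath describes as distinct from bi-directional.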

    It would really be nice to get a feature update that would log each rule hit (source, destination, port, timestamp, etc.) as well as a rule hit counter for verification of rules and traffic patterns.

    0
  • Michael K

    Is there a way to name rules? If not, can it be a potential feature addition?

    I have several IP allow rules so I can remote in from different places. I'd love to be able to name them so I don't need to look up the IPs when pausing or unpausing.

    0
  • Firewalla

    There is a notes section. Is it what you want? Or do you want to display the notes while looking at the rules?

    1
  • Michael K

    Well, actually, if the note could display when looking at the rules, that would be perfect. No need to add a name.

    1
  • Stacy Haven

    Is there a way to programmatically create a rule or remove a specific rule? For instance, I want the ability to open a port to a specific external IP, but only once that IP authenticates with a server outside the network. Then, once the session is complete, there is an internal call to turn off the rule. The call to add or remove could be limited to a specific IP/server inside the network that has a tunnel with the outside server, to limit exposure.

    0
  • Michael Bierman

    Not currently, @Stacy. I don't know if Firewalla has any plans for such a feature. You could set up a reverse proxy with authentication. There are some threads about that.

    0
  • Pietraskamil1991

    @Firewalla

    Is there any way to allow/block specific combinations like a destination IP range plus ports?

    I tried from the web UI but I could not achieve it.

    0
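Three of the asks in this thread (Travis's allow exception carved out of a block rule, networker5's "only *.honeywell.com, block the rest of the internet", and Pietraskamil1991's destination range plus port) come down to the same thing: an ordered rule list evaluated first-match, where a narrow allow sits above the broad block it punches through. The evaluator below is an added example, not Firewalla's rule engine or anything from the article; the `Rule`/`evaluate` names, the VLAN numbering, the management DNS at 192.168.10.5, the thermostat at 192.168.30.7 and the external host 198.51.100.20 are all constructed for illustration. It also shows that reversing the order of the two IoT rules silently defeats the exception.

```python
import ipaddress
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import Optional

# Constructed: the RFC 1918 ranges this toy policy treats as "local" rather than internet.
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_local(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


@dataclass
class Rule:
    action: str                    # "allow" or "block"
    src: str                       # source CIDR (a single device or a whole VLAN)
    dst: Optional[str] = None      # destination CIDR; None = any address
    dport: Optional[int] = None    # destination port; None = any port
    domain: Optional[str] = None   # wildcard such as "*.example.com"; None = any name
    scope: str = "any"             # "any", "local" (RFC 1918) or "internet" (everything else)
    note: str = ""

    def matches(self, src_ip: str, dst_ip: str, dport: int, domain: Optional[str]) -> bool:
        if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(self.src, strict=False):
            return False
        if self.dst and ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(self.dst, strict=False):
            return False
        if self.dport is not None and dport != self.dport:
            return False
        # A domain-scoped rule needs a name to match against; a bare IP flow never satisfies it.
        # Note that "*.honeywell.com" does not match the apex "honeywell.com" itself.
        if self.domain and not (domain and fnmatch(domain.lower(), self.domain.lower())):
            return False
        if self.scope == "local" and not is_local(dst_ip):
            return False
        if self.scope == "internet" and is_local(dst_ip):
            return False
        return True


def evaluate(rules, src_ip, dst_ip, dport, domain=None, default="allow"):
    """First matching rule wins; `default` applies when nothing matches."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, dport, domain):
            return rule.action, rule.note
    return default, "no rule matched"


# Travis's case: IoT VLAN may reach the management DNS server on port 53, nothing else local.
# The exception is listed first so it is evaluated before the broad block.
IOT_RULES = [
    Rule("allow", "192.168.30.0/24", dst="192.168.10.5/32", dport=53, note="IoT to mgmt DNS only"),
    Rule("block", "192.168.30.0/24", scope="local", note="IoT to any other local segment"),
]

# networker5's case: one device may talk to *.honeywell.com; all other internet traffic is blocked,
# local traffic is left alone.
THERMOSTAT_RULES = [
    Rule("allow", "192.168.30.7/32", domain="*.honeywell.com", note="vendor domain"),
    Rule("block", "192.168.30.7/32", scope="internet", note="everything else on the internet"),
]


def demo():
    iot, dns, ext = "192.168.30.7", "192.168.10.5", "198.51.100.20"   # constructed addresses
    return {
        "dns_exception_first": evaluate(IOT_RULES, iot, dns, 53)[0],
        "ssh_to_mgmt": evaluate(IOT_RULES, iot, dns, 22)[0],
        "dns_block_first": evaluate(list(reversed(IOT_RULES)), iot, dns, 53)[0],
        "vendor_domain": evaluate(THERMOSTAT_RULES, iot, ext, 443, "api.honeywell.com")[0],
        "other_domain": evaluate(THERMOSTAT_RULES, iot, ext, 443, "example.net")[0],
        "local_peer": evaluate(THERMOSTAT_RULES, iot, dns, 53)[0],
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:22s} {verdict}")
```

The `dns_block_first` entry is the failure mode Travis is asking the UI to prevent: the same two rules in the other order never reach the allow. The `dst` plus `dport` fields on `Rule` are the range-plus-port combination Pietraskamil1991 asks about, and `local_peer` shows why networker5's "not local" qualifier matters, since the internet-scoped block leaves LAN traffic to the default.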