Products Firewalla Blue Firewalla Red Firewalla Gold

Articles in this section

See more

Manage Rules

Avatar
Support
  • Updated
Follow

 

 

Definition of Rules

A rule defines how you want to control network access for one or more devices.  A rule has four basic elements: action, target, device, and schedule. It can be interpreted as the following: 

Take an action on matching target(s) and apply to device(s) 
following a schedule

For example, if you want to block YouTube access on Melvin's laptop between 7-9 PM every day, you define a rule like this:

Action: block
Target: googlevideo.com
Device: Melvin's laptop
Schedule: 7-9pm daily 

Frame_3.png

 

Rules List

All user-defined rules are shown on the Rules Listing screen under Home -> Rules. When you use the control buttons on the device home screen, such as block/unblock all gaming sites, a rule will be automatically created and appear on the Rules list.

mceclip11.png mceclip7.png

 

Create a Rule

To create a new rule, go to Home screen -> Rules button -> Add Rule. You'd need to specify the following:

1. Action

Action can be one of the following:

  • Allow earlyaccess.png
  • Block

Allow rules will always take precedence over Block rules. However, Allow rules will not be able to overwrite family mode blocked sites.

 

2. Target and Target Category

You can choose target(s) to allow/block based on one or a combination of the following items: 

  • IP Address
  • Range of IP Address
  • Domain name
  • Remote port
  • Region beta.jpg
  • Local Network mceclip1.png
  • Internet (all internet sites) 

Artboard_2x.jpgmceclip7.png

Domain Name: You can define the target as a domain (e.g. abc.com) or subdomain (e.g. x.abc.com).

  • When you block a domain, all subdomains and IP addresses mapped to the domain and subdomains are blocked as well. 
  • If two different domains map to the same IP address, then blocking one would cause the other, seemingly unrelated domain, to be blocked as well.

IP Range: You can define a group of IP addresses by specifying an IP range in CIDR notation (e.g. 192.168.100.14/24)

Remote Port: You can block/allow certain applications using a port or a range of ports. For example, block remote port 6881-6889 will block p2p traffic (typical p2p traffic uses these ports). 

  

Target Category

You can also choose from a set of system-managed target categories. The following categories are supported:

  • Gaming
  • Social
  • Video
  • Porn
  • Gambling 
  • P2P
  • VPN
  • Shopping 

Each category contains a list of domains or IP addresses associated with a specific types of activities. Firewalla automatically populates the list in each category by learning the traffic in your network, but you can also view and edit the list manually. 

The list of target categories can be found on the Target screen. Tap on the "i" icon next to a category, you will see all targets included in the category. Tap on "+" to add a new target, or tap on an item to see the delete option. 

mceclip2.png     mceclip6.png     mceclip7.png

For example, you've blocked "All Video Sites" for your phone, but iTunes Apple store is automatically included. If you want to be able to access the iTunes Apple store, you can simply remove this destination from the All Video Sites category.

 

3. Apply To (Device)

Once you've defined the target, choose which device(s) to apply the rule. You can select:

  • a single device
  • a device group earlyaccess.png
  • a network segment mceclip1.png
  • or all devices

 

4. Schedule

The active time of a rule can be set as "Always" (never expires unless deleted), "One-Time-Only" (expires after configured time), or recurring following a daily or weekly schedule.

For example, if you want to block Melvin's iPhone from accessing Facebook every weeknight from 9 PM to 7 AM(next day), you can create a new rule:

  • block
  • target: "domain" -> "facebook.com"
  • apply to: Melvins-iPhone
  • schedule: "every week, Monday through Friday, from 9 PM to 7 AM (next day)"  

mceclip0.png    mceclip1.png

 

Delete / Pause a Rule

You can pause or delete a rule from the rules detail screen. Pause is useful when you want to temporarily disable the rule without having to delete or reschedule the rule. 

mceclip5.png      mceclip4.png           

 

Add/Remove Rules at Device Level

You can easily block/unblock internet access for a device. On the device detail screen, there is a set of control buttons. You can block all internet access on this device or only block certain categories of access (e.g. Games, Social, Video activities). The button can cycle through "Block off" (unblock), "Block for 1 hour" (temporary block), and "Block on" (permanently block) with each tap. 

All blocking rules activated by the control buttons will also appear under the Rules listing screen. You can also create additional rules on this device by tapping the "+" icon.

mceclip10.png     mceclip9.png

 

Block Rules Created from Alarms

When you receive an alarm, you'll see an option to "Block" under the alarm summary. Depending on the type of alarm, you may see multiple options under Block. In the following example, you can either choose to block the specific domain or block the type of activity (Gaming) altogether. Depending on your selection, a new rule will be created. You can view and manage the rule on the Rules screen. 

mceclip8.png      

  

Layered Logic in Rules

The operational state of network access on a particular device can be determined by multiples rules defined at different layers:

  • Rules for the device itself
  • Rules for the device group that includes the device earlyaccess.png
  • Rules for the network segment where the device is connected mceclip1.png
  • Global rules applied to all devices

A network segment is a special device group. Its group membership is dynamic based on physical connectivity. Rules defined for a network segment will only apply to devices in that segment.  

Device group membership is static. When a member device changes segment, it still stays with the group. Group rules apply to member devices regardless of which segment the device is in. 

Rules Logic

The logic for rules processing is the following:

  1. When a device joins a group, all previously defined device-level rules will be removed. The device will adopt the rules defined at the group level (block rules can still be created at the device level from alarms). 
  2. A device or device group will inherit the Network and Global rules if there is no conflict.
  3. When there is conflict, device group rules will take precedence over Network rules.  
  4. When there is conflict, Network rules will take precedence over Global rules.

 

Examples

1. If a segment has a rule to block games, and a device (or a device group) in that segment doesn't have a rule to block games, then the device will have games blocked.

2. If the above segment also has a region block on USA, then only non-US games can be played by devices in that segment.

3. if a segment has a rule to block games, and a device (or a device group) in that segment allows nintendo.com, then the device's rule overwrites the segment's rule, i.e. the device can play games on nintendo.com.

 

 

 

 

 

 

Related articles

Comments

2 comments

Sort by Date Votes
  • Avatar
    Manny Cavalier

    Is the RED's rules only limited to 999?

    1
    Comment actions Permalink
  • Avatar
    Michael Bierman

    I believe that people should be aware that because domains are IP based, they should not assume that, "company.com" will be cover, "support.company.com". If they want to block (or allow) that they must specify the subdomain they are targeting. 

    The tutorial would be better if there were more detail like this. 

    0
    Comment actions Permalink

Please sign in to leave a comment.