Firewalla Rules can be used to manage access control traffic on your network and devices. The targets for the rules can be Applications, Target Lists, Categories (gaming, adult, video ...), Network flows (IP, domain, port), or regions, Internet, or Local Network.
- Definition of Rules
- Rules List
- Create a Rule
- Pause / Delete a Rule
- Add/Remove Rules at Device Level
- Block from Alarms
- Layered Logic in Rules
- Direction in Rules
- How to troubleshoot blocked sites
- How to block applications using rules
Definition of Rules
A rule defines how you want to control network access for one or more devices. A rule has four basic elements: action, target, device, and schedule. It can be interpreted as the following:
Take an action on matching target(s) and apply to device(s)
following a schedule
For example, if you want to block YouTube access on Melvin's laptop between 7-9 PM every day, you define a rule like this:
Action: block
Target: googlevideo.com
Device: Melvin's laptop
Schedule: 7-9pm daily
Rules List
All user-defined rules are shown on the Rules screen under Home → Firewalla → Rules. Rules can be created as above, or when you use the control buttons on the device home screen, such as block/unblock all gaming sites, a rule will be automatically created and appear on the Rules list.
Create a Rule
To create a new rule, go to the Home screen → Firewalla → Rules → Add Rule. You'd need to specify the following:
1. Action
Action can be one of the following:
- Allow
- Block
Allow rules will always take precedence over Block rules and Ad Block features. When applied, these rules are like exceptions to blocking rules, which apply to everything (Learn more about the direction in allow rules).
However, Allow rules do not override the Family mode blocked sites and Safe search features.
2. Target and Target Category
You can choose target(s) to allow/block based on one or a combination of the following items:
- Application
- Target List
- IP Address
- Range of IP Address
- Domain name
- Remote port
- Local port
- Region
- Local Network (Firewalla Gold and Purple only)
- Internet (all internet sites)
Application: The App list is sorted alphabetically and it will be continually updated. Only blocking rules are supported when matching Applications.
Target List: You can create a list of domains or IPs and then use that list to allow or block all of the items in that list. See Target Lists for more details.
Domain Name: You can define the target as a domain (e.g. abc.com) or subdomain (e.g. x.abc.com).
- When you block a domain, all subdomains and IP addresses mapped to the domain and subdomains are blocked as well. (e.g. "google.com" would also block "images.google.com")
- Blocking TLD (top-level domain) can be done by using the wildcard notation, such as blocking all *.adult or *.country
- There are two settings:
- Default: If two different domains map to the same IP address, then blocking one would cause the other, seemingly unrelated domain, to be blocked as well.
- Domain-Only: Less restrictive option won't accidentally block other domains hosted on the same IP but some applications may access servers by IP address rather than domain so they rule may not work as intended.
IP Range: You can define a group of IP addresses by specifying an IP range in CIDR notation (e.g. 192.168.100.14/24)
Remote Port: You can block/allow certain applications using a port or a range of ports. For example, block remote ports 6881-6889 will block p2p traffic (typical p2p traffic uses these ports).
You can also create Rules matching the combination of a Domain/ IP address / IP range and Remote Ports. Specifying protocol is also supported.
Local Port: You can block/allow others from accessing local services by specifying Local Port + Remote Target. For example, if you have a web server running, you can now create a rule to allow traffic from any region to access a certain port on your web server.
Local Network: On Firewalla Gold, You can block traffics between local networks by selecting any local network -> Traffic from/to the local network, then apply the rules to another network or device.
Here are more details on How to use rules to segment your network (Gold only).
Target Category
You can also choose from a set of system-managed target categories. The following categories are supported:
- Gaming
- Social
- Video
- Porn
- P2P
- Gambling
- Shopping
- VPN
Each category contains a list of domains or IP addresses associated with specific types of activities. Firewalla automatically populates the list in each category by learning the traffic in your network, but you can also view and edit the list manually.
The list of target categories can be found on the Target screen. Tap on the "i" icon next to a category, you will see all targets included in the category. Tap on "+" to add a new target, or tap on an item to see the delete option.
For example, you've blocked "All Video Sites" for your phone, but the iTunes Apple store is automatically included. If you want to be able to access the iTunes Apple store, you can simply remove this destination from the All Video Sites category.
3. On
Once you've defined the target, choose which device(s) to apply the rule. You can select:
- a single device
- a device group
- a network segment (Firewalla Gold and Purple only)
- or all devices
4. Schedule
The active time of a rule can be set as "Always" (never expires unless deleted), "One-Time-Only" (expires after configured time), or recurring following a daily or weekly schedule.
For example, if you want to block Melvin's iPhone from accessing Facebook every weeknight from 9 PM to 7 AM(next day), you can create a new rule:
- block
- target: "domain" -> "facebook.com"
- apply to: Melvins-iPhone
- schedule: "every week, Monday through Friday, from 9 PM to 7 AM (next day)"
Pause / Delete a Rule
You can pause a rule from the rules detail screen. Pause is useful when you want to temporarily disable the rule without having to delete or reschedule the rule.
To customize the duration when pausing rules, tap Pause Rule -> Custom… -> pick any duration -> tap Done. A rule can also be paused for "Today", which means it will be paused until the end of the day.
To delete a rule, tap Delete on any rule's detail page.
Manage Rules at Device/Group/Network Level
You can easily block/unblock internet access for a device. On the device detail screen, there is a set of control buttons. You can block all internet access on this device or only block certain categories of access (e.g. Games, Social, Video activities). The button can cycle through "Block off" (unblock), "Block for 1 hour" (temporary block), and "Block on" (permanently block) with each tap.
All blocking rules activated by the control buttons will also appear under the Rules listing screen. You can also create additional rules on this device by tapping the "+" icon.
Block Rules Created from Alarms
When you receive an alarm, you'll see an option to "Block" under the alarm summary. Depending on the type of alarm, you may see multiple options under Block. In the following example, you can either choose to block the specific domain or block the type of activity (Gaming) altogether. Depending on your selection, a new rule will be created. You can view and manage the rule on the Rules screen.
Layered Logic in Rules
The operational state of network access on a particular device can be determined by multiples rules defined at different layers:
- Rules for the device itself
- Rules for the device group that includes the device
- Rules for the network segment where the device is connected (Firewalla Gold and Purple only)
- Global rules apply to all devices
A network segment is a special device group. Its group membership is dynamic based on physical connectivity. Rules defined for a network segment will only apply to devices in that segment.
Device group membership is static. When a member device changes the segment, it still stays with the group. Group rules apply to member devices regardless of which segment the device is in.
Rules Logic
The logic for rules processing is the following:
- When a device joins a group, all previously defined device-level rules will be removed. The device will adopt the rules defined at the group level (block rules can still be created at the device level from alarms, network flows).
- A device or device group will inherit the Network and Global rules if there is no conflict.
When there is conflict:
the priority of different levels are device > group > network > global.
- When there is conflict, device group rules will take precedence over Network rules.
- When there is conflict, Network rules will take precedence over Global rules.
At the same level, allow rule takes precedence over the block rule.
One exception: inbound allow rules will take effect after going through all block rules except inbound blocking on all devices.
Examples
- If you have a rule allow a domain globally, but another rule block the Internet on a specific device, that device will not be able to access that domain. The priority here is Device > Global.
- On a device, if you have one rule allow the region US and another rule block YouTube, that device will still be able to access Youtube because traffic to the entire region (including where YouTube is hosted) is allowed. The priority is Allow > Block on the same level.
- If a network has a rule to block All Gaming Sites, then all devices in the network will have games blocked, because device inherits rules from the network it belongs to when there is no conflict.
- If a network has a rule to block All Gaming Sites, but a device (or a device group) in that network has a rule to allow nintendo.com, that device can play games on nintendo.com. Because when there is a conflict, priority is Device > Network.
- If a network has a rule to block Traffic from US, but a device in that network has a rule to allow Traffic from the Internet on a local port, US traffic can't connect to that device via that port.
WARNING
- If you block a domain in default mode, It may also block other domains due to IP address sharing. More details can be found here: How does Firewalla block domains?
- Please be careful when blocking Regions. The Internet is distributed, data centers are also distributed across the world.
Example: "firewalla.com" is based on Shopify, and Shopify is in Canada. Since there are many shops are using Shopify, if you blocked Region - Canada, you are likely going to have trouble shopping. - Port-based and Regional targets are fairly large, please try not to use them to "allow" or give an exception to your rules. Please see this article for a better way to do port opens.
- Allow rules are always like exceptions. For example, if you block YouTube and ALLOW the USA region, the YouTube block will not take effect, since Youtube is in the USA, which is an exception.
Direction in Rules
Firewalla allows directional ALLOW rules, the direction for allow rules can be:
- Outbound only: This is the default setting. It allows traffic from your devices to the target, but not the other way around.
- Bi-directional: It will allow all traffic between the target and your local device. If a rule is set to bi-directional, others from the outside your network will be able to access your local devices. This may increase security risks, so if you are not sure about it, we recommend using the default setting.
Blocking rules are bi-directional unless specified in Internet or Local Network targets.
Comments
42 comments
Is the RED's rules only limited to 999?
UPDATE:
See firewalla's update on this below.
I believe that people should be aware that because domains are IP based, they should not assume that, "company.com" will cover, "support.company.com". If they want to block (or allow) that they must specify the subdomain they are targeting.
The tutorial would be better if there were more detail like this.
Are there any plans to support URL based rules? I'd like to allow access to certain domains but restrict certain paths within those domains, e.g. allow everything from foo.com except foo.com/register, foo.com/user, foo.com/forum, etc.
URL rules are not possible without unwrapping https sessions. This is something at the moment, we don't want to mess with us. Doing anything with https is to break end to end trust, and that is something philosophically is bad.
Ah, understood. Good policy!
is there a way to combine rules filters in a single rule(as opposed to layered)?
for instance:
Not sure if I missed how to do this, but is there an ability to do wildcard allowing? Such as allow "*.google.com" to catch all Google Classroom URLs?
bks
@brian I think domains are io based right now and there is no wildcard support. I would really like to have that! Nest devices have really long sub domains that look like they could change without notice.
@Brian, @Michael,
1. Domain blocking now use both ip-based and dns-based blocking. You can change to domain-based only in Rule UI.
2. the allow and block priority is a little complicated when taking scope (device, group, network, global) and sub domain (*.google.com) into consideration.
first priority: scope (device > group > network > global)
second priority: sub domain (longest domain suffix takes priority, e.g. www.google.com > *.google.com)
third priority: allow > block
We are trying to simplify this in the app so that you don't have to worry about this in the most of time. (appreciate any feedback/idea on this)
So:
- if you don't specify blocking a specific google.com domain, allowing "*.google.com" should work.
- when you block a category (such as video), it equals to blocking each specific video site, such as xyz.googlevideo.com. and allowing "*.googlevideo.com" won't work, because xyz.googlevideo.com takes priority.
Thanks @Firewalla. So are:
google.com = *.google.com ? Or does google.com only refer to the second-level domain name?
I notice that rules applied to all devices don't show up when you look at the rules for a device. I would advocate that all rules that affect a device should be shown or this is a recipe for customers to be confused which could cause support issues.
I have the same question as Michael.
The app shows google.com if I input *.google.com as the domain I want to allow.
@Brian, I noticed that too. Hopefully that means the second level domain includes all subdomains. I’d love to hear @firewalla confirm though.
Hello I am on firewalla gold. Wanted to achieve , for a specific device with some ports mapped, that only some geographic regions can access it. I tried this first :
1) rely on the pre-filled global rule to deny traffic from internet to all devices in the lan ;
Create device specific rule to allow traffic from my preferred geographic region to the device
1) didn’t work as traffic from other geographic regions were still making it to the device , so I tried :
2) add a device specific rule to block all traffic from internet, add a rule to allow traffic from one geographic region
Why did 1) not work and 2) seems to work just fine?
Hi
See the last section, the device rules take precedence over global rules
Quote here:
the priority of different levels are device > group > network > global.
At the same level, allow rule takes precedence over the block rule.
Hi yes I have checked that - so why doesn’t the GLOBAL block rule block all traffic and the device level allow rule on one single country doesn’t allow just that country? I have double checked the sequence of priorities you quote above many times and I still don’t understand why is my point 1) not working :
A) add a rule to block all traffic from internet for All Devices (global scope)
B) add a rule to allow traffic from e.g. Canada for the one device “Test”
Given the two rules above, my understanding is that I should have that for the specific device “test” all incoming traffic was blocked with the exception of Canada one. However what actually happens is that all traffic is allowed regardless of the geographic origin, as if the global rule at point A was ineffective.
Do you imply maybe that global scoped rules and device (or network level rules) cannot be merged if they partially conflict and the less privileged scope is disregarded altogether?
If I'm not mistaken, the diagnostics (Rules > Diagnostics) Can only test Device > WAN connections. But it would be useful to be able to test external > LAN connections as well now that the Rules allow so much more control.
i'm trying to set a filter based on TLD, but the box turns red and doesn't accept the input... Am I doing something wrong?
I'm trying to filter *.io
*.io works for me. There can be a delay before it kicks in
https://help.firewalla.com/hc/en-us/articles/360008521833-Manage-Rules
Maybe we're not on the same HW or FW version? (Mine is firewalla gold, app version 1.44.2...
When I put *.io in the box for the rule, the box turns red and I can't submit the rule.. Seems there is form validation rule that's not happy with what I put...
[Edit] figured it out, behaviour is different between the phone app and the web app. *.io doesn't work as a target on the web app, but it does on the phone app...
Hello,
For firewalla gold, may i ask is there any default firewall rules in place?
Do we need to specify below rules? Thank you.
e.g.
Deny:
From: Public Internet, WAN
to: LAN
Allow:
From: LAN
to: Public Internet, WAN
If you have a virgin Gold (out of the box, no configuration)
Firewalla by default will block all connections originated outside your network to your network. And Allow all traffic originated from LAN to WAN.
"Active protect" will block both directions if the site has a bad reputation.
@firewalla and a virgin FWG will also block between vlans, including mDNS reflection, correct?
A new FWG
mDNS is always on, and there are no other active rules that block VLANs or LANs unless you specifically add them.
Thanks @Firewalla.
So mDNS cannot be blocked at all? Or it is just open by default?
Hello. If I have a specific IP address of another person's computer, can I block it? Both incoming and outgoing traffic. I see the IP address option in the picture. Just want to know if it's possible.
@Bruce, As I’m sure you know, each computer has a LAN IP and a WAN IP. Firewalla will never see the LAN IP a of a computer on another network. You can block a WAN IP however, many connections are from DHCP IPs so a person’s IP a address today won’t necessarily be their IP tomorrow.
That said, yes, Firewalla van block an IP address, and IP range, or domains. But by nature, IP addresses may not reliably block a specific person.
You list rule priorities of Device > Group > Network > Global, however on my Gold, once i put a device into a group I cannot setup rules specifically for that device. It only will allow me to specify the group. Am I doing something wrong?
Devices in a group cannot have their own rules.
Please sign in to leave a comment.