Manage Rules

Comments

32 comments

  • FF

    Is there a way to combine rule filters in a single rule (as opposed to layered)?

     

    for instance:

    • on device 1 block all ports 12-23 except 13? 
    • on device 2 allow all ports 12-23 except 13? 
    • or block port 22 if target region is not US?
    • etc....
    2
  • Brian Shimkus

    Not sure if I missed how to do this, but is there an ability to do wildcard allowing?  Such as allow "*.google.com" to catch all Google Classroom URLs?

     

    bks

    2
  • Manny Cavalier

    Are the RED's rules limited to 999?

    1
  • Brian Shimkus

    I have the same question as Michael.

    The app shows google.com if I input *.google.com as the domain I want to allow.

    1
  • Michael Bierman

    UPDATE:

    See firewalla's update on this below. 

    I believe that people should be aware that because domains are IP based, they should not assume that "company.com" will cover "support.company.com". If they want to block (or allow) that, they must specify the subdomain they are targeting. 

    The tutorial would be better if there were more detail like this. 

    1
  • Michael Bierman

    Thanks @Firewalla. So are:

    google.com = *.google.com ? Or does google.com only refer to the second-level domain name? 

    1
  • Michael Bierman

    I notice that rules applied to all devices don't show up when you look at the rules for a device. I would advocate that all rules that affect a device should be shown or this is a recipe for customers to be confused which could cause support issues. 


    0
  • sk0rp10

    Hi, yes, I have checked that - so why doesn’t the GLOBAL block rule block all traffic and the device-level allow rule on one single country allow just that country? I have double-checked the sequence of priorities you quote above many times and I still don’t understand why my point 1) is not working:

    A) add a rule to block all traffic from internet for All Devices (global scope)
    B) add a rule to allow traffic from e.g. Canada for the one device “Test”

    Given the two rules above, my understanding is that for the specific device “Test” all incoming traffic should be blocked with the exception of the Canada one. However, what actually happens is that all traffic is allowed regardless of the geographic origin, as if the global rule at point A were ineffective.

    0
  • Michael Bierman

    Thanks @Firewalla. 

    So mDNS cannot be blocked at all? Or it is just open by default?

    0
  • Michael Bierman

    Devices in a group cannot have their own rules. 

    0
  • Travis

    2 nice features to have would be

    1) Exceptions to block rules. Ex: on my Firewalla Gold I have 4 VLANs: IoT, Guest, Mgmt, and Domain. On my IoT and Guest VLANs I block traffic to all other network segments, but I run a DNS server in the management network. It would be nice if I could make an exception to the network block rule that allows my devices to talk to that 1 mgmt IP. Or if you could have a checkbox that allows me to set a global rule to override lower rules. 

    2) it would be nice to be able to specify multiple targets, the obvious example from above would be to specify that the clients on other segments could talk to the DNS server IP on port 53 only. 

     

    Maybe one day, once you get all of these awesome user-friendly features added, you can create advanced user options. Like give us a page to view an advanced rule layout where we could see all of the rules in one interface and re-arrange the order more granularly, so we could move an allow/deny rule to the specific position in the list where we want it to be evaluated, or even be able to move to a configuration where there is an implicit deny so if a client is otherwise allowed it is denied. 

     

     

    0
  • Michael Bierman

    @Bruce, As I’m sure you know, each computer has a LAN IP and a WAN IP. Firewalla will never see the LAN IP of a computer on another network. You can block a WAN IP; however, many connections are from DHCP IPs, so a person’s IP address today won’t necessarily be their IP tomorrow. 

    That said, yes, Firewalla can block an IP address, an IP range, or domains. But by nature, IP addresses may not reliably block a specific person. 

    0
  • Bruce Galleco

    Hello. If I have a specific IP address of another person's computer, can I block it?  Both incoming and outgoing traffic.  I see the IP address option in the picture.  Just want to know if it's possible. 

    0
  • Matt

    Maybe we're not on the same HW or FW version? (Mine is Firewalla Gold, app version 1.44.2...)

    When I put *.io in the box for the rule, the box turns red and I can't submit the rule. Seems there is a form validation rule that's not happy with what I put... 

    [Edit] figured it out, behaviour is different between the phone app and the web app. *.io doesn't work as a target on the web app, but it does on the phone app...

    0
  • sk0rp10

    Hello, I am on Firewalla Gold. Wanted to achieve, for a specific device with some ports mapped, that only some geographic regions can access it. I tried this first:

    1) rely on the pre-filled global rule to deny traffic from internet to all devices in the LAN;
    Create device specific rule to allow traffic from my preferred geographic region to the device

    1) didn’t work, as traffic from other geographic regions was still making it to the device, so I tried:

    2) add a device specific rule to block all traffic from internet, add a rule to allow traffic from one geographic region

    Why did 1) not work and 2) seems to work just fine?

    0
  • Dave Stevenson

    Are there any plans to support URL based rules? I'd like to allow access to certain domains but restrict certain paths within those domains, e.g. allow everything from foo.com except foo.com/register, foo.com/user, foo.com/forum, etc. 

    0
  • Matt

    I'm trying to set a filter based on TLD, but the box turns red and doesn't accept the input... Am I doing something wrong? 

     

    I'm trying to filter *.io

     

    0
  • Michael Bierman

    @brian I think domains are IP based right now and there is no wildcard support. I would really like to have that! Nest devices have really long subdomains that look like they could change without notice. 

    0
  • Firewalla

    A new FWG 

    1. There will be a rule that blocks all incoming traffic. (This is your ingress firewall.)
    2. Port 4 is the default WAN with DHCP.
    3. Ports 1-3 are bridged together as your LAN.

    mDNS is always on, and there are no other active rules that block VLANs or LANs unless you specifically add them.

    0
  • Arlo Miller

    You list rule priorities of Device > Group > Network > Global; however, on my Gold, once I put a device into a group I cannot set up rules specifically for that device. It only allows me to specify the group. Am I doing something wrong?

    0
  • Michael Bierman

    @firewalla and a virgin FWG will also block between vlans, including mDNS reflection, correct?

    0
  • networker5

    Looks like things have changed and some of these comments may no longer apply. I have several IoT devices that should only communicate with a parent domain (e.g. honeywell.com). So I want to block any external internet traffic (not local) to/from that device if it is not *.honeywell.com. I would expect a rule to 1) block all internet to the device and 2) allow *.honeywell.com to work, but it blocks everything...

    restricting traffic to a domain should be a common use case - no?

    0
  • Firewalla

    If you have a virgin Gold (out of the box, no configuration)

    Firewalla by default will block all connections originated outside your network to your network, and allow all traffic originated from LAN to WAN. 

    "Active protect" will block both directions if the site has a bad reputation.

    0
  • nick54774

    Hello,

    For Firewalla Gold, may I ask whether there are any default firewall rules in place?

    Do we need to specify the rules below? Thank you.

    e.g.
    Deny:
    From: Public Internet, WAN
    to: LAN

    Allow:
    From: LAN
    to: Public Internet, WAN

    0
  • Michael Bierman

    If I'm not mistaken, the diagnostics (Rules > Diagnostics) can only test Device > WAN connections. But it would be useful to be able to test external > LAN connections as well, now that the Rules allow so much more control. 

    0
  • Firewalla

    URL rules are not possible without unwrapping HTTPS sessions. This is something we don't want to mess with at the moment. Doing anything with HTTPS breaks end-to-end trust, and that is something that is philosophically bad. 

    0
  • sk0rp10

    Do you imply maybe that global scoped rules and device (or network level rules) cannot be merged if they partially conflict and the less privileged scope is disregarded altogether?

    0
  • Support Team

    @Brian, @Michael,

     

    1. Domain blocking now uses both IP-based and DNS-based blocking. You can change to domain-based only in the Rule UI.

    2. The allow and block priority is a little complicated when taking scope (device, group, network, global) and subdomain (*.google.com) into consideration.

     

        first priority: scope (device > group > network > global)

        second priority: sub domain (longest domain suffix takes priority, e.g. www.google.com > *.google.com)

        third priority: allow > block

     

    We are trying to simplify this in the app so that you don't have to worry about this most of the time. (Appreciate any feedback/idea on this.)

     

    So:

    - If you don't specify blocking a specific google.com domain, allowing "*.google.com" should work.

    - When you block a category (such as video), it is equivalent to blocking each specific video site, such as xyz.googlevideo.com, and allowing "*.googlevideo.com" won't work, because xyz.googlevideo.com takes priority.

     

     

    0
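The three-level precedence the Support Team reply lays out (scope first, then longest domain suffix, then allow over block) is what decides several of the questions in this thread: networker5's "block all internet, allow *.honeywell.com" device, sk0rp10's global block combined with a device-level allow, and Michael's point that "company.com" does not cover "support.company.com". Below is an added example, written for this page and not Firewalla's own code, that models that resolution in Python so the outcomes can be checked rather than guessed. It assumes a target of "*" means "all traffic", that an exact domain target matches only that host and not its subdomains, and that the Device and Rule structures and the function names are illustrative; the product's real data model is not shown on the page.

```python
from dataclasses import dataclass
from typing import Iterable, Optional

# Scope ranks from the support reply: device > group > network > global (lower = wins)
SCOPE_RANK = {"device": 0, "group": 1, "network": 2, "global": 3}


@dataclass(frozen=True)
class Device:
    """Illustrative device record: which group and network it belongs to (assumed model)."""
    name: str
    group: Optional[str] = None
    network: Optional[str] = None


@dataclass(frozen=True)
class Rule:
    """Illustrative rule record (assumed model, not Firewalla's schema)."""
    action: str              # "allow" or "block"
    scope: str               # "device", "group", "network" or "global"
    subject: Optional[str]   # name the rule is attached to; None for a global rule
    target: str              # "*" = all traffic (assumed), "*.example.com" = wildcard, "host.example.com" = exact

    def applies_to(self, device: Device) -> bool:
        """A rule applies when the device's name/group/network equals the rule's subject."""
        if self.scope == "global":
            return True
        attr = {"device": device.name, "group": device.group, "network": device.network}[self.scope]
        return attr is not None and attr == self.subject


def match_length(target: str, domain: str) -> int:
    """Length of the domain suffix covered by the target, or -1 when it does not match.

    A longer matched suffix means a more specific rule (www.google.com > *.google.com).
    """
    if target == "*":
        return 0                                  # matches everything, least specific
    if target.startswith("*."):
        suffix = target[1:]                       # "*.google.com" -> ".google.com"
        return len(suffix) if domain.endswith(suffix) else -1
    # Exact target: assumed to cover only that host, not its subdomains
    return len(target) if domain == target else -1


def decide(rules: Iterable[Rule], device: Device, domain: str, default: str = "allow") -> str:
    """Resolve the winning action for one device/domain pair using the stated priority order.

    Sort key: (scope rank, -matched suffix length, allow-before-block); the smallest key wins.
    `default` is the outcome when no rule matches at all.
    """
    best = None
    for rule in rules:
        if not rule.applies_to(device):
            continue
        matched = match_length(rule.target, domain)
        if matched < 0:
            continue
        key = (SCOPE_RANK[rule.scope], -matched, 0 if rule.action == "allow" else 1)
        if best is None or key < best[0]:
            best = (key, rule)
    return default if best is None else best[1].action


if __name__ == "__main__":
    # Constructed sample: networker5's IoT device with a global "block all" and a device allow
    thermostat = Device("Thermostat", group="IoT", network="LAN")
    rules = [
        Rule("block", "global", None, "*"),
        Rule("allow", "device", "Thermostat", "*.honeywell.com"),
    ]
    for host in ("api.honeywell.com", "example.com"):
        print(host, "->", decide(rules, thermostat, host))
```

The scope rank is compared before the suffix length, so a device-level allow on a wildcard still beats a global block on everything, which is the behaviour sk0rp10 expected from a global block plus a device allow. Within one scope the more specific name wins, so a category block expanded to xyz.googlevideo.com overrides an allow on *.googlevideo.com, exactly as the reply says.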
  • Michael Bierman

    @Brian, I noticed that too. Hopefully that means the second level domain includes all subdomains. I’d love to hear @firewalla confirm though. 

    0
  • Michael Bierman

    *.io works for me. There can be a delay before it kicks in.

    https://help.firewalla.com/hc/en-us/articles/360008521833-Manage-Rules

    0