Firewalla runs on a full Linux distribution with full shell access. If you know a bit of Linux you can easily expand the Firewalla with regular Linux packages and tools.
One of the major problems of an open system is that, over time, it may get polluted with software that causes issues. To solve this problem, we have included native Docker container support for Firewalla Gold, Purple, and Blue Plus. Docker containers provide a sandbox to run your own applications while maintaining system integrity.
What is a Docker Container?
- Docker is a tool that allows developers, sys-admins, etc. to easily deploy their applications in a sandbox (called containers) to run on the host operating system i.e. Linux. The key benefit of Docker is that it allows users to package an application with all of its dependencies into a standardized unit for software development. Unlike virtual machines, containers do not have a high overhead and hence enable more efficient usage of the underlying system and resources. (https://docker-curriculum.com/)
What are the advantages of Docker?
- Isolation: you can fully contain one application inside a docker container without messing with the running operating system.
- Better Performance: containers can perform much better than virtual machines.
- Portable: many known services already have docker support, so you can easily deploy them on firewalla.
A few reminders before you start
Containers help you bring network-based functions closer to the network. However, keep the following caveats in mind. Firewalla's primary job is to secure your network, and overtaxing it may degrade your network performance, so use some caution: try things out and watch for sudden performance issues.
- WARNING: the Firewalla is NOT a general-purpose computer. Please be careful with what you install. Containers cost CPU and memory and, if not properly configured, may also cause security problems.
- Watch out for ports opened by services; make sure they are never mapped to the WAN interface (unless you know what you are doing).
- Watch out for disk space. Your Firewalla may not run correctly if you create too many docker images and do not manage them correctly. Be sure to use the docker prune command each time you update a container.
- The default user on Firewalla has sudo access, so anything you run has root access.
- Firewalla is not responsible for the security of any containers or packages you install.
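A check for the WAN-exposure caveat above, added here as an example rather than taken from Firewalla's documentation or code: it parses docker ps output and flags port mappings bound to every host address. The sample lines and the LAN address 192.168.1.1 are constructed.

```shell
#!/bin/sh
# Added example, not part of the Firewalla article: list container port
# mappings bound to every host address (0.0.0.0 or ::), which is how a
# published service becomes reachable on the WAN side unless the firewall
# blocks it. Pinning the publish address to the LAN IP avoids this, e.g.
#   docker run -p 192.168.1.1:8581:8581 ...   (the LAN IP is an assumption)
#
# Input: lines as produced by  docker ps --format '{{.Names}}\t{{.Ports}}'
# Output: one "<container> <mapping>" line per all-interfaces binding.
wan_exposed() {
    awk -F'\t' '
    NF >= 2 {
        # $2 is a comma-separated list such as
        # "0.0.0.0:8581->8581/tcp, :::8581->8581/tcp"
        n = split($2, maps, /, */)
        for (i = 1; i <= n; i++) {
            if (maps[i] ~ /^0\.0\.0\.0:/ || maps[i] ~ /^:::/) {
                print $1, maps[i]
            }
        }
    }'
}

# Constructed sample (not captured from a real box): one container bound to
# all interfaces, one pinned to a LAN address, one publishing nothing.
SAMPLE=$(printf 'homebridge\t0.0.0.0:8581->8581/tcp, :::8581->8581/tcp\n'
        printf 'unifi\t192.168.1.1:8443->8443/tcp, 192.168.1.1:3478->3478/udp\n'
        printf 'pihole\t\n')

check_sample() {
    printf '%s\n' "$SAMPLE" | wan_exposed
}

# Audit the running box when docker is available; otherwise show the sample.
if command -v docker >/dev/null 2>&1; then
    docker ps --format '{{.Names}}\t{{.Ports}}' | wan_exposed
else
    check_sample
fi
```

Run it after starting a new container; any line it prints is a mapping to re-publish on the LAN address.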
Docker container Examples
To help you get started, we have created a few examples based on feedback from our customers. Firewalla Gold and Purple series boxes should not have issues running these examples on a production network. Please note, these are examples only; we do not endorse these brands, nor do they endorse us in any way.
Homebridge via Docker
Homebridge is a server you can run on your home network that can connect many devices that aren't certified to work with Apple HomeKit. It is a bridge between HomeKit and these devices which allows you to use Siri to control them.
Using Docker is the best way to install HomeKit support, as it keeps the service isolated from the host OS and makes it easy to back up and update independently.
For full details, see Install HomeBridge on Firewalla
Unifi-Controller via Docker
UniFi Controller is a small server that manages all aspects of UniFi equipment such as APs (Access Points) and switches. It allows you to create VLANs and WLANs, update your UniFi boxes, and much more. You can run the Controller in a docker container right on Firewalla Gold.
For full details, see How to run UniFi Controller on the Firewalla Gold
Pi-hole via Docker
The Pi-hole® uses DNS blocks to protect your devices from unwanted content, without installing any client-side software. Firewalla already has similar capabilities in features such as Ad Block, but some customers have experimented with Pi-hole. You may not want to use both Pi-hole and Ad Block on the same devices, as doing so makes it harder to determine which one is causing a false positive when content you actually want to reach gets blocked.
Certain modules may require special access permissions from the docker network module, and this may require special processing in the Firewalla code to open the ingress or egress firewalls. This feature was delivered in 1.971.
On Ubuntu 22.04 and later, when Docker starts up it may load the kernel module br_netfilter, which conflicts with Ubuntu 22.04 if you are using Smart Queue. Containers managed by Firewalla handle this automatically, but if you create your own Docker instance you may need to run:
sudo rmmod br_netfilter
after starting the Docker service, or the Firewalla routing function may break.
This is due to a Linux kernel bug which we plan to fix in our 1.976 release.
- User-generated tutorials: https://help.firewalla.com/hc/en-us/community/topics/360001948014-Expanding-Firewalla-Docker-Third-Party-Apps-Scripts-
All product names, logos, and brands are the property of their respective owners. All company, product, and service names used in this website are for identification purposes only. The use of these names, logos, and brands does not imply endorsement.