PART 2: Control
After gaining visibility to your network and devices, the next important step is to create "rules" or "policies" for your network. These "rules" are often specific to your environment and how you perceive risk. Ultimately, it is your network, and you make the rules to control it.
Firewalla provides many ways to block, allow, and regulate traffic on your network. By controlling network traffic, you reduce the attack surface and risk exposure of your network.
With Firewalla, you can:
- Block unwanted access with blocking rules
- Allow trusted networks with "allow" rules
- Set activity time limits
- Block unrecognized open ports and change weak passwords
- Enable Family Mode for kids
- Isolate traffic with network segmentation
- Manage devices with Device Group
- Control traffic with routes
- Regulate traffic with Smart Queue
- Protect your privacy with Ad Block
- Control DNS traffic with DoH, Unbound, and DNS Rules
- Sync time securely with NTP Intercept
- Secure network access with Firewalla VPN
- Isolate new devices with New Device Quarantine
1. Block unwanted access with blocking rules
Blocking limits network access for one or more devices. Firewalla enables you to take action against unwanted network use through an array of blocking features, including:
1.1. Default Stateful Firewalls
1.2. Domain/IP/IP-Range Block Via the Rules Button
1.3. Block Via Alarms
1.4. Block Via Network Flows
1.5. Activity Category Block
1.6. Region Block (Geo-IP Filtering)
1.7. TLD Blocks (Top Level Domain)
1.8. Application Block
1.1. Default Stateful Firewalls
If you are running your unit in router mode, Firewalla by default inserts a "stateful" firewall that blocks all ingress traffic (connections initiated from outside your network to inside) while still allowing the replies to connections your own devices started. Please do not delete or pause this rule.
1.2. Domain/IP/IP-Range Block Via the Rules Button
You can block targets by using the "Rules" button. You can choose target(s) to allow/block based on one or a combination of the following items:
- IP Address (and optional ports)
- IP Address range (and optional ports)
- Domain name (and optional ports)
- Remote port (applies to any IP or Domain)
- Region
- Local Network (Gold and Purple running in Router mode only)
- Internet (all internet sites)
- Target Lists
Find out more about blocking capabilities here.
1.3. Block Via Alarms
Blocks can also be created from the alarm interface. For example, if you receive an alarm that one of your devices is accessing a malicious site, you can block the entire domain or IP from the alarm screen.
1.4. Block Via Network Flows
While looking at your device's network flows, you can tap on a flow entry to open its details screen. In the details screen, you can block the flow (please note that not all flows can be blocked, and your device may still maintain its functionality after a flow is blocked).
1.5. Activity Category Block
For smart devices that function closer to a general-purpose computer, you should implement controls similar to those on your computers or smartphones. For example, if your kids are using the smart TV, you can use category blocking to ensure they don't access sites they're not supposed to.
1.6. Region Block (Geo-IP Filtering)
Firewalla allows you to create blocking rules to block connections from a geographic location. This feature is useful if you want to prevent your network from talking to IP addresses in specific countries. It can be an effective way to stop hackers from attacking your IoT devices. Learn more about Geo-IP filtering. Geo filtering is only available on the Firewalla Blue Plus and above.
- Most of the time, these blocks are for egress (traffic from your network out); ingress traffic should already be blocked by the default stateful firewall.
1.7. TLD Blocks (Top Level Domain)
In addition to blocking full domains like firewalla.com and *.firewalla.com, Firewalla also supports blocking top-level domains, such as *.country, *.stream, *.download, etc.
1.8. Application Block
If you want to manage access to a certain app (such as YouTube, TikTok, Instagram, etc.), you can use Firewalla's Rules to limit what apps a device or a group of devices may use. To do this, create a new block rule and set the rule target to the app you'd like to block.
2. Allow trusted networks with "allow" rules
For devices that are very purpose-specific and only need access to certain services, you can configure rules so that only trusted connections are allowed through. For example, on your Nest Thermostat or Ring devices, you can block all internet access and then allow only the IP addresses and ports required by Ring's services. Learn more about allow/whitelist rules.
3. Set activity time limits
You can control when and for how long a set of devices can access certain apps with Time Limits. This allows you to do things like give your kids 2 hours of Fortnite access on weekends or set a daily 1-hour limit on YouTube. You can set a time limit by creating a User, then scrolling down on the User's page and tapping Add Time Limit under the activity chart.
4. Block unrecognized open ports and change weak passwords
In Part 1, we discussed open ports and weak passwords on commonly used ports. Check for open ports and services that aren't secured with solid credentials (Home -> Scan).
- If the scan finds any open ports and you don't recognize them, or if any ports were opened intentionally but should not be open anymore, you should block them.
- If the scan finds any weak passwords on common services, we recommend that you first log into your device and verify if the scan result is correct, then either disable the service or change the password on the service to something more secure.
5. Enable Family Mode for kids
Firewalla's Family Mode contains services that automatically filter out inappropriate content for families (porn and violent materials). It includes:
- Family Protect, which blocks access to websites with offensive content
- Native Family Protect, a new feature that gives you full control over what to block right on the Firewalla box
- Safe Search, which filters search results
- Social Hour, which limits social network use
If you have kids at home, enable Family Mode on all computers and smart devices (like Apple TV) that your kids might have access to.
6. Isolate traffic with network segmentation
You can use network segmentation to create multiple local networks in your home, and dedicate one for IoT devices. This way you can isolate IoT device traffic from the rest of the network, to reduce the risk exposure in case IoT devices get compromised.
You can set up a network segment for your IoT devices by:
- Creating a VLAN for your IoT devices
- Creating a rule on the VLAN to block all outgoing traffic to other parts of your network
Network segmentation is very powerful. While it is impossible to separate traffic between devices on the same network segment, VLAN and port-based networks allow you to secure and separate devices that are less critical and possibly less rigorously tested. See Building Network Segments for a detailed article on this.
Network segmentation is only available on Firewalla Gold and Purple when running as your main router. Both support network segmentation through VLANs, and Gold supports up to 3 port-based LANs.
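As an added illustration, not Firewalla's own code or configuration, here is how the policies above combine on a generic Linux router using nftables: the default stateful ingress block from 1.1, the IoT VLAN isolation from this section, and a single-host, single-port allow rule from section 2 placed ahead of the block so it is matched first. Interface names, subnets and the NAS address are assumptions.

```nft
#!/usr/sbin/nft -f
# Illustrative ruleset for a generic Linux router; interface names, subnets
# and the NAS address are assumptions, not Firewalla's own configuration.
flush ruleset

define WAN     = "eth0"
define LAN     = "br0"            # main LAN
define IOT     = "br0.20"         # IoT VLAN
define LAN_NET = 192.168.1.0/24
define NAS     = 192.168.1.10     # the one main-LAN host IoT devices may reach

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        # 1.1: stateful default. Replies to connections that a device inside
        # started are allowed; anything new arriving from the WAN is dropped.
        ct state established,related accept
        ct state invalid drop
        # LAN devices may use the router's DNS, DHCP and NTP services.
        iifname { $LAN, $IOT } udp dport { 53, 67, 123 } accept
        # Administrative access to the router only from the main LAN.
        iifname $LAN tcp dport 22 accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # Section 2: allow rule. One host, one port, listed before the block
        # rule so it is matched first.
        iifname $IOT ip daddr $NAS tcp dport 445 accept
        # Section 6: segmentation. The IoT VLAN cannot start any other
        # connection into the main LAN.
        iifname $IOT ip daddr $LAN_NET drop
        # Both LANs may reach the internet.
        iifname { $LAN, $IOT } oifname $WAN accept
        # The main LAN may still reach IoT devices; replies return via the
        # established,related rule above.
        iifname $LAN oifname $IOT accept
    }
}
table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname $WAN masquerade
    }
}
```

Rule order inside the forward chain is what makes the "allow one port, block the rest" combination work: the accept for the NAS port must come before the drop for the whole main LAN.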
7. Manage devices with Device Group
A device group is a software-based segmentation. It is available on all products including Firewalla Blue Plus and Red. You can use Device Group to manage devices that share the same rules and policies. This can greatly simplify the daily management of devices and policies. Learn more about Device Group.
Here is an example of how you can use Device Group:
- Create a device group for streaming devices
- Add all your smart TVs, speakers, or set-top boxes to the group
- Manage the group with consistent rules and policies across the whole network
8. Control traffic with routes
If you have multiple traffic terminations, such as:
- VPN Client (or many VPN clients)
- Secondary WAN
- Site-to-Site VPN
You can send any IoT device's network traffic to any of the destinations above by using smart routing policies through Firewalla. Learn more about policy-based routing.
You can also choose a Route Preference. For each route, you'll be given two options:
- Static: if the selected interface is not available, the traffic will be dropped. This is the default setting.
- Preferred: if the selected interface is not available, allow traffic through an alternate route.
Please note that in order to "lock" traffic to a selected VPN, you also need to ensure the VPN's Internet Kill Switch is enabled. For detailed instructions, you can watch our video tutorial.
9. Regulate traffic with Smart Queue
If you worry about your IoT devices consuming too much bandwidth, you can easily apply policies to limit traffic by either device or destination. Learn more about Firewalla Smart Queue.
10. Protect your privacy with Ad Block
Ad Block is Firewalla's built-in ad blocker. It does more than just block ads: it also protects your privacy by preventing ads from tracking your online behaviors. This is especially useful for smart devices that have general access to the internet but do not provide users with privacy settings or controls. Ad Block now also has Strict Mode, which blocks ads more aggressively, in addition to Default Mode. Turn on Ad Block on All Devices so your whole network is ad-free. Find out more about Ad Block.
11. Control DNS traffic with DoH, Unbound, and DNS Rules
DNS over HTTPS (DoH) sends DNS requests encrypted over HTTPS, as opposed to traditional DNS, which sends the request in plain text. It prevents third parties from spying on what websites, domains, and services your devices are accessing. By turning on DoH in Firewalla, all devices in your network will be protected, especially IoT devices that otherwise have no ability to configure this type of service.
In addition to DoH, Firewalla supports another DNS service: Unbound. It is a validating, recursive, caching DNS resolver that helps increase your online privacy and security and is installed locally on the Firewalla box. Unbound prevents a single public DNS server from seeing all your DNS queries. For an extra layer of protection, you can also send your Unbound DNS requests over VPN instead of your ISP by enabling Unbound over VPN.
You can also add Custom DNS Entry Rules via the app. We used to have a guide on how to customize your DNS via the command line, but we brought this feature to the app UI to make it easier to manage. For detailed instructions, you can watch our video tutorial.
12. Sync time securely with NTP Intercept
Many devices regularly make Network Time Protocol (NTP) requests to keep their clocks in sync – you'll see these requests as traffic over port 123 on your box's Flows page. Vulnerable NTP servers can sometimes be exploited for DDoS attacks or as a covert communication channel.
Firewalla's NTP Intercept feature catches your devices' NTP requests and processes them locally using trusted NTP servers, reducing your network's risk exposure while saving some bandwidth. From the devices' perspective, NTP requests simply succeed as usual.
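As an added example, not Firewalla's implementation, the same interception on a generic Linux router with nftables: NTP requests from LAN devices are redirected to a time daemon on the router itself, which syncs upstream with trusted servers. Interface names and subnets are assumptions, and a local daemon such as chrony is assumed to listen on UDP 123.

```nft
#!/usr/sbin/nft -f
# Illustrative NTP intercept for a generic Linux router; interface names and
# subnets are assumptions, not Firewalla's own configuration. A local time
# daemon (e.g. chrony) is assumed to listen on UDP 123 on the router and to
# sync with trusted upstream servers.
define LAN      = "br0"
define IOT      = "br0.20"
define LAN_NETS = { 192.168.1.0/24, 192.168.20.0/24 }

table ip ntp_intercept {
    chain prerouting {
        type nat hook prerouting priority -100; policy accept;
        # Whatever server a device asked for, its request is answered by the
        # router. The counter shows how many requests were intercepted
        # (nft list table ip ntp_intercept), which is useful for spotting a
        # device that suddenly starts making many NTP requests.
        iifname { $LAN, $IOT } ip saddr $LAN_NETS udp dport 123 counter redirect to :123
    }
}
```

The router's own input policy must still accept UDP 123 from these networks, and the router's own upstream NTP traffic is unaffected because locally generated packets do not pass through prerouting.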
13. Secure network access with Firewalla VPN
Firewalla has a built-in VPN client that makes it easy and free to tunnel all your home network traffic, including IoT traffic, through a VPN.
Site to Site VPN:
If you have multiple homes, you can use Site to Site VPN to connect your networks together over encrypted links. You can securely access shared devices such as file servers, printers, and video cameras bi-directionally between the sites.
3rd Party VPN:
If you are using a third-party VPN server to shield your data from your ISP or government, you can enable the Firewalla VPN Client and connect to the VPN Server. This will allow all your IoT devices to easily use the same VPN service.
Firewalla has a built-in VPN Server as well. When you are traveling or using public Wi-Fi, you can connect back to the VPN Server at home and securely access your home devices, such as security cameras and home automation controllers.
This method is far more secure than using simple port forwarding on your router. The encrypted tunnel both hides your traffic and authenticates the connecting client at the network layer.
14. Isolate new devices with New Device Quarantine
You can enable New Device Quarantine in Firewalla to immediately place unrecognized devices into a separate Quarantine Group if they join your network. This way, you can have full visibility of unfamiliar devices and set special rules to control their access. You can release a device from the Quarantine Group whenever you want.
To learn more about how Firewalla protects your data from breaches and attacks, continue reading in Part 3: Protect.
Comments
I have set a general rule to block access from a VLAN to my main LAN. I have allowed access to a single machine with a secondary rule - but really I'd like this to be a single port on this machine, but can't work out how to make a combination rule like this?