Below are suggestions for validating that various Firewalla features are working properly.
- Ad Block
- Family - Family Protect
- Family - Safe Search
- Family - Social Hour
- DNS over HTTPS (DoH)
- Unbound
- Malware Activity - Alarm
- Active Protect - Strict Mode
- Video Sites Blocking Rule
- NTP Intercept
- VPN Client
Ad Block
Check if you can see ads on this site: https://ads-blocker.com/testing/
To test if Strict Mode is blocking more ads, try comparing the block rate before and after switching to Strict Mode using this site: https://d3ward.github.io/toolz/adblock.html
Family - Family Protect
If you're using 3rd-Party Mode Family Protect, visit this site to confirm that OpenDNS is running: http://welcome.opendns.com/
If you're using Native Mode Family Protect, you can test each feature you have enabled by attempting to visit or use the categories/services you have blocked.
Family - Safe Search
Search for 'porn' in Google with Safe Search on. You will see different results than with Safe Search off. You may need to use an incognito window so that cached results do not hide the change.
Family - Social Hour
Visit https://facebook.com. You should not be able to reach it while Social Hour is active.
DNS - DNS over HTTPS
To validate DoH, you need to use the DoH provider's test:
- Cloudflare: https://1.1.1.1/help
- Quad9: https://on.quad9.net
- Google: https://dns.google
- OpenDNS: https://umbrella.cisco.com/doh-help
Keep in mind:
- Browsers may cache results, so clear your cache or use an incognito window.
- If you select multiple DoH providers, any given DNS query may go through a different provider, so a single provider's test page may not see your queries. To test, select only one provider.
DNS - Unbound
Open https://dnsleaktest.com/ and run a standard test. If the DNS server IP in the result is your own public IP, Unbound is enabled: the box is resolving recursively itself rather than forwarding to an upstream resolver. You can find your public IP using https://ipinfo.io/
Open https://en.internet.nl/ and start a test using "Test your connection". You are looking to see whether or not domain signatures (DNSSEC) are validated and if you are protected against false translation from signed domain names into rogue IP addresses.
Malware Activity - Alarm
Note: some tests may require you to clear your DNS cache. You can do this by turning Wi-Fi off and on.
# Expect an alarm to be generated.
http://malware.wicar.org/data/eicar.com
# Expect an alarm to be generated.
http://examplebotnetdomain.com
Note: these are just test files (no real damage). However, your browser may attempt to stop you from downloading the test malware file, so you may have to accept the risk in your browser to continue downloading.
You can also access these URLs via the command line:
$ curl http://malware.wicar.org/data/eicar.com
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
$ curl http://examplebotnetdomain.com
Note: Sometimes you may need to download multiple times, as the test file is too small to trigger the threshold.
Active Protect - Strict Mode (1.973 or higher)
By default, Firewalla auto-blocks high-risk malware sites. To extend blocking to a broader set of malware sites, including ones not classified as high risk, turn on Active Protect Strict Mode. This requires box version 1.973 or above.
Note: some tests may require you to clear your DNS cache. You can do this by turning Wi-Fi off and on.
Once in Strict mode, use your browser to visit these sites.
# Expect an alarm to be generated, but the file will still be downloaded
http://malware.wicar.org/data/eicar.com
# Expect an auto-block alarm to be generated. This test site is
http://examplebotnetdomain.com
These are just test files (there is no risk in trying them). However, your browser may attempt to stop you from downloading the test malware file, so you may have to accept the risk in your browser to continue downloading.
- For the first URL, the test site is purposely classified as one whose risk is unknown. Therefore, we don't block it; we alert you so you can decide what to do.
- For the second URL, we purposely marked the test site as high risk, so the download is blocked completely.
You can also access these URLs via the command line:
$ curl http://malware.wicar.org/data/eicar.com
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
$ curl http://examplebotnetdomain.com
curl: (6) Could not resolve host: examplebotnetdomain.com
Note: Sometimes you may need to download multiple times, as the test file is too small to trigger the threshold.
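As an added example (not part of the Firewalla page or product), the following Python script automates the curl checks from both the Malware Activity and Strict Mode sections: it resolves each test host, fetches the body, and reports whether the EICAR test file came through or whether the name was blocked at DNS (the "Could not resolve host" case above). The resolver and fetch parameters and the outcome labels are this example's own; the URLs are the ones on the page.

```python
"""Added example: drive the two Malware Activity test URLs from a script and
classify what the box did with each, instead of reading curl output by eye."""
import hashlib
import socket
import urllib.error
import urllib.parse
import urllib.request

# The 68-byte EICAR test string (harmless by design). Its published SHA-256 is
# 275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f.
EICAR_BYTES = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

TEST_URLS = [
    "http://malware.wicar.org/data/eicar.com",
    "http://examplebotnetdomain.com",
]


def is_eicar(body):
    """True if body is the EICAR test file (the spec allows trailing whitespace)."""
    return body.rstrip() == EICAR_BYTES


def resolve(host, resolver=socket.gethostbyname):
    """A record the local DNS returns for host, or None if it does not resolve.
    A DNS-level block (curl: 'Could not resolve host') shows up as None."""
    try:
        return resolver(host)
    except socket.gaierror:
        return None


def fetch_url(url, timeout=10):
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read()


def probe(url, resolver=socket.gethostbyname, fetch=fetch_url):
    """Resolve, then fetch; return a dict describing the outcome.
    resolver/fetch are injectable (an assumption of this example) so the
    classification logic can be exercised offline."""
    host = urllib.parse.urlsplit(url).hostname
    ip = resolve(host, resolver)
    result = {"url": url, "ip": ip, "sha256": None, "size": 0}
    if ip is None:
        result["outcome"] = "blocked-dns"
        return result
    try:
        body = fetch(url)
    except urllib.error.HTTPError as exc:
        result["outcome"] = "http-%d" % exc.code
        return result
    except OSError as exc:  # URLError, timeouts, refused/filtered connections
        result["outcome"] = "blocked-or-unreachable"
        result["error"] = str(exc)
        return result
    result["sha256"] = hashlib.sha256(body).hexdigest()
    result["size"] = len(body)
    result["outcome"] = "fetched-eicar" if is_eicar(body) else "fetched-other"
    return result


if __name__ == "__main__":
    # Default mode: both URLs fetch and only alarm. Strict Mode: the second URL
    # should come back blocked-dns, matching curl's error (6) shown on the page.
    for u in TEST_URLS:
        r = probe(u)
        print("%-45s %-22s ip=%s sha256=%s" % (u, r["outcome"], r["ip"], r["sha256"]))
```

Run it once before and once after switching on Strict Mode; the first URL should read fetched-eicar both times, while the second changes from fetched-other to blocked-dns. If the box blocks by IP rather than by DNS, the outcome is blocked-or-unreachable instead, which is still a block.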
Video Sites Blocking Rule
Try to play a YouTube video. It should fail to load while the rule is active.
NTP Intercept
Here's how to verify the NTP Intercept feature.
- Open a terminal.
- Confirm NTP works normally by asking your device to query an NTP server. It should return the offset of the system clock relative to the server clock. Paste in one of the following commands, depending on your OS:
Windows:
w32tm /stripchart /computer:pool.ntp.org /samples:5 /dataonly
Linux (depends on your distribution):
ntpdate -q -p 1 pool.ntp.org
macOS:
sntp pool.ntp.org
Example output:
+0.063951 +/- 0.071033 pool.ntp.org 65.100.46.166
- Once you have confirmed NTP is normal, ask your device to query a fake NTP server (Firewalla has set one up at not_ntp_server.firewalla.com). An NTP request to the fake server is also intercepted and answered locally by the box, so NTP should succeed even with a fake server. If it fails, NTP Intercept may not be working.
Windows:
w32tm /stripchart /computer:not_ntp_server.firewalla.com /samples:5 /dataonly
Linux (depends on your distribution):
ntpdate -q -p 1 not_ntp_server.firewalla.com
macOS:
sntp not_ntp_server.firewalla.com
Example output if the feature is on and working:
+0.010029 +/- 0.075112 not_ntp_server.firewalla.com 198.18.254.254
Example output if the feature is off or not working:
sntp: Exchange failed: Timeout
sntp_exchange {
    result:     6 (Timeout)
    header:     00 (li:0 vn:0 mode:0)
    stratum:    00 (0)
    poll:       00 (1)
    precision:  00 (1.000000e+00)
    delay:      0000.0000 (0.000000000)
    dispersion: 0000.0000 (0.000000000)
    ref:        00000000 (" ")
    t_ref:      00000000.00000000 (0.000000000)
    t1:         E92641FC.BD67EC78 (3911598588.739866999)
    t2:         00000000.00000000 (0.000000000)
    t3:         00000000.00000000 (0.000000000)
    t4:         00000000.00000000 (0.000000000)
    offset:     FFFFFFFF8B6CDF01.A14C09C400000000 (-1955799294.369933605)
    delay:      FFFFFFFF16D9BE03.4298138800000000 (-3911598588.739867210)
    mean:       0000000000000000.0000000000000000 (0.000000000)
    error:      0000000000000000.0000000000000000 (0.000000000)
    addr:       198.18.254.254
}
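The NTP Intercept check above depends on which NTP client your OS ships. As an added example (not part of the Firewalla page or product), here is a minimal SNTP client in Python that performs the same two queries, the real pool and the fake not_ntp_server.firewalla.com name, and prints the clock offset or a timeout for each. The packet layout and offset formula are RFC 4330; the sample reply bytes are constructed for the offline checks, and the origin-timestamp match is this example's own sanity check against stray replies.

```python
"""Added example: a minimal SNTP client used to check NTP Intercept from any OS
that has Python, instead of w32tm/ntpdate/sntp."""
import socket
import struct
import time

NTP_DELTA = 2208988800  # seconds between the NTP epoch (1900) and Unix epoch (1970)
NTP_FORMAT = "!BBBb3I8I"  # li/vn/mode, stratum, poll, precision, 3 words, 4 timestamps

# Constructed sample reply (not captured from a real server): mode 4, stratum 2,
# precision -20, origin .25, receive .50, transmit .75 s past NTP second 0xE9264200.
SAMPLE_REPLY = bytes.fromhex(
    "240206ec" "00001000" "00000800" "c0a80001"
    "e92641f000000000" "e926420040000000" "e926420080000000" "e9264200c0000000"
)


def to_ntp(t):
    """Split a float NTP-epoch time into (seconds, fraction) 32-bit words."""
    sec = int(t)
    return sec & 0xFFFFFFFF, int((t - sec) * 2**32) & 0xFFFFFFFF


def build_request(t1):
    """Client request: LI=0, VN=4, mode=3 (0x23), transmit timestamp = t1."""
    sec, frac = to_ntp(t1)
    return struct.pack(NTP_FORMAT, 0x23, 0, 0, 0, 0, 0, 0,
                       0, 0, 0, 0, 0, 0, sec, frac)


def parse_reply(data):
    """Decode the 48-byte header; timestamps come back as float NTP seconds."""
    if len(data) < 48:
        raise ValueError("short NTP packet (%d bytes)" % len(data))
    f = struct.unpack(NTP_FORMAT, data[:48])
    ts = f[7:15]
    return {
        "leap": f[0] >> 6, "version": (f[0] >> 3) & 7, "mode": f[0] & 7,
        "stratum": f[1], "poll": f[2], "precision": f[3],
        "ref_id": struct.pack("!I", f[6]),
        "reference": ts[0] + ts[1] / 2**32,
        "origin": ts[2] + ts[3] / 2**32,
        "receive": ts[4] + ts[5] / 2**32,
        "transmit": ts[6] + ts[7] / 2**32,
    }


def compute_offset(t1, t2, t3, t4):
    """RFC 4330 clock offset of the server relative to the client."""
    return ((t2 - t1) + (t3 - t4)) / 2


def query(host, port=123, timeout=3.0):
    """Send one request; return (offset_seconds, replying_ip) or None on timeout.
    Replies whose origin timestamp does not echo our transmit time are ignored."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        t1 = time.time() + NTP_DELTA
        sock.sendto(build_request(t1), (host, port))
        while True:
            try:
                data, addr = sock.recvfrom(512)
            except socket.timeout:
                return None
            t4 = time.time() + NTP_DELTA
            try:
                r = parse_reply(data)
            except ValueError:
                continue
            if r["mode"] == 4 and r["stratum"] != 0 and abs(r["origin"] - t1) < 1e-6:
                return compute_offset(t1, r["receive"], r["transmit"], t4), addr[0]
    finally:
        sock.close()


if __name__ == "__main__":
    # The first host must answer either way; the second answers only if the box
    # intercepts NTP (the page's example shows a reply from 198.18.254.254).
    for host in ("pool.ntp.org", "not_ntp_server.firewalla.com"):
        try:
            res = query(host)
        except socket.gaierror as exc:
            print("%-32s cannot resolve: %s" % (host, exc))
            continue
        if res is None:
            print("%-32s timeout (no reply)" % host)
        else:
            print("%-32s offset %+.6f s from %s" % (host, res[0], res[1]))
```

With NTP Intercept on, both lines show an offset and the replying IP; with it off, the second line times out, which is the same result the sntp transcript above reports as "Exchange failed: Timeout".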
VPN Client
If you have a device configured to use Firewalla VPN Client, visit a site such as http://ipinfo.io and check the IP address shown: it should be the VPN server's exit address when the VPN Client is working, and your own public IP address if traffic is not going through the VPN.