Inbound connections monitoring and alarms
As a new Firewalla user, I'm so far pretty happy with device connection monitoring and alarms, but I found that incoming connections are an area that is somewhat difficult to monitor.
I have port forwardings made for a server, and I've tried to put in place NAT ingress firewall rules that are as strict as possible, but there are two things that make it difficult to evaluate the outcome:
- A clear listing of inbound connections, and especially what has been blocked by the NAT ingress firewall rule and what hasn't, is hard to find. Network flow views for the LAN network and devices do exist, but from there it's very difficult to identify which ones are for inbound connections. I think inbound connections coming from WAN should be made a separate view, maybe even in a totally different place, as they are also configured in a totally different place (Network Manager/NAT) than local device rules.
- Now when it happens that a NAT ingress rule does allow a connection, I may get the alarm "Abnormal Upload: Device [name] uploaded [size] data to [ip]". First, for incoming connections it might be more intuitive to have the alarm say that the connection was initiated from outside, instead of the device making an upload (as if it was initiated from the device), for example "Device [name] was connected from [ip] and transferred [size]", perhaps even with a totally new alarm type "Abnormal Inbound Connection". But the actual problem with the alarm is that if I find this particular case a false alarm, for example it was me myself, there is no useful way I can dismiss it. At the moment it gives only the option to mute exactly one IP, or the Abnormal Upload type entirely. The first one is not useful because it's too specific; it would need at least an IP range option, or perhaps Region as in the NAT rule options. The latter is out of the question since I would dismiss all alarms and not get anything anymore.
-
@Samuli, thanks for your feedback!
1. In the App 1.52 early access release, we've introduced a new UI of Top Blocked Flows. It will show you a list of inbound flows blocked by Firewalla, aggregated by Regions, and you can click on any region to drill down and see all the flow details.
As for the blocked flow history, do you think it'll be helpful if we provide an option to filter the flows based on the direction (inbound/outbound)? Our team is exploring the possibilities to enhance the experience of auditing the flows; your opinion is greatly appreciated.
2. Not sure if I understood your requests correctly, but if a connection is established from outside of your network and triggers an abnormal upload alarm, the alarm message will tell you that it originated from the remote host. For example, you may receive an alarm like this: "Device A uploaded 123 MB to 1.2.3.4 at about 12:00 PM. Originated from 1.2.3.4." If you do receive alarms of "abnormal inbound connection" without the description "Originated from…", please send an email to help@firewalla.com, and our engineers will look into it.
3. About the last request, muting alarms based on IP range, you can do it manually in alarm settings. Please refer to this tutorial for more details.
-
Thanks for the reply!
- Yes, I found this post afterwards, sounds good to me. And yes, filtering by inbound/outbound would be useful indeed, but not just in blocked flows but in all flows, so you could also see established inbound connections easily.
- This was just a note from a new Firewalla user, that the wording "Device A uploaded" sounds like the connection was initiated from Device A, and perhaps inbound connections might deserve a bit different treatment. But sure, there is the "Originated from", just not sure if this was visible in the notification.
- Did not know about this, thanks for the tip!