Comments

10 comments

  • Firewalla

    Depends on what is on your allowed list ... and if you have regional blocks

    pool.ntp.org is usually a very large and dynamic set of servers (4000+ servers in that pool). For example, if you only allow a few NTP servers, then it is highly likely you will get this kind of block for things not related to the allowed list.

  • Tommy Webb

    They process block rules before allow rules, which pretty much makes it impossible to block all except for… I wish the rules worked more like traditional firewall rules, where they are read in order, but I'm guessing they're doing this to keep down confusion for non-technical users and keep support calls down for them. As much as I like the device, I feel as if it's being held back because of non-technical users. I asked for an advanced mode to provide additional functionality for advanced users, but that got shot down. I'd really like more granularity on the firewall rules to create rules with source/destination port/IP address instead of what's given now.

  • Michael Bierman

    My target list

    time.apple.com
    time.cloudflare.com
    time.google.com
    *.ntp.org
    *.nist.gov

    So shouldn't all ntp.org servers be allowed? No regional blocks in place.

  • Firewalla

    @Michael, one other possibility is the block is done via active protection (meaning the IP is bad), can you tap into a few of the blocks and see what they are?  

  • Michael Bierman

    So strangely they are listed as IP based. When I check the IP though it doesn’t have a bad reputation, which isn’t surprising. Neither does the domain. 

    How does the IP take precedence when there is an allow rule? I don’t want these blocked ever.

  • Firewalla

    The domain pool.ntp[.]org is pretty standard; the issue is the IP. The NTP pool is a system where pretty much anyone can join, and the domain-to-IP mapping will change very often (that pool has >4000 servers). When this happens, the system will likely have a hard time mapping IPs to domains. Hence you will get some blocks. Since the NTP pool is so special, unless you see it NOT working, we do not recommend you manage it yourself.

    If you do see NTP is failing, then please send an email to help@firewalla.com 

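As an added illustration (not code from Firewalla or from any commenter), here is a small Python model of the situation the two comments above describe: a domain allow list that includes `*.ntp.org`, a reputation ("active protection") block list, and a pool whose member IPs rotate. How the firewall ties IPs to domains (by watching DNS answers) and the block-before-allow ordering are assumptions about how such a product might work, not Firewalla's documented behaviour; the IP addresses are constructed from documentation ranges.

```python
"""
Toy model of why a domain allow rule for *.ntp.org can still produce
"IP based" blocks against the NTP pool.

Assumptions (not Firewalla's documented behaviour): the firewall learns
domain->IP mappings from DNS answers it observes, a flow matches a domain
allow rule only if its destination IP has such a mapping, and block
(reputation) checks run before allow rules.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

# Constructed sample DNS answers using documentation-range addresses,
# not real pool members.
POOL_ANSWER_SEEN = ["192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13"]
POOL_ANSWER_UNSEEN = ["198.51.100.20", "198.51.100.21"]

ALLOW_LIST = ["time.apple.com", "time.cloudflare.com", "time.google.com",
              "*.ntp.org", "*.nist.gov"]


def allow_pattern_matches(name: str, pattern: str) -> bool:
    """Shell-style wildcard match; note '*.ntp.org' does not match the apex 'ntp.org'."""
    return fnmatchcase(name, pattern)


@dataclass
class Firewall:
    allow_domains: list[str]
    bad_ips: set[str] = field(default_factory=set)      # reputation list ("active protection")
    block_first: bool = True                             # block rules evaluated before allow rules
    ip_to_names: dict[str, set[str]] = field(default_factory=dict)

    def observe_dns(self, name: str, ips: list[str]) -> None:
        """Record a DNS answer the firewall saw, so those IPs can be tied to the name."""
        for ip in ips:
            self.ip_to_names.setdefault(ip, set()).add(name)

    def _reputation(self, ip: str) -> str:
        return "block:reputation" if ip in self.bad_ips else ""

    def _allow_rule(self, ip: str) -> str:
        names = self.ip_to_names.get(ip, set())
        hit = any(allow_pattern_matches(n, p) for n in names for p in self.allow_domains)
        return "allow:domain-rule" if hit else ""

    def verdict(self, dst_ip: str) -> str:
        """Decide a flow to dst_ip. Default-deny, as in a 'block all except ...' setup."""
        checks = [self._reputation, self._allow_rule]
        if not self.block_first:
            checks.reverse()               # traditional first-match-in-order behaviour
        for check in checks:
            result = check(dst_ip)
            if result:
                return result
        if dst_ip not in self.ip_to_names:
            # No DNS answer ever tied this IP to a name, so no domain rule can apply.
            return "block:ip-not-mapped-to-any-domain"
        return "block:default"


def run_scenario() -> dict[str, str]:
    fw = Firewall(allow_domains=ALLOW_LIST)
    fw.observe_dns("pool.ntp.org", POOL_ANSWER_SEEN)
    fw.bad_ips.add("192.0.2.12")           # one pool member lands on the reputation list
    out = {
        "seen_member": fw.verdict("192.0.2.10"),
        "seen_but_bad": fw.verdict("192.0.2.12"),
        # The pool rotated and the client now talks to an IP the firewall never
        # saw in a DNS answer; the flow looks like a bare IP, not *.ntp.org.
        "unseen_member": fw.verdict(POOL_ANSWER_UNSEEN[0]),
    }
    fw.block_first = False                 # what an ordered, first-match rule set would do
    out["seen_but_bad_ordered"] = fw.verdict("192.0.2.12")
    return out


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k:22s} {v}")
```

Two things fall out of the model. First, a pool member the firewall never associated with `pool.ntp.org` is judged purely as an IP, which is exactly the "listed as IP based" block described above, even though the domain is on the allow list. Second, whether a reputation hit on a pool member overrides the `*.ntp.org` allow depends only on evaluation order: block-first blocks it, an ordered rule set that lists the allow first lets it through.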
  • Michael Bierman

    I guess I never thought about the security problems with NTP.

    Reading a few articles, it seems like there is a way to authenticate NTP. NTS is one way. I wonder if FWG could intercept all NTP requests and provide responses to all LAN devices. In turn, it could make authenticated NTP requests, which would be more secure and maybe even better performance? Maybe:

        Devices > FWG (NTP)  > NTS  

    but back to my earlier question, if I make an allow rule, shouldn’t that take precedence?

  • Michael Bierman

    Looks like Cloudflare has a proposed solution. https://blog.cloudflare.com/nts-is-now-rfc/ 

  • Support

    Hi Michael

    To answer your earlier question, we need some further investigation on your box. I've created a ticket for that. Please check your mail box.

    Thanks

  • Phil

    Was there any resolution to this? I'm having very similar issues.
