Port Forwarding TCP/UDP - how to determine per device
TL;DR: Firewalla is blocking inbound and outbound communications to a number of IoT devices, making them non-functional.
Details: After having Firewalla installed for the past several months, a number of IoT devices are now having issues (degradation) connecting to the internet to function properly. I have determined that Firewalla is the root cause of the issues, and by placing the device(s) into Emergency Access, functionality is restored for a period of time. My assumption is that Firewalla is dynamically determining, based on algorithms and behaviors, to block certain ports and communications inbound/outbound on the network.
Example A: Samsung Smart TV - unable to perform updates, unable to download apps from the Samsung store, TV sluggish, Samsung support unable to remote into the TV for troubleshooting.
Example B: Hunter Fan does not connect to the internet to perform updates and does not integrate into the Hunter app properly for bi-directional communication.
Example C: Apple HomeKit devices (smart plugs, speakers) unable to be managed in the Apple Home app
Here are my thoughts / questions:
I am familiar with Nmap, and while the device is on, I am able to perform the actions that are failing and capture in real time the ports that are open/closed/filtered, or in a listening state. After obtaining a list of ports I could create a port forwarding rule in Firewalla for all captured ports; however, understanding that this could inherently leave the device vulnerable to attacks, I am hesitant.
I was also able to review the device within Firewalla and see that within Ports there are ports listed as not forwarded as well.
Question 1: Is there a way that Firewalla can dynamically either build a list of ports that a device is trying to access outbound (and store that list associated with the device), or on the fly allow devices internally to connect through Firewalla over the specific ports the device needs?
Question 2: For communications that need to occur inbound, is there a way to determine what ports might need to be opened? For example, an iOS app for a device that needs to directly connect to the device would be blocked by default, but is there any easy way to filter those requests in order to allow communication to properly transmit?
I am struggling with how to create a proper port forwarding mapping (inbound and outbound) by device(s) to ensure proper communication. I am sure Firewalla captures all requests per device, inbound and outbound, and the ability to filter those requests should be possible.
-
Have you looked at this to debug the issue? https://help.firewalla.com/hc/en-us/articles/360050255274-What-to-do-when-you-can-t-access-certain-websites-
To answer your Question 1, ports are really not a good way to allow or block traffic ... Usually it is domains or IP addresses that need to be blocked or allowed.
Your inbound is always triggered by the stateful firewall; you do not need to manage it.
-
Thank you for the response. I have not yet run through the debug article you provided in detail, but I will. I have a few thoughts and comments:
While I understand that domains and/or IP addresses should be the preferred method to allow or block traffic, in many cases I am unable to determine that information (through Google searches or vendor documentation) and have to interrogate the device in some manner, which usually provides the port that is active or listening.
Question: Is the suggestion that I map out device communication by using the Firewalla Blocked Flows, which records all the flows blocked by Firewalla and will identify the IP or domain being blocked?
Then is it recommended to use Manage Rules to set access to those resources (via IP or domain) that were identified using the Firewalla Blocked Flows?
And when vendors like Apple only provide TCP/UDP ports to configure on a firewall, it seems to take extra steps to identify the domain / IP address using Firewalla Blocked Flows: https://support.apple.com/en-us/HT202944.
In regards to your comment that inbound is always triggered by a stateful firewall, what is the best way to manage workflows where communication is occurring inbound, such as RDP, remote control, or an iOS app where the session is initiated externally, without allowing the port-to-device mapping on the Firewalla?
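As an added illustration of the approach the reply suggests (group blocked flows per device by domain or IP rather than by port, and leave stateful reply traffic alone) and of the follow-up question about which inbound flows still need a port forward, here is a small Python script that is not part of the original thread and not Firewalla's own code. It reads a constructed, hypothetical CSV of blocked flows (the column layout is an assumption, not Firewalla's Blocked Flows export format, and the device names, IPs and `.example` domains are made up) and turns them into candidate allow-rule lines per device. Outbound flows are keyed on the remote name or IP, collecting the destination ports seen, because the device's own source port changes on every connection. Only unsolicited inbound flows are listed separately: replies to connections a device opened are matched by the stateful firewall and never show up as blocked, so anything in that list is either WAN noise or the one case where a port forward would actually be required.

```python
import csv
import io
from collections import defaultdict

# Constructed sample data, labelled hypothetical: this is NOT Firewalla's
# Blocked Flows export format. Columns: timestamp, device, direction
# ("out" = device-initiated, "in" = unsolicited from the WAN), protocol,
# src ip/port, dst ip/port, and the DNS name observed for the remote peer
# (empty when none was seen).
SAMPLE_BLOCKED_FLOWS = """\
ts,device,direction,proto,src_ip,src_port,dst_ip,dst_port,domain
2024-05-01T10:00:01,samsung-tv,out,tcp,192.168.1.20,51234,203.0.113.10,443,updates.tv-vendor.example
2024-05-01T10:00:02,samsung-tv,out,tcp,192.168.1.20,51235,203.0.113.10,443,updates.tv-vendor.example
2024-05-01T10:00:05,samsung-tv,out,tcp,192.168.1.20,51240,203.0.113.11,8080,updates.tv-vendor.example
2024-05-01T10:01:00,samsung-tv,out,udp,192.168.1.20,123,198.51.100.5,123,
2024-05-01T10:02:00,hunter-fan,out,tcp,192.168.1.31,40001,203.0.113.50,8883,mqtt.fan-vendor.example
2024-05-01T10:02:30,hunter-fan,out,tcp,192.168.1.31,40002,203.0.113.50,8883,mqtt.fan-vendor.example
2024-05-01T10:03:00,hunter-fan,in,tcp,198.51.100.77,55000,192.168.1.31,80,
2024-05-01T10:04:00,homepod,out,udp,192.168.1.40,16403,203.0.113.90,3478,
"""


def parse_flows(text):
    """Parse the CSV text into a list of dicts, converting ports to ints."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["src_port"] = int(row["src_port"])
        row["dst_port"] = int(row["dst_port"])
        rows.append(row)
    return rows


def build_candidates(flows):
    """Aggregate blocked flows per device into candidate allow rules.

    Outbound flows are keyed by the remote name when one was observed and
    by the remote IP otherwise: a rule on the destination is stable, while
    the device's ephemeral source port differs on every connection. Each key
    collects the (proto, dst_port) pairs seen plus a hit count for ranking.

    Inbound flows here are only the unsolicited ones. Replies to connections
    the device opened are matched by the stateful firewall and are never
    blocked, so anything in this bucket is WAN noise or a genuine case for a
    port forward.
    """
    outbound = defaultdict(lambda: defaultdict(lambda: {"ports": set(), "hits": 0}))
    inbound = defaultdict(lambda: defaultdict(int))
    for f in flows:
        dev = f["device"]
        if f["direction"] == "out":
            key = f["domain"] or f["dst_ip"]
            entry = outbound[dev][key]
            entry["ports"].add((f["proto"], f["dst_port"]))
            entry["hits"] += 1
        elif f["direction"] == "in":
            inbound[dev][(f["proto"], f["dst_port"], f["src_ip"])] += 1
    return {"outbound": outbound, "inbound": inbound}


def render_rules(cands):
    """Return one readable candidate-rule line per target, most-hit first."""
    lines = []
    for dev in sorted(cands["outbound"]):
        targets = cands["outbound"][dev]
        for key, entry in sorted(targets.items(), key=lambda kv: -kv[1]["hits"]):
            ports = ", ".join(f"{p}/{n}" for p, n in sorted(entry["ports"]))
            lines.append(f"{dev}: allow outbound to {key} ({ports}; {entry['hits']} blocked flows)")
    for dev in sorted(cands["inbound"]):
        for (proto, port, src), hits in sorted(cands["inbound"][dev].items()):
            lines.append(
                f"{dev}: unsolicited inbound {proto}/{port} from {src} ({hits}x); "
                "port-forward only if the app really connects directly, else treat as noise"
            )
    return lines


if __name__ == "__main__":
    for line in render_rules(build_candidates(parse_flows(SAMPLE_BLOCKED_FLOWS))):
        print(line)
```

The ranking by hit count is what makes the list actionable: the entries a device retries constantly (the TV's update host, the fan's MQTT broker) are the ones to allow first, while a single unsolicited inbound connection from the internet is far more likely to be a scanner than the vendor's app, and is the only kind of flow for which a port forward would change anything.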