- Odd choice of blocking address



  • Avatar
    Melvin Tu

    Hi Jason,


    This IP address is from a reserved IP address block, which is not supposed to be used by anybody else in a production environment.

    Reference: https://tools.ietf.org/html/rfc5737


    The reason a separated IP address is used instead of the Firewalla IP is to differentiate real traffic to Firewalla itself or blocked traffics. And we could apply different logic for different reserved IP addresses. For example, for 100.99 it will be silently dropped, for 100.100, it will be active rejected, for 100.101, it will be redirect to a sorry page.


    Note: a "sorry" page will be implemented in the future.




    Comment actions Permalink
  • Avatar
    Jason Martin

    Ah, I see my mistake.  

    tcpdump output:

    08:08:18.787502 IP > Flags [S], seq 204322262, win 29200, options [mss 1460,sackOK,TS val 238832614 ecr 0,nop,wscale 7], length 0
    08:08:18.787979 IP > ICMP tcp port http unreachable, length 68


    The Firewalla is replying with  'icmp port unreachable' which my browser showed as Connection Refused. It is not going out to a remote instance.


    Thank you for the detailed reply.

    Comment actions Permalink

Please sign in to leave a comment.

Powered by Zendesk