Block outbound ports ?

Comments

10 comments

  • Melvin Tu

    Hi Damon,

    It's not available in the app yet, it's on our todo list, likely in a couple of months.

    The iptables rule will get overwritten when restarting Firewalla services. But you can add a cronjob (like every 5 minutes) to add an iptables rule to block FaceTime calls if it does not exist, so even if it's overwritten, it will be automatically re-added very soon.

    Thanks,

    Melvin

    2
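Melvin's suggestion above (a cron job that re-adds the iptables rule whenever a service restart has wiped it) as an added shell example; this is not Firewalla's code and not from the thread. It assumes a standard iptables layout where LAN clients' outbound traffic transits the filter table's FORWARD chain (not verified against Firewalla's own chains), and the protocol/port pairs in `apply_rules` are constructed placeholders, not FaceTime's real port list. The point it demonstrates is idempotency: `iptables -C` checks for an identical rule without modifying anything, so gating `-I` on it means a cron run every five minutes never piles up duplicate rules.

```shell
#!/bin/sh
# Added example (not Firewalla's code): keep an outbound-port block rule in
# place even though a Firewalla service restart rewrites iptables, by making
# the rule insertion idempotent and re-running it from cron every few minutes.
#
# Assumptions (labelled): the filter table's FORWARD chain carries LAN clients'
# outbound traffic (standard iptables layout, not checked against Firewalla's
# own chains); the entries in apply_rules are constructed placeholder ports.

# Command used to talk to iptables. Overridable so the idempotency logic can be
# exercised with a stand-in when not running as root.
IPTABLES="${IPTABLES:-iptables}"

# ensure_rule CHAIN PROTO DPORT
# Inserts "-p PROTO --dport DPORT -j DROP" at the top of CHAIN unless an
# identical rule already exists. Prints what it did; returns 0 when the rule
# is present afterwards (either way), non-zero if the insertion failed.
ensure_rule() {
  chain="$1"; proto="$2"; dport="$3"
  # -C is a pure check: exit 0 if an identical rule exists, 1 otherwise, and
  # it never modifies the chain. Gating -I on it prevents the duplicate rules
  # a plain "-A" would accumulate on every cron run.
  if "$IPTABLES" -C "$chain" -p "$proto" --dport "$dport" -j DROP 2>/dev/null; then
    echo "present: $chain $proto/$dport DROP"
    return 0
  fi
  # Insert at position 1 so the DROP takes precedence over any later ACCEPT.
  "$IPTABLES" -I "$chain" 1 -p "$proto" --dport "$dport" -j DROP \
    && echo "added: $chain $proto/$dport DROP"
}

# apply_rules: the full set to re-assert on each run. Placeholder entries;
# replace them with the protocol/port pairs you actually want blocked.
apply_rules() {
  ensure_rule FORWARD tcp 12345   # constructed placeholder, not a real FaceTime port
  ensure_rule FORWARD udp 23456   # constructed placeholder, not a real FaceTime port
}

# Run with "apply" from a root cron entry such as (every 5 minutes):
#   */5 * * * * /path/to/ensure-block.sh apply
# Without the argument the script only defines the functions, which lets it
# be sourced or tested without touching the live firewall.
if [ "${1:-}" = "apply" ]; then
  apply_rules
fi
```

The five-minute interval is the worst-case window during which the block is absent after a restart; shortening the cron period narrows it at the cost of more frequent (cheap) `-C` checks. Checking with `iptables -S FORWARD` after a restart confirms whether the rule really returns, and whether it sits above any ACCEPT rule the box installs.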
  • Thanos Sioutas

    Hi, any update on this feature? It's way more productive to be able to whitelist ports (facetime for example) to be permitted or denied per device and source/dest as a regex expression (or domain). For a destination being a country/ISP I could permit facetime app to 185.16.*.* for example. Granular control (for those who know what they do). :)

    An iPad app would make this WAY easier too.

    Thanks,

    Thanos

    1
  • Melvin Tu

    We are still working on it. We will likely rebuild the foundation so that we can support various kinds of blocking, not just ports.

    In terms of iPad, it's more a UI design problem. We are also prototyping the Web and CLI interface; since iPadOS is coming, maybe using a web interface on iPad could be an option.

    Thanks,

    Melvin

    0
  • Christopher J. Shaker

    Usually, a firewall device supports Whitelists, Blacklists, and allows specific ports to be blocked or unblocked if needed.

    Chris Shaker

    0
  • Matt Smith

    @Melvin, any update on this?

    0
  • Melvin Tu

    Port blocking is already supported in the latest box and app.

    Whitelist will be supported later this summer, and a whitelist beta trial will be available in 1-2 months.

    Melvin

    1
  • Matt Smith

    Ah, so the "Remote Port" target in Blocking Rules will block an outbound connection to that port? Excellent! Thanks for the update, Melvin.

    0
  • Michael Bierman

    On a related note, I'm wondering how far the new features coming in the Gold timeframe will add to inbound defense. Right now, it seems Firewalla is focused largely on rules for outbound traffic. Honestly, other than looking for rogue devices sending information where it shouldn't go, I'm less concerned about managing outbound traffic than inbound.

    Active Protect recently failed to stop a brute force attack on some cameras I have at a rate of 1/second for an extended period. I don't know how Active Protect works, but perhaps it could be augmented by something like Cujo. When they still made consumer products, their ability to detect unusual behavior was excellent. I'm not suggesting Firewalla couldn't build their own; it is all about build vs. buy trade-offs. But I am concerned about inbound attacks.

    Rules based simply on IPs aren't practical anymore. For instance, let's say I want to allow access to those cameras while I'm on my mobile. That isn't easy. What about work? Again, I'm assuming that Active Protect is based on some kind of AI, but it doesn't seem to stop what it should. When I get Gold, I was planning on replacing my current router with it. That was the whole point of ordering Gold. But I worry that I will lose the protections it has built in, which are powered by TrendMicro and which augment Firewalla currently.

    0
  • Firewalla

    There will be a new target called "inbound traffic"; you can allow that or deny it. In addition, an "outbound traffic" target will be added as well. The inbound traffic is what you want ... Also, there will be a target such as local traffic, which will allow you to block sideways traffic ... The combination of these will help the segmentation.

    But, in general, for camera access we strongly think you should use VPN to access them. It will provide a much more solid wall.

    0
  • Michael Bierman

    Thanks. I guess when I get my Gold I will play around.

    Having to VPN in is safe, for sure. With Cujo I saw my illegal login attempts go to zero without a VPN. That part of their product was like magic.

    Someone recently suggested a reverse proxy. I don't know if I want to go through the trouble to set one up, but it seems like that might be another way to go.

    0
