Block outbound ports?
Is there a way to selectively block outbound tcp/udp ports? I'd like to prevent FaceTime calls on the network, which can be accomplished by blocking outbound tcp/5223. I know iptables is under the hood, so if this isn't possible in the UI can I simply edit the iptables config, or will it be overwritten?
Thanks
-
Hi Damon,
It's not available in the app yet, it's on our todo list, likely in a couple of months.
The iptables rule will get overwritten when restarting Firewalla services. But you can add a cronjob (like every 5 minutes) to add an iptables rule to block FaceTime calls if it does not exist, so even if it's overwritten, it will be automatically re-added very soon.
Thanks,
Melvin
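The cron approach Melvin describes, written out as an added example (this is not Firewalla's code, and nothing here comes from the box's own rule set). The script is idempotent: each run checks for the rule with `iptables -C` and inserts it with `iptables -I` only when a service restart has flushed it. Assumptions not stated in the thread: LAN devices' traffic transits the box, so the rule is placed in the filter table's FORWARD chain (OUTPUT would only cover traffic originated by the box itself); the chain, port and iptables binary are overridable through environment variables so the logic can be exercised without touching a live firewall.

```shell
#!/bin/sh
# Added example (not Firewalla's code): idempotent cron job that re-adds a
# DROP for outbound tcp/5223 (the FaceTime port named in the thread) whenever
# a Firewalla service restart has flushed it.
#
# Assumptions not from the thread:
#   - LAN traffic is forwarded by the box, so the rule lives in FORWARD.
#   - Port, chain and binary can be overridden via environment variables.
#
# Example crontab line (every 5 minutes, as suggested in the thread):
#   */5 * * * * /usr/local/sbin/block-facetime.sh apply

PORT="${FACETIME_PORT:-5223}"    # tcp/5223 per the thread
CHAIN="${BLOCK_CHAIN:-FORWARD}"  # assumption: LAN->WAN traffic transits FORWARD
IPT="${IPTABLES_BIN:-iptables}"  # overridable so tests can substitute a stub

# rule_spec: the argument list shared by -C (check) and -I (insert), so the
# existence check and the insert can never drift apart.
rule_spec() {
    printf '%s -p tcp --dport %s -j DROP' "$CHAIN" "$PORT"
}

# ensure_rule: prints "present" if the rule already exists, otherwise inserts
# it at the head of the chain and prints "added". Exit status is non-zero only
# when the insert itself fails.
ensure_rule() {
    spec=$(rule_spec)
    # Word splitting of $spec is intentional: each token is one argument.
    if "$IPT" -C $spec 2>/dev/null; then
        echo present
    else
        "$IPT" -I $spec && echo added
    fi
}

# Touch the firewall only when invoked with "apply" (as the crontab line does),
# so the functions can also be sourced and checked without side effects.
if [ "${1:-}" = "apply" ]; then
    ensure_rule
fi
```

`-I` rather than `-A` is deliberate: the DROP is inserted at the head of the chain, ahead of whatever ACCEPT rules the box installs, since a DROP appended after a matching ACCEPT would never be reached. The `-C` check keeps repeated cron runs from piling up duplicate rules.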
-
Hi, any update on this feature? It's way more productive to be able to whitelist ports (FaceTime for example) to be permitted or denied per device and source/dest as a regex expression (or domain). For a destination being a country/ISP I could permit the FaceTime app to 185.16.*.* for example. Granular control (for those who know what they do). :)
An iPad app would make this WAY easier too.
Thanks,
Thanos
-
We are still working on it. Likely rebuilding the foundation so that we can support various kinds of blocking, not just port.
In terms of iPad, it's more a UI design problem. We are also prototyping the Web and CLI interface; since iPadOS is coming, maybe using the web interface on iPad could be an option.
Thanks,
Melvin
-
On a related note, I'm wondering how far the new features coming in the Gold timeframe will add to inbound defense. Right now, it seems Firewalla is focused largely on rules for outbound traffic. Honestly, other than looking for rogue devices sending information where it shouldn't go, I'm less concerned about managing outbound traffic than inbound.
Active Protect recently failed to stop a brute force attack on some cameras I have at a rate of 1/second for an extended period. I don't know how Active Protect works, but perhaps it could be augmented by something like Cujo. When they still made consumer products, their ability to detect unusual behavior was excellent. I'm not suggesting Firewalla couldn't build their own; it is all about build vs. buy trade-offs. But I am concerned about inbound attacks. Rules based simply on IPs aren't practical anymore. For instance, let's say I want to allow access to those cameras while I'm on my mobile. That isn't easy. What about work? Again, I'm assuming that Active Protect is based on some kind of AI, but it doesn't seem to stop what it should. When I get Gold, I was planning on replacing my current router with it. That was the whole point of ordering Gold. But I worry that I will lose the protections it has built in, which are powered by TrendMicro and which augment Firewalla currently.
-
There will be a new target called "inbound traffic"; you can allow that or deny it. In addition, an "outbound traffic" target will be added as well. The inbound traffic is what you want ... Also, there will be a target such as local traffic, which will allow you to block sideways traffic ... The combination of these will help the segmentation.
But, in general, for camera access we strongly think you should use VPN to access them. It will provide a much more solid wall.
-
Thanks. I guess when I get my Gold I will play around.
Having to VPN in is safe, for sure. With Cujo I saw my illegal login attempts go to zero without a VPN. That part of their product was like magic.
Someone recently suggested a reverse proxy. I don't know if I want to go through the trouble to set one up, but it seems like that might be another way to go.
-
Can we add the ability to specify a destination AND a destination port?
This is more of an issue when writing rules for traffic headed to other network segments, and less of an issue for traffic headed to the internet, although it would be nice to write a rule that says permit tcp:80,443 to "United States" ... I don't think that is possible today.
In my case, I'm trying to restrict access to mgmt ports on servers in other network segments, and while I could write a rule that says block "remote port ssh", that still leaves 65k ports open when I permit traffic into another network.
...ct
-
You should be able to do this by specifying the target as local network segment. More here https://help.firewalla.com/hc/en-us/articles/360008521833-Manage-Rules
-
@Sean
Sorry, this is not supported in the app yet. You may email help@firewalla.com, we can help create a rule in the box directly.