Block outbound ports?

Comments

15 comments

  • Support Team

    Hi Damon,

    It's not available in the app yet, it's on our todo list, likely in a couple of months.

    The iptables rule will get overwritten when restarting Firewalla services. But you can add a cronjob (like every 5 minutes) to add an iptables rule to block FaceTime calls if it does not exist, so even if it's overwritten, it will be automatically re-added very soon.

    Thanks,

    Melvin

    2
  • Thanos Sioutas

    Hi, any update on this feature? It's way more productive to be able to whitelist ports (FaceTime for example) to be permitted or denied per device and source/dest as a regex expression (or domain). For a destination being a country/ISP I could permit the FaceTime app to 185.16.*.* for example. Granular control (for those who know what they do). :)

    An iPad app would make this WAY easier too.

    Thanks,

    Thanos

    1
  • Support Team

    Block port is already supported in the latest box and app.

    Whitelist will be supported late this summer, and a whitelist beta trial will be available in 1-2 months.

    Melvin

    1
  • Support Team

    We are still working on it. We will likely rebuild the foundation so that we can support various kinds of blocking, not just port.

    In terms of iPad, it's more a UI design problem. We are also prototyping the Web and CLI interface; since iPadOS is coming, maybe using the web interface on iPad could be an option.

    Thanks,

    Melvin

    0
  • Christopher J. Shaker

    Usually, a firewall device supports Whitelists, Blacklists, and allows specific ports to be blocked or unblocked if needed.

    Chris Shaker

    0
  • Matt Smith

    @Melvin, any update on this?

    0
  • Matt Smith

    Ah, so the "Remote Port" target in Blocking Rules will block an outbound connection to that port? Excellent! Thanks for the update, Melvin.

    0
  • Michael Bierman

    On a related note, I'm wondering how far the new features coming in the Gold timeframe will add to inbound defense. Right now, it seems Firewalla is focused largely on rules for outbound traffic. Honestly, other than looking for rogue devices sending information where it shouldn't go, I'm less concerned about managing outbound traffic than inbound.

    Active Protect recently failed to stop a brute force attack on some cameras I have at a rate of 1/second for an extended period. I don't know how Active Protect works, but perhaps it could be augmented by something like Cujo. When they still made consumer products, their ability to detect unusual behavior was excellent. I'm not suggesting Firewalla couldn't build their own; it is all about build vs. buy trade-offs. But I am concerned about inbound attacks.

    Rules based simply on IPs aren't practical anymore. For instance, let's say I want to allow access to those cameras while I'm on my mobile. That isn't easy. What about work? Again, I'm assuming that Active Protect is based on some kind of AI, but it doesn't seem to stop what it should. When I get Gold, I was planning on replacing my current router with it. That was the whole point of ordering Gold. But I worry that I will lose the protections it has built in, which are powered by TrendMicro and which augment Firewalla currently.

    0
  • Firewalla

    There will be a new target called "inbound traffic"; you can allow that or deny it. In addition, an "outbound traffic" target will be added as well. The inbound traffic is what you want ... Also, there will be targets such as local traffic, which will allow you to block sideways traffic ... The combination of these will help the segmentation.

    But, in general for camera access, we strongly think you should use VPN to access them. It will provide a much more solid wall.

    0
  • Michael Bierman

    Thanks. I guess when I get my Gold I will play around.

    Having to VPN in is safe, for sure. With Cujo I saw my illegal login attempts go to zero without a VPN. That part of their product was like magic.

    Someone recently suggested a reverse proxy. I don't know if I want to go through the trouble to set one up, but it seems like that might be another way to go.

    0
  • Chris Thomas

    Can we add the ability to specify a destination AND a destination port?

    This is more of an issue when writing rules for traffic headed to other network segments, and less of an issue for traffic headed to the internet, although it would be nice to write a rule that says permit tcp:80,443 to "United States" ... I don't think that is possible today.

    In my case, I'm trying to restrict access to mgmt ports on servers in other network segments, and while I could write a rule that says block "remote port ssh", that still leaves 65k ports open when I permit traffic into another network.

    ...ct

    0
  • Sean K

    For example, right now I'm trying to block port 25 and a handful of other ports outbound to the internet, but I want to leave it open between my VLANs.
    How would you achieve something like that without having to build hundreds of rules? Am I missing something?

    0
  • Firewalla

    You should be able to do this by specifying the target as local network segment. More here https://help.firewalla.com/hc/en-us/articles/360008521833-Manage-Rules

    0
  • Sean K

    I don't see how I can only target "traffic to internet" and port 25?

    Without blocking vlan traffic.

    0
  • Support Team

    @Sean

    Sorry, this is not supported in the app yet. You may email help@firewalla.com, we can help create a rule in the box directly.

    0
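The two "on the box" cases in this thread, the Support Team's cron-re-added iptables rule and Sean's "port 25 to the internet but not between VLANs", as an added example that is not Firewalla's own code. It assumes iptables on the box, LAN-to-WAN traffic passing the FORWARD chain, VLANs in the RFC 1918 ranges listed, root when applying, and constructed chain names; the FaceTime case is the same call with Apple's published FaceTime ports substituted.

```shell
#!/bin/sh
# Added example, not Firewalla's own code. Keeps an outbound port block in place by
# re-adding it idempotently, so a cron job can run it every few minutes after a
# Firewalla service restart has wiped manual rules. Assumptions: iptables is on the box,
# LAN-to-WAN traffic passes the FORWARD chain, the VLANs use these RFC 1918 ranges,
# and the script runs as root when applying. Ranges and chain names are constructed.
IPT="${IPT:-iptables}"
CHAIN="${CHAIN:-FORWARD}"
LOCAL_NETS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"   # inter-VLAN traffic stays allowed

# ensure -A|-I <chain> <rule...>: add the rule only when "iptables -C" does not find it,
# so repeated cron runs never stack duplicates. Prints "present" or "added".
ensure() {
  how="$1"; chain="$2"; shift 2
  if "$IPT" -C "$chain" "$@" 2>/dev/null; then
    echo "present"
  else
    "$IPT" "$how" "$chain" "$@" && echo "added"
  fi
}

# ensure_chain <name>: create a user chain; "-N" fails harmlessly if it already exists.
ensure_chain() {
  "$IPT" -N "$1" 2>/dev/null || true
}

# block_outbound_port <proto> <port>: reject that destination port towards the internet
# while leaving it open between local segments. The jump from FORWARD matches only the
# port; inside the per-port chain, local destinations RETURN before the final REJECT.
block_outbound_port() {
  proto="$1"; port="$2"; sub="OUTBLOCK_${proto}_${port}"
  ensure_chain "$sub"
  for net in $LOCAL_NETS; do
    ensure -A "$sub" -d "$net" -j RETURN
  done
  ensure -A "$sub" -j REJECT
  ensure -I "$CHAIN" -p "$proto" --dport "$port" -j "$sub"   # -I puts it ahead of other rules
}

# Cron entry (every 5 minutes, as the Support Team suggests):
#   */5 * * * * /root/block-outbound-ports.sh apply
if [ "${1:-}" = "apply" ]; then
  block_outbound_port tcp 25          # SMTP to the internet only; VLAN-to-VLAN untouched
  block_outbound_port tcp 587
fi
```

Check the result with `iptables -L FORWARD -n --line-numbers` and `iptables -L OUTBLOCK_tcp_25 -n`; a second run prints only "present" lines.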
