I am getting a lot of "Blocked malicious site X from accessing machine Y" messages on Firewalla Blue.
I am happy that it is blocking stuff, but I would like to understand why it is doing it. I suspect I am seeing these messages because they are valid and I do not understand them, but I am concerned that I have a poor network setup and the messages are really telling me that I could do better.
The network is one at home, with several machines connected, but I'll simplify and look at the worst affected one.
- I have a Linux server running a service on 192.168.1.4:8080/service
- There is a second Linux server running Apache2, listening on 192.168.1.8:443 and with a reverse proxy to the first server at 192.168.1.8:443/service. I'm using Let's Encrypt for the SSL.
- I have a fibre router providing my internet connection. This is set up
  - to port-forward traffic on 443 to the Apache server
  - to port-forward ssh on 22 to another system, and 1193 to Firewalla
  - to (as far as I can tell from the docs) not port-forward any other ports
- Firewalla is directly connected to the router, as designed
My limited understanding is that the router should be saying "not port 443/22/1193, so ignore the incoming connection". But Firewalla is reporting large numbers of "malicious site X was blocked from 192.168.1.4 on destination port 45902".
I thought the router would simply ignore that, due to the port not being forwarded, so it would never enter my network. I'm glad that Firewalla is stopping it, but I would like to know why it has to, and if I could stop it earlier.
Plus, I'd like to understand the method that a potential attack on a port my router is not forwarding could be destined to a machine behind a router firewall and proxy. (I'd understand it if it reported port 443 - that's being forwarded!)
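As a triage aid for alerts like the ones quoted above, here is an added example (not from the original post and not Firewalla's own code or log format): a Python script that parses the quoted alert wording, compares the reported destination port with the forwarded ports listed in the post (443, 22, 1193) and with the default Linux ephemeral port range, and buckets each alert. The alert regex, the sample alert lines, the reserved example domains, and the reading of an ephemeral destination port as the reply half of a connection the LAN host itself opened are assumptions to be checked against the real logs and the host's own `ss -tnp` output.

```python
import re
from collections import Counter

# Ports the post says the fibre router forwards inbound
# (443 -> Apache reverse proxy, 22 -> another host, 1193 -> Firewalla).
FORWARDED_PORTS = {443, 22, 1193}

# Default Linux client (ephemeral) port range, net.ipv4.ip_local_port_range = "32768 60999".
# Assumption: the LAN hosts are Linux boxes using that default.
EPHEMERAL_PORTS = range(32768, 61000)

# Pattern for the alert wording quoted in the post. Assumption: the real
# alert text follows this shape; adjust the regex if it does not.
ALERT_RE = re.compile(
    r"malicious site (?P<site>\S+) was blocked from "
    r"(?P<host>\d{1,3}(?:\.\d{1,3}){3}) on destination port (?P<port>\d+)"
)

# Constructed sample alerts (reserved example domains; ports chosen to hit each branch).
SAMPLE_ALERTS = [
    "malicious site bad.example was blocked from 192.168.1.4 on destination port 45902",
    "malicious site bad.example was blocked from 192.168.1.4 on destination port 51233",
    "malicious site scan.example was blocked from 192.168.1.8 on destination port 443",
    "malicious site scan.example was blocked from 192.168.1.4 on destination port 8080",
    "unrelated log line that the parser should skip",
]


def classify(port, forwarded=FORWARDED_PORTS, ephemeral=EPHEMERAL_PORTS):
    """Bucket a blocked flow by the LAN-side destination port.

    - forwarded port: the router let it in on purpose, so this is a real
      inbound attempt against an exposed service;
    - ephemeral port: on the LAN host that port is normally only the source
      side of a connection the host itself opened, so the block most likely
      concerns the reply leg of outbound traffic (assumption; verify on the
      host with `ss -tnp`);
    - anything else: inbound to a port nothing should reach; check the
      router's NAT/forwarding rules.
    """
    if port in forwarded:
        return "inbound-to-forwarded-port"
    if port in ephemeral:
        return "likely-reply-to-outbound"
    return "unexpected-inbound"


def parse_alert(line):
    """Return (site, host, port) for an alert line, or None if it does not match."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    return m.group("site"), m.group("host"), int(m.group("port"))


def triage(lines):
    """Parse alert lines and return a list of (site, host, port, verdict)."""
    results = []
    for line in lines:
        parsed = parse_alert(line)
        if parsed is None:
            continue
        site, host, port = parsed
        results.append((site, host, port, classify(port)))
    return results


def summarize(results):
    """Count verdicts per LAN host so the noisiest host and bucket stand out."""
    return Counter((host, verdict) for _, host, _, verdict in results)


if __name__ == "__main__":
    rows = triage(SAMPLE_ALERTS)
    for site, host, port, verdict in rows:
        print(f"{host:<14} port {port:<5} {site:<14} -> {verdict}")
    for (host, verdict), n in sorted(summarize(rows).items()):
        print(f"{host} {verdict}: {n}")
```

If most of a host's alerts land in the ephemeral bucket, the next check is on that host rather than on the router: list its established and recent outbound connections and see whether the flagged site appears as a peer, since a router that forwards only 443/22/1193 cannot deliver unsolicited inbound traffic to port 45902, but it will happily pass replies to connections the host started.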