updated subject: Creating outbound rule silently creates mirrored inbound rule

Comments

34 comments

  • Chris Thomas

    @Firewalla,

      I don't think this is enough; if IT Professionals do not accurately understand the differences between unidirectional and bidirectional firewall rules or when to use them, how can there be any expectation that less technical people would understand when it would be appropriate to select 'outbound only' vs 'bidirectional' ?

      The problem is that most people don't know what TCP is, or that a stateful firewall will automatically allow the response (inbound) traffic associated with the 'outbound' flow that was initiated (or has been established) from the endpoint inside the network.  Thus, when presented with the question "do you need to allow this traffic bidirectionally?", they almost always select 'bidirectional' because they believe that they need to permit the return traffic from the destination endpoint.

      It is my opinion that we need to completely eliminate the use of, and any reference to bi-directional firewall rules from the Firewalla platform.

    ..ct

    0
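The behaviour Chris describes, shown as an added example (this is not Firewalla's code, and the addresses, ports and rule shape are made up for the illustration): a toy stateful packet filter in Python. It assumes the "bidirectional" option is modelled as the outbound rule copied into an inbound allow from the same remote host to any local port; that shape is an assumption for the example, not a description of the actual bug. Running it shows that an outbound-only rule on a stateful filter already admits the reply, that the mirrored inbound rule additionally admits unsolicited connections from the remote host, and that only a stateless ACL needs the inbound rule for return traffic.

```python
# Toy stateful packet filter. Added example, not Firewalla code.
# Hosts, ports and the mirrored-rule shape are assumptions for illustration.
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # first packet of a TCP handshake
    ack: bool = False


@dataclass(frozen=True)
class Rule:
    direction: str              # "out": local -> remote, "in": remote -> local
    action: str                 # "allow" or "block"
    remote: str                 # remote host the rule names
    dport: Optional[int] = None  # destination port; None means any


def mirror(rule: Rule) -> Rule:
    """Assumed model of 'bidirectional': the outbound rule is copied as an
    inbound rule from the same remote host to any local port."""
    return Rule("in", rule.action, rule.remote, None)


@dataclass
class Firewall:
    local_prefix: str      # e.g. "10.0.20." for the protected network
    rules: list
    stateful: bool = True
    conntrack: set = field(default_factory=set)   # flows the local side opened

    def direction(self, p: Packet) -> str:
        return "out" if p.src.startswith(self.local_prefix) else "in"

    def filter(self, p: Packet) -> str:
        d = self.direction(p)
        # A stateful filter admits replies to flows the local side opened
        # without any inbound rule; this is why 'bidirectional' is not needed.
        if self.stateful and d == "in" and \
                (p.dst, p.dport, p.src, p.sport) in self.conntrack:
            return "allow (established)"
        remote = p.dst if d == "out" else p.src
        verdict = "block" if d == "in" else "allow"   # default policy
        for r in self.rules:   # first matching explicit rule wins
            if r.direction == d and r.remote == remote and r.dport in (None, p.dport):
                verdict = r.action
                break
        # Remember outbound connections we allowed so their replies get through.
        if self.stateful and verdict == "allow" and d == "out" and p.syn and not p.ack:
            self.conntrack.add((p.src, p.sport, p.dst, p.dport))
        return verdict


CAMERA, SERVER = "10.0.20.5", "203.0.113.10"   # constructed addresses
outbound = Rule("out", "allow", SERVER, 443)


def run(rules, stateful=True):
    """Push three constructed packets through a fresh firewall and return verdicts."""
    fw = Firewall("10.0.20.", rules, stateful)
    open_syn = Packet(CAMERA, 51234, SERVER, 443, syn=True)
    reply = Packet(SERVER, 443, CAMERA, 51234, syn=True, ack=True)
    unsolicited = Packet(SERVER, 40000, CAMERA, 22, syn=True)   # remote host opens a new connection
    return {
        "open": fw.filter(open_syn),
        "reply": fw.filter(reply),
        "unsolicited": fw.filter(unsolicited),
    }


if __name__ == "__main__":
    print("outbound only, stateful :", run([outbound]))
    print("bidirectional, stateful :", run([outbound, mirror(outbound)]))
    print("outbound only, stateless:", run([outbound], stateful=False))
```

The third run is the case that causes the confusion: on a stateless ACL the reply really is dropped, so people carry the "I need an inbound allow too" habit over to stateful firewalls, where it only adds the unsolicited-inbound hole shown in the second run.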
  • A M

    @Firewalla,

    First of all... wow! I do really like what you've done with this system in general (yesterday was my first day with this hands on vs just reading about it). Also super impressed by the quick roll out of this fix/correction.

    Now, per Chris' comment above... I'm no pro and likely will not run extensive tests to give you technical feedback/validation that every last hole is plugged. That said, I kept thinking about this from a UI perspective... in particular, how often would one REALLY need to have what we've called a "bi-directional" rule in a stateful firewall?

    My example use case is that I have several homekit cameras that I want to put on a VLAN with no WAN/LAN access, with the ability to only initiate a connection with an Apple TV on a different VLAN. Then, that Apple TV will also need access to the cameras but that is inherited from the VLAN to VLAN policy (I am OK devices on the Apple TV VLAN being able to reach devices on the camera VLAN). Even in this case, there is no need for a "bi-directional" rule because the other network policies take care of things.

    Bottom line, I don't think having an option for creating a bi-directional rule presents any major convenience or time saving that would make up for the potential risks and user confusion that this option creates. Like Chris, I think making all rules "uni-directional" and updating the documentation is the best path forward.

    0
  • mobius strip

    @Chris Thomas

    These ACLs, which would have to be implemented on the router(s) or switch(es), would be stateless rules.


    Fair enough, that is technically the accurate description… I was trying to cut down on the technical jargon, so I likened the firewall between (V)LANs to having stateless rules, to be a bit more inclusive of users without much exposure to firewalls in general… so if they wanted to, they could Google the difference between a stateful and stateless firewall to get the general idea.

    Yeah, moot point of course, as you said, with respect to the subject of this thread, but for educational sake / technical accuracy, “stateless ACLs”, as you nicely put it, is the deal.

    0
  • mobius strip

    @Firewalla : Thanks!!!

    @Chris Thomas 

    I initially overlooked this when I read @Firewalla ‘s last response above, but just WRT the warning, are you calling for something more?

    The warning is a good idea, we will add that to 1.48


    Thus, when presented with the question "do you need to allow this traffic bidirectionally?", they almost always select 'bidirectional' because they believe that they need to permit the return traffic from the destination endpoint.

    Yeah, I’ve seen a good number of users new to firewalls automatically do this too, when they post screenshots of their firewall rules in community support forums asking for tips for their ‘prosumer’ or basic/simplified SOHO/small-business routers that have configurable firewall rules….

    Without knowing what a stateful firewall means practically speaking, beginning users get the impression that they need to create ’Allow’ rules in the Inbound Rules section for return web traffic or whatever, and/or some of them sometimes will think that they need to delete the default Drop/Block Inbound traffic from WAN rule (or change it to Allow) without realizing that they are essentially disabling their firewall’s protection against Internet traffic altogether!

    For WAN rules, the warning for the bidirectionality might need to say something like: ‘Only do this if you know what you are doing and you understand the risks’

    For (V)LAN to VLAN rules, the warning could be a little less severe and say something like: ‘You may not need to make this rule bidirectional in many cases. If you’re not sure you need to enable this, try first using your devices involved without making this rule bidirectional, for better security between your local networks. For more info and best practices, check out <Firewalla support site url here>’


    Maybe somebody has a better opinion though.

    1
