If you write an ALLOW rule to permit a Network/Group/Device to a specific IP Address or Domain, without a port defined, the rule is BI-DIRECTIONAL! Firewalla considers this an 'exception' to any 'block' rules, including the default rule that is designed to block inbound traffic from the Internet.
This means, if you are running IPv6, and you write a rule to allow a device in your network to Domain "ipv6scanner.com", Firewalla is now allowing traffic from ipv6scanner.com to the IPv6 addresses associated with the Network/Group/Device defined in your rule, on all ports.
Simply modifying the IP Address or Domain rule to include a port appears to result in the rule being created as unidirectional.
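A toy model of the behaviour described above, added here as an illustration and not Firewalla's own code. The rules and flows are constructed, and the model assumes exactly what the post observes: an ALLOW rule with no port admits both directions on all ports, an ALLOW rule with a port matches outbound only, and the default policy blocks inbound while permitting outbound. The `audit` function flags the rules that silently open inbound access.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Rule:
    action: str          # "allow" or "block"
    scope: str           # constructed label for the Network/Group/Device
    target: str          # IP address or domain the rule points at
    port: Optional[int]  # None means no port was defined in the rule

@dataclass(frozen=True)
class Flow:
    direction: str       # "outbound" (local -> remote) or "inbound" (remote -> local)
    local: str           # constructed label for the local Network/Group/Device
    remote: str          # remote domain/IP
    port: int            # destination port of the flow

def allow_rule_matches(rule: Rule, flow: Flow) -> bool:
    """Model of the post's observation (assumption, not Firewalla's documented logic)."""
    if rule.action != "allow":
        return False
    if rule.scope != flow.local or rule.target != flow.remote:
        return False
    if rule.port is None:
        # No port defined: treated as an exception in BOTH directions on ALL ports.
        return True
    # Port defined: observed to behave unidirectionally (outbound only).
    return flow.direction == "outbound" and rule.port == flow.port

def evaluate(rules: List[Rule], flow: Flow) -> str:
    """ALLOW rules are exceptions to block rules, including the default inbound block."""
    if any(allow_rule_matches(r, flow) for r in rules):
        return "allow"
    # Assumed default policy: inbound from the Internet blocked, outbound permitted.
    return "block" if flow.direction == "inbound" else "allow"

def audit(rules: List[Rule]) -> List[Rule]:
    """Return ALLOW rules with no port: each one is effectively bi-directional."""
    return [r for r in rules if r.action == "allow" and r.port is None]

if __name__ == "__main__":
    risky = [Rule("allow", "laptop", "ipv6scanner.com", None)]
    safer = [Rule("allow", "laptop", "ipv6scanner.com", 443)]
    probe = Flow("inbound", "laptop", "ipv6scanner.com", 22)
    print("no-port rule, inbound to port 22:", evaluate(risky, probe))   # allow
    print("port 443 rule, inbound to port 22:", evaluate(safer, probe))  # block
    print("flagged by audit:", [r.target for r in audit(risky)])
```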
Recommendation to Firewalla team
These bi-directional rules are unnecessary and present a huge security risk for anyone who doesn't understand exactly what Firewalla is doing under the hood. Additionally, the fact that the behavior varies depending on whether you define a port or not makes this even more complex to understand.
I recommend that you completely eliminate bi-directional rules from the Firewalla platform.