WARNING - Allow rules to IP or Domain are BI-DIRECTIONAL!
WARNING!!!
If you write an ALLOW rule to permit a Network/Group/Device to a specific IP Address or Domain, without a port defined, the rule is BI-DIRECTIONAL! Firewalla considers this an 'exception' to any 'block' rules, including the default rule that is designed to block inbound traffic from the Internet.
This means, if you are running IPv6, and you write a rule to allow a device in your network to Domain "ipv6scanner.com", Firewalla is now allowing traffic from ipv6scanner.com to the IPv6 addresses associated with the Network/Group/Device defined in your rule, on all ports.
Simply modifying the IP Address or Domain rule to include a port appears to result in the rule being created as unidirectional.
https://help.firewalla.com/hc/en-us/articles/360008521833-Manage-Rules
Reference Posts
[Feature Request] Allow stateful outbound traffic instead of just allowing in and out
https://help.firewalla.com/hc/en-us/community/posts/4405028934931
Device to device rule vs target to device rule?
https://help.firewalla.com/hc/en-us/community/posts/4406620003219
Recommendation to Firewall team
These bi-directional rules are unnecessary and present a huge security risk for anyone who doesn't understand exactly what Firewalla is doing under the hood. Additionally, the fact that the behavior varies depending on whether you define a port or not makes this even more complex to understand.
I recommend that you completely eliminate bi-directional rules from the Firewalla platform.
...ct
-
@Firewalla Team,
There is already at least one feature request [https://help.firewalla.com/hc/en-us/community/posts/4405028934931] out there to eliminate the use of bi-directional rules, and given the potential risk of those with IPv6 enabled networks inadvertently exposing their devices as a result of misunderstanding how and when these bi-directional rules are created, I think it would be prudent to leave this post in the General Discussion space.
-
I agree. This isn't a feature request, it's a security hole that needs fixing yesterday.
I'm really struggling to figure out how this made sense to anyone to design it this way in the first place. You clearly have some very talented PM & Dev engineers at Firewalla, but this behavior literally goes against ALL the norms of building a security device.
Can someone at Firewalla explain how you got here? What scenario were you trying to solve? I can't figure it out, and honestly, my curiosity is now getting the better of me... because every scenario I think of that this behavior breaks is one where I want to be more secure, not less...
Scenario 1:
I have an IOT / untrusted network that I want to separate from my trusted network, so I create 2 VLANs and block inter-VLAN traffic. At this point I'm good, I have all my IOT stuff partitioned off, but some of that IOT stuff, or maybe a printer, I want to be able to connect to directly when I'm at home, so I create a rule to allow traffic from my trusted network to my printer. Everything works, I can print, but what I don't know is that my printer, on my untrusted network, now has complete access to my trusted network... I can't check this, because my printer has no terminal I can SSH into and try pinging back to anything... but should someone manage to hack my printer they now have nothing blocking them from poking around my trusted network, which is exactly why I set up a separate VLAN in the first place.
Scenario 2:
I lock everything down super tight. I have a VLAN that for whatever reason I only allow access to a curated list of websites / services; maybe I'm a business and I only want people to access very specific sites. So I block everything and set up some very specific "outbound" allow rules. I think I'm good. But in reality what I just did was open up that VLAN / Group / specific device to the target domain / IP on the Internet that I set up in the rule (assuming I wasn't smart / lucky enough to set up 2 rules for every web site for http & https and whatever ports whatever the service was that I was trying to grant outbound access for). I have no way to test this or be made aware of it because I can't run a port scan from https://www.somewebsite.com back to my FWG. BUT... I do occasionally use the Open Ports scan on my FWG and it says everything is rosy... but it's not, because it's not testing from any of the domain / ip addresses that I've configured an allow rule for...
I would love to know, as I'm sure others would, exactly when you will fix this security vulnerability, and exactly what scenario was envisioned that this behavior made any sense in?
You have a ton of community support / good will because your product is good, but you have to be transparent about how you got people into this state and what you were trying to solve for in the first place.
If anyone reading this isn't concerned then they should go read up on what a firewall is and how they work, because if you've configured any rules on your device you are probably not getting what you think you paid for.
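An added example (not code from the thread or from Firewalla) that models the rule semantics described in the original post and in the two scenarios above, so the exposure can be checked mechanically. The default policy, the `Rule` and `Packet` shapes, and the selector names are assumptions of this model, not Firewalla's implementation.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "block"
    src: str                    # local Network/Group/Device the rule is written for
    target: str                 # remote IP address or domain
    port: Optional[int] = None  # None = no port defined in the rule

@dataclass(frozen=True)
class Packet:
    local: str      # local Network/Group/Device the device belongs to
    remote: str     # remote IP address or domain (assumed already resolved)
    dport: int      # destination port
    inbound: bool   # True when the remote side initiated the connection

def evaluate(rules: list[Rule], pkt: Packet) -> str:
    """Return 'allow' or 'block' for one packet under the behaviour the post describes.
    Assumed default policy: outbound permitted, unsolicited inbound from the Internet blocked."""
    matching = [r for r in rules if r.src == pkt.local and r.target == pkt.remote]
    for r in matching:
        if r.action != "allow":
            continue
        if r.port is None:
            return "allow"   # portless allow: exception to every block, BOTH directions, all ports
        if not pkt.inbound and pkt.dport == r.port:
            return "allow"   # allow with a port: outbound to that one port only
    if any(r.action == "block" for r in matching):
        return "block"       # explicit block, no allow exception matched
    return "block" if pkt.inbound else "allow"

def inbound_exposure(rules: list[Rule], local: str, remote: str, ports=range(1, 1025)) -> list[int]:
    """Ports on `local` that `remote` could reach unsolicited, i.e. what a scan run
    from that specific remote would find (a scan from anywhere else sees nothing)."""
    return [p for p in ports if evaluate(rules, Packet(local, remote, p, inbound=True)) == "allow"]

if __name__ == "__main__":
    portless = [Rule("allow", "lan", "ipv6scanner.com")]           # as in the original post
    with_port = [Rule("allow", "lan", "ipv6scanner.com", port=443)]
    print(len(inbound_exposure(portless, "lan", "ipv6scanner.com")))   # 1024: every port open to that host
    print(inbound_exposure(with_port, "lan", "ipv6scanner.com"))       # []: port-qualified rule is one-way
    # A generic "Open Ports" scan does not originate from the allowed domain, so it reports nothing:
    print(inbound_exposure(portless, "lan", "scanner.example"))        # []
```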
-
Originally the Firewalla software did not offer the "allow" option (the allow feature was only added about 12 months back); a few of us felt it was not needed, until rules got complex and customers started to demand a way to give exceptions to "blocks". Meaning, the original demand for the allow was primarily driven by "let me talk to a trusted server". So the allow rule is really the exception rule that gives trusted server access. In the past year, we started working on controlling the "exception"; for example, you can open ports better with this https://help.firewalla.com/hc/en-us/articles/1500009502622-How-to-limit-access-to-open-port-or-port-forwarded- which is a way to limit ports "allow".
All of our developers agree on the directional allow rule, so they already started the work, hopefully, a version of it will be in preview in 5 days.
-
@firewalla I hope your developers will go through the full test on these things. I am a developer myself; while hacking away at code is good, just please do not do a half ass job and break things!
And, thank you for listening! I am a red/blue/Gold and future purple owner :) The reason I bought your box is I know you all care about the product!
-
@1980cyber I’m sorry but what a pointless comment. Can I ask you what you think firewalla response would be to your I’m a developer please do not do a half ass job…seriously. Of course we will do a half ass job at cocking everything up, because we don’t know what we are doing. Please advise the best course of action.