Why are some flows not blocked automatically
As I have 2 web services (Home Assistant and UniFi controller) available behind my router (router > Firewalla Purple in bridge mode > all the rest of my devices), I have a reverse proxy server installed behind the Firewalla to manage this and avoid exposing everything to the web. My router has port forwarding on port 80 for this purpose to the proxy server. Firewalla is in strict mode.
Now when I look at the flows there are a lot of flows ending up on the proxy server (about 1000 in 24h). Most of these are from very dubious IP numbers when I look them up (e.g. Cisco Talos or AbuseIPDB tells me this under security info).
Few questions:
1) Why does Firewalla not block these automatically? These are clearly listed malicious IPs; I would expect them to get blocked automatically.
2) As they are not automatically blocked, I would love to block them before they get to the proxy server. What would be the easiest way? There are so many, and so many new unique ones, that I need to set up some kind of rule. Some advice appreciated.
3) In some cases I see multiple KB upload/download. Many around 5 KB, but sometimes even 300 KB. What does that tell me? Seems like a lot of data for an attempt.
4) In many cases I see port numbers used by these flows that are not open on the proxy (according to Firewalla), nor are they open on the router, which has only 80 & 443 open (according to Firewalla & checked). How can this be the case?
-
Did you insert an allow rule when you did the port forward? When you do that, it pretty much gives an exception to all traffic (except the really bad actors; those will always be blocked). The ones that do web scans or crawlers will be allowed. You can find out more here: https://help.firewalla.com/hc/en-us/articles/1500009502622-How-to-limit-access-to-open-port-or-port-forwarded-
If you are running a web service or a proxy to a web service, the amount of data is really managed by your server, so you need to look at the service running.
If you worry other ports are getting in, double-check your "allow" rules. You should have very, very few of them.
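The reply above says the traffic volume is the web service's business and that a broad allow rule is what lets scanners through; the question asks how to turn "so many new unique" sources into a rule. The script below is an added example (not from the thread, Firewalla, or the proxy software) of how a practitioner would triage an exported flow list before writing that rule. It assumes the flows are exported as CSV lines `src_ip,dst_ip,dst_port,upload_bytes,download_bytes` (an assumed format), IPv4 sources, and that only 80 and 443 are forwarded, as stated in the thread; the sample records are constructed, not captured traffic. It separates sources that touched ports that were never forwarded (the record is just the connection attempt, which matches question 4), sources that moved enough bytes that the service actually answered (question 3: look at the service's own access log), and plain web probes, then collapses repeat offenders into /24 candidates for a block rule.

```python
"""Triage exported flow records for a port-forwarded reverse proxy.

Added example, not code from the thread or from Firewalla. Assumed export
format: 'src_ip,dst_ip,dst_port,upload_bytes,download_bytes' per line.
"""
import ipaddress
from collections import defaultdict

# Ports the router actually forwards to the proxy (thread: 80 & 443 only).
ALLOWED_PORTS = {80, 443}
# Above this many bytes in either direction the service served or accepted
# real content, so the answer lies in the service's access log, not the firewall.
BULK_BYTES = 100 * 1024

# Constructed sample export (RFC 5737 documentation addresses, not real traffic).
SAMPLE_FLOWS = """\
203.0.113.10,192.168.1.50,80,412,5120
203.0.113.10,192.168.1.50,80,398,5200
203.0.113.11,192.168.1.50,80,380,4900
203.0.113.12,192.168.1.50,80,401,307200
198.51.100.7,192.168.1.50,22,60,0
198.51.100.7,192.168.1.50,8080,60,0
198.51.100.7,192.168.1.50,443,60,0
192.0.2.200,192.168.1.50,443,2300,900
"""


def parse_flows(text):
    """Return (src, dst_port, upload_bytes, download_bytes) tuples; src kept as str."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, _dst, port, up, down = line.split(",")
        ipaddress.ip_address(src)  # validate early; raises on garbage
        flows.append((src, int(port), int(up), int(down)))
    return flows


def summarize(flows):
    """Per-source: set of destination ports, flow count, largest transfer seen."""
    per_src = defaultdict(lambda: {"ports": set(), "flows": 0, "max_bytes": 0})
    for src, port, up, down in flows:
        s = per_src[src]
        s["ports"].add(port)
        s["flows"] += 1
        s["max_bytes"] = max(s["max_bytes"], up, down)
    return per_src


def classify(summary):
    """Label each source.

    scanner: hit a port that was never forwarded, so nothing behind the router
             answered; the record is the inbound attempt itself.
    bulk:    a transfer exceeded BULK_BYTES, i.e. the web service actually
             responded with (or accepted) content; inspect the service.
    probe:   forwarded ports only, small transfers; ordinary web scanning.
    """
    labels = {}
    for src, s in summary.items():
        if s["ports"] - ALLOWED_PORTS:
            labels[src] = "scanner"
        elif s["max_bytes"] > BULK_BYTES:
            labels[src] = "bulk"
        else:
            labels[src] = "probe"
    return labels


def block_candidates(labels, min_hosts_per_24=2):
    """Turn scanner/probe sources into CIDR strings for a block rule.

    Several hosts from one /24 collapse into the /24 (scanners rotate within
    a range); a lone host stays a /32. IPv4 only, as assumed above.
    """
    by_net = defaultdict(set)
    for src, label in labels.items():
        if label in ("scanner", "probe"):
            by_net[ipaddress.ip_network(f"{src}/24", strict=False)].add(src)
    out = set()
    for net, hosts in by_net.items():
        if len(hosts) >= min_hosts_per_24:
            out.add(str(net))
        else:
            out.update(f"{h}/32" for h in hosts)
    return sorted(out, key=ipaddress.ip_network)


def triage(text):
    """Convenience wrapper: flow text -> (labels per source, CIDR block candidates)."""
    labels = classify(summarize(parse_flows(text)))
    return labels, block_candidates(labels)


if __name__ == "__main__":
    labels, cidrs = triage(SAMPLE_FLOWS)
    for src, label in sorted(labels.items()):
        print(f"{src:16} {label}")
    print("block candidates:", ", ".join(cidrs))
```

The output is a starting point, not a substitute for fixing the allow rule: as the reply notes, a blanket allow on the forwarded port overrides blocking, so narrow that rule first (per the linked article), then feed the remaining candidates into an explicit block rule and re-run the triage on the next day's export to see what still reaches the proxy.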