As I have 2 web services (Home Assistant and UniFi Controller) available behind my router (router > Firewalla Purple in bridge mode > all the rest of my devices), I have a reverse proxy server installed behind the Firewalla to manage this and avoid exposing everything to the web. My router has port forwarding on port 80 for this purpose to the proxy server. Firewalla is in strict mode.
Now when I look at the flows there are a lot of flows ending up on the proxy server (about 1000 in 24h). Most of these are from very dubious IP addresses when I look them up (e.g. Cisco Talos or AbuseIPDB tells me this under security info).
1) Why does Firewalla not block these automatically? These are clearly listed malicious IPs; I would expect them to get blocked automatically.
2) As they are not automatically blocked, I would love to block them before they get to the proxy server. What would be the easiest way? There are so many, and so many new unique ones, that I need to set up some kind of rule. Some advice would be appreciated.
3) In some cases I see multiple KB of upload/download. Many around 5 KB, but sometimes even 300 KB. What does that tell me? It seems like a lot of data for an attempt.
4) In many cases I see port numbers used by these flows that are not open on the proxy (according to Firewalla), nor are they open on the router, which has only 80 & 443 open (according to Firewalla & checked). How can this be the case?
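One way to turn a day's flow records into a short blocklist for question 2, as an added Python example that is not Firewalla code and does not use any Firewalla API: it reads constructed flow records, treats any connection to a port the proxy does not serve (question 4) as a probe worth blocking, and lists the large transfers from question 3 for review rather than blocking on volume alone. The record shape, the open-port set, the hit threshold and the plain-text rule wording are all assumptions.

```python
from collections import defaultdict

# Ports the proxy host is meant to serve. The post says only 80 and 443 are
# forwarded by the router; assumption: the proxy listens on exactly these.
OPEN_PORTS = frozenset({80, 443})

# Constructed sample flow records in the shape (source_ip, dest_port,
# bytes_uploaded, bytes_downloaded). Addresses come from the RFC 5737
# documentation ranges; nothing here is a real observed flow.
SAMPLE_FLOWS = [
    ("203.0.113.10", 80, 1200, 5300),      # ordinary web hit
    ("203.0.113.10", 80, 900, 4800),
    ("198.51.100.7", 8080, 60, 0),         # probes of ports nothing listens on
    ("198.51.100.7", 8443, 60, 0),
    ("198.51.100.7", 80, 300, 2100),
    ("192.0.2.55", 443, 400, 310000),      # large download worth a look
    ("203.0.113.200", 22, 0, 0),           # single probe of a closed port
]


def summarize(flows, open_ports=OPEN_PORTS):
    """Per-source totals: hits, hits on closed ports, bytes up/down, ports seen."""
    stats = defaultdict(lambda: {"hits": 0, "closed_port_hits": 0,
                                 "bytes_up": 0, "bytes_down": 0, "ports": set()})
    for src, port, up, down in flows:
        s = stats[src]
        s["hits"] += 1
        s["ports"].add(port)
        if port not in open_ports:
            s["closed_port_hits"] += 1
        s["bytes_up"] += up
        s["bytes_down"] += down
    return dict(stats)


def block_candidates(flows, hit_threshold=5, open_ports=OPEN_PORTS):
    """Sources to feed into a block rule: any source that touched a port the
    proxy does not serve (assumption: the flow logger records the attempt
    even when nothing accepts the connection) or that made at least
    hit_threshold connections in the window."""
    out = []
    for src, s in summarize(flows, open_ports).items():
        if s["closed_port_hits"] > 0 or s["hits"] >= hit_threshold:
            out.append(src)
    return sorted(out)


def large_transfers(flows, byte_limit=100_000):
    """Sources whose total download exceeds byte_limit. These are flagged for
    review rather than blocked, since a legitimate client can pull that much."""
    return sorted(src for src, s in summarize(flows).items()
                  if s["bytes_down"] > byte_limit)


def rule_lines(flows):
    """Render the decisions as plain text the reader can map onto their
    firewall's own rule form (generic wording, not Firewalla's syntax)."""
    lines = [f"block inbound from {src}" for src in block_candidates(flows)]
    lines += [f"review traffic from {src}" for src in large_transfers(flows)]
    return lines


if __name__ == "__main__":
    for line in rule_lines(SAMPLE_FLOWS):
        print(line)
```

Run as-is it prints two block lines and one review line for the constructed data; pointing `SAMPLE_FLOWS` at an export of real flow records (same four fields per row) gives a daily candidate list, and the closed-port test does most of the work since a genuine web client of the proxy never has a reason to touch 8080, 8443 or 22.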