Hide blocked flow messages for a device
About 98% of all flows through my FWG are blocked. These are from a single device (a network video recorder) which tries to phone home to China, the US, anywhere among about 15 destinations it tries, at a rate of around one per minute. This block is what I designed to happen so I am happy with that, and my configuration gives me external access to the NVR (via VPN). However, it would also be good to have a way of telling the Firewalla not to bother displaying those reports so I would have greater clarity to read the other 2%. This would involve hiding "blocked flow" messages from a single source such as a net (10, 172, or 192), or subnet, or IP address or MAC address. Any one of those targets would do the trick.
I assume the specific report data would be retained, just able to be hidden when reading. It might also be done with more difficulty by target IP but this is not Muting an Alarm, it is hiding part of the data in the blocked flows report.
Is there a feature I have missed that does this? If not, might there be?
-
Hi Chris, thank you for your suggestion. If I interpret correctly, you are suggesting an iptables rule which would fire in advance of rules inserted (are they in the same table?) by Firewalla, and thus they would be blocked before the FWG even noticed. Is that the idea? It is unclear whether it would work but it may be worth a try.
If so, I will need to do some more reading. I have not yet attempted to ssh into the FWG, my Unix skills antedating Linux and therefore being substantially forgotten, but that does not make it unable to be done.
-
My solution proved easy in that it was already present but I had not yet recognised the fact. My device is a Gold and the NVR is on an isolated subnet, so instead of looking at the topmost report which aggregates all subnets, it was a simple matter of looking at the network detail for the subnet of interest, thus excluding the NVR.
Aaron R's suggestion of groups reminded me that networks are already distinct. I should have thanked him for the trigger at the time, and do so belatedly.
-
I was going to post a similar feature request.
I blocked surveillance cameras from accessing the internet. These constantly ping two cloud sites from the manufacturer and generate hundreds of thousands of hits per day. There are so many that it makes it hard to look at the rest.
My request is not to hide blocked items from a specific device but to hide the items themselves.
For example, if you were to block "google.com" and see 10,000 lines a day on the block flow, add "google.com" to a hide status so it is not visible from the main block flow but in a sub flow for hidden items only.