Are rules really hierarchical?
I'm trying to figure out how to give the teachers/staff on my network unrestricted access to YouTube, but block the same request by everyone else. Here are the steps I took:
1. Created a group containing all 21 teacher and staff computers (i.e., Teachers&Staff).
2. Created a rule allowing Teachers&Staff access to All Video Sites. So far, so good.
3. Finally, I created a rule blocking Youtube.com from either "All Firewalla's Devices" (which I interpret as "Global") or "LAN".
This last step messes up full access to YouTube. I've also created a rule to block access to "All Video Sites" instead, but no luck.
The User Manual states that Firewalla's rules are hierarchical (i.e., Family Protect/Safe Search is the highest priority, rules for devices are #2, rules for groups are #3, rules for networks are #4 and rules for "global" are #5). That, and if two rules are at the same target level, then "allow" has higher priority than "block".
My example, however, seems to fly in the face of this advice. What am I doing wrong?
Thanks.
Bill
-
What I mean by messing up full access is: 1) I can get to the YouTube home page, see the listing of all the YouTube videos I should be able to see, but the video images (i.e., thumbnails) are missing and I can't play them, or 2) I get to the YouTube home page, but the system thinks I'm no longer connected to the internet, so I see no listing of text or videos.
-
Not all allows are the same. Meaning, if you block all internet and allow one site, it may or may not work all the time. The reason is, what's under that site may change and access many other things. (This is especially true of Google.)
So the best policy is to focus on blocking based.
1. Create a group for all the students (for example) and then block video (or just youtube)
2. Use new device quarantine feature and block video on the quarantine group
That should make everything work.
-
Thanks. I went ahead and created six groups to represent the devices used by our students, one group to represent the devices used by our teachers & staff, and one group to represent the devices that are part of our infrastructure. I then went through and first created LAN-wide rules to block objectionable sites. Lastly, I created rules for each set of sites or application that I wanted to block group-by-group. It seems to be working (fingers crossed).
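
The thread's two layouts, as an added example that is not part of the original posts and is not Firewalla's code: a simplified model of the priority order quoted from the User Manual, applied to the reply's "block all internet and allow one site" case and to its block-based alternative. The `Students` group, the device name `pc-01` and the dependency host are constructed; exact-or-suffix domain matching and default-allow when no rule matches are assumptions.

```python
# Added illustration: a simplified model, not Firewalla's implementation.
from dataclasses import dataclass

# Lower number = higher priority, following the order quoted from the User Manual.
# (Family Protect/Safe Search, priority #1, is left out of this model.)
LEVEL = {"device": 2, "group": 3, "network": 4, "global": 5}

@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "block"
    level: str    # key of LEVEL
    scope: str    # device name, group name, network name, or "*" for global
    target: str   # domain suffix, or "*" for all internet

def matches(target, host):
    # Assumption: a rule on a domain covers that domain and its subdomains only.
    return target == "*" or host == target or host.endswith("." + target)

def decide(rules, host, device, group, network="LAN"):
    """Return the winning action for host, or "allow" if no rule matches."""
    scopes = {"device": device, "group": group, "network": network, "global": "*"}
    hits = [r for r in rules if r.scope == scopes[r.level] and matches(r.target, host)]
    if not hits:
        return "allow"
    # Highest-priority level first; at the same level "allow" beats "block".
    hits.sort(key=lambda r: (LEVEL[r.level], r.action != "allow"))
    return hits[0].action

# Constructed host standing in for thumbnails/video served from another domain.
DEP = "media.video-cdn.example"

# Allow-based layout: block everything globally, allow one site for a group.
ALLOW_BASED = [
    Rule("block", "global", "*", "*"),
    Rule("allow", "group", "Teachers&Staff", "youtube.com"),
]
# Block-based layout from the reply: block only on the students' group.
BLOCK_BASED = [Rule("block", "group", "Students", "youtube.com")]

def page_status(rules, group):
    return {h: decide(rules, h, "pc-01", group) for h in ("www.youtube.com", DEP)}

if __name__ == "__main__":
    print(page_status(ALLOW_BASED, "Teachers&Staff"))  # site allowed, dependency blocked
    print(page_status(BLOCK_BASED, "Teachers&Staff"))  # both allowed
    print(page_status(BLOCK_BASED, "Students"))        # site blocked
```

In the allow-based layout the group rule wins for `youtube.com` exactly as the hierarchy says, yet the page still breaks because the dependency host only matches the global block; the block-based layout has no such gap for staff devices.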