Domain not being blocked
I won't say that this is a bug, but rather it's an oddity that I can't explain. To summarise, it appears that for a device on my network a 'to the internet' block fails to block traffic to a given domain, but adding to that a specific block for the domain does block the traffic.
So, I have an FWP and many devices, one of which is the home NAS. I'm quite neurotic about the NAS and so I've set rules for the device such that there's a total 'from and to the internet' block, and then I allow outgoing traffic for the domains that I know the NAS needs to work, e.g. 'synology.com', 'plex.tv' etc. Occasionally I see traffic being allowed that doesn't match any of the allowed domain rules, and so the first query is: how can that happen? One such allowed flow was for the local newspaper website, which my wife on her phone may well have visited but I can't imagine the NAS ever doing.
The other issue is one that I'm now seeing every few days, which is when the NAS calls out to 'quickconnect.to'. I find this troubling because QuickConnect is disabled, but why would that flow not have been blocked, given that the domain looks nothing like any of the allowed domains? If I set an explicit block for 'quickconnect.to' (to complement the to/from-internet block) then the flow is blocked, so why would a specific block catch the flow but the general block not catch it?
Thanks!
-
Tap on the flow that's not blocked, and check the byte counter (how many bytes sent and received). If it is just a small number, or either direction is 0, it is highly likely just a display UI issue, and the actual flow is likely blocked. If not, let me know; we can open a case and see the inside.
Also, make sure you don't have global allows; those will override a lot of things. See https://help.firewalla.com/hc/en-us/articles/360008521833-Manage-Rules
-
Ah, now this smells strongly like a bug.
So the NAS is generally a very 'quiet' device, and so if I look at the traffic flows I can see endless NTP calls interspersed with sporadic bursts of activity when the NAS hunts for package updates etc., and this makes it pretty easy to spot anything unusual. Today I spotted a supposedly allowed flow to 'www.eonnext.com'. Now eonNext is our energy provider (UK) and there's no earthly reason why the NAS would be reaching out to that domain; however, my wife was visiting that domain on her laptop at around that time, and so it smells very much like the FWP has mis-attributed the flow to the NAS. Curiously though, it's likely that my wife was visiting the domain 1-2 hours before the FWP attributed the flow to the NAS, and so maybe there's a caching issue.
This isn't the first time that I've seen such an oddity in the NAS flows. Last week I saw an allowed flow out to the domain of our local county newspaper, which the NAS would never need to do but my wife visits the domain frequently. A few days ago I spotted an allowed flow to www.stripe.com, but there's no payment system on the NAS.
In all those cases I would previously have questioned why the NAS's rules didn't block the flow, but now it seems clear that the flows were not actually from the NAS at all. Is this a known issue?