Firewalla rules - ports

    Jan Baniewicz

    The second link moved me to this topic.
    The first one does not resolve the issue about two rules (a global one and a device one) which are against each other.

    OK, I figured out why it is working on one and doesn't on the second.

    It is working in one situation: there is emergency access on devices which have the port opened.

    So... how can I configure global rules not to accept any inbound flow from the internet to the local network except for some particular opened ports?

    What if I turn off the global rule not to accept inbound flow? Will it automatically allow "attackers" to test ports/the local area on my network or try to access any ports that are not opened?

    Michael Bierman

    Port forwarding doesn't necessarily mean that there isn't a rule blocking the connection. For example, you could forward port 8080 but have a block on traffic from the region you are in. Check that the Allow on Firewall is on or that you allow traffic to the device from the internet. If you do this, it will automatically create a rule but the rule might not be set the way you like. For example, I have an open port which only a specific range of IP addresses can access. If you need a special rule, leave this unchecked and go make a rule like I describe next. 

    As you say, there is a default rule to block all incoming traffic even if you didn't set it up. 

    So keeping in mind that the precedence is Device > Group > Network > All Devices... you need to allow traffic on the port in question to go to the device in question. This rule should be on the Device, Group, or Network. It would not make sense for this rule to be on All Devices because you only want to allow this traffic to one device.

    Jan Baniewicz

    OK, I understand that. Still, if I would like to open just one port on one device, I create it under this device's rules, i.e. port 8080 for access from the internet. But still, if I have a global network rule made by default to block all incoming traffic from the internet, this device is not accessible from outside. So is there any option to prioritize that device rules are superior to global rules if they have the opposite action:
    Network rule - no internet access to any device
    Device rules - Access from internet just by one port

    Is it possible to block the rest of the incoming internet traffic flow except for one device port rule?

    Michael Bierman

    Device rules are always higher importance than anything else if there is a conflict. Second, ALLOW takes precedence over BLOCK at the same level in the hierarchy.

    There is (or should be) an All Devices rule to block ingress (WAN > LAN) traffic. You don't need one on the network. Having duplicates can cause issues. Check to see if you have a duplicate block rule. 

    Jan Baniewicz

    What you wrote seems very logical.
    Current setting:
    All devices rules:
    Block - Traffic from internet All devices

    Device rule ("J"):
    Traffic from internet J UDP Port 30000-39999, Inbound only, always

    Traffic from internet J TCP Port 30000-39999, Inbound only, always

    When I turn off emergency mode and turn on monitoring, those ports are blocked.

    When monitoring is off and emergency is on, they are opened.

    No other rules than this, and the Active Protect Rules Default Bundle isn't turned on.
    So what's the issue?

    How would UPnP work in this situation?

    NO. That's false info. I will not erase it until further tests. Some ports appear to be closed by the device and some are opened as they should be. Will write back after the next tests...

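The precedence Michael describes (Device > Group > Network > All Devices, with ALLOW beating BLOCK at the same level) applied to Jan's ruleset above, as an added example that is not part of the thread and not Firewalla's own code. It models the stated precedence in Python; the membership map (MEMBERSHIP, the second device "K") and the ruleset are constructed from the thread, and catchall_block_scopes flags the duplicate catch-all block rules Michael's earlier reply warns about.

```python
from dataclasses import dataclass
# Precedence as the thread describes it (an assumed model, not Firewalla's own code):
# Device > Group > Network > All Devices, and at the same level ALLOW beats BLOCK.
SCOPE_RANK = {"device": 0, "group": 1, "network": 2, "all": 3}
ACTION_RANK = {"allow": 0, "block": 1}
# Constructed membership map: the group and network each local device belongs to.
MEMBERSHIP = {"J": {"group": "servers", "network": "lan"}, "K": {"group": "iot", "network": "lan"}}

@dataclass(frozen=True)
class Rule:
    scope: str               # "device", "group", "network" or "all"
    action: str              # "allow" or "block"
    target: str = ""         # device/group/network name; unused for "all"
    proto: str = ""          # "tcp", "udp" or "" for any protocol
    ports: tuple = ()        # inclusive (low, high) destination port range; () for any port

@dataclass(frozen=True)
class Flow:
    device: str              # local device the internet traffic is headed to
    proto: str
    dport: int

def matches(rule: Rule, flow: Flow) -> bool:
    """True if this inbound-from-internet flow falls under the rule."""
    if rule.scope == "device" and rule.target != flow.device:
        return False
    if rule.scope in ("group", "network") and MEMBERSHIP.get(flow.device, {}).get(rule.scope) != rule.target:
        return False
    if rule.proto and rule.proto != flow.proto:
        return False
    return not rule.ports or rule.ports[0] <= flow.dport <= rule.ports[1]

def decide(rules: list, flow: Flow, default: str = "block") -> tuple:
    """Return (action, winning rule): narrowest scope wins, then ALLOW over BLOCK."""
    hits = [r for r in rules if matches(r, flow)]
    if not hits:
        return default, None
    best = min(hits, key=lambda r: (SCOPE_RANK[r.scope], ACTION_RANK[r.action]))
    return best.action, best

def catchall_block_scopes(rules: list) -> list:
    """Scopes carrying an unrestricted inbound block; more than one is the duplication warned about."""
    return sorted(r.scope for r in rules if r.action == "block" and not r.proto and not r.ports)

# Constructed ruleset mirroring the thread: All Devices block, device "J" allowed on 30000-39999 UDP and TCP.
RULES = [
    Rule("all", "block"),
    Rule("device", "allow", target="J", proto="udp", ports=(30000, 39999)),
    Rule("device", "allow", target="J", proto="tcp", ports=(30000, 39999)),
]
```

Under this model UDP 31000 to "J" is allowed because the device-level ALLOW outranks the All Devices BLOCK, while the same port to "K" and any port outside the range on "J" fall through to the block.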
    Michael Bierman

    Those are a lot of ports to leave open. Do you really need to do that? 
