Exceptions to Block All?
The primary reason for buying the Blue+ was to protect my NAS servers from the cryptos and lockers attacking NASs lately. Normally, my NASs don't need access beyond the LAN, but, they do need to check everyday for updates to the Anti-virus signature database.
I set up 2 rules.
One that blocks all internet access in and out for the device.
A second that blocks inbound traffic (recommended by Firewall rule wizard) but allows outbound traffic to the domain of the anti-virus database provider.
Will this work or will I also have to allow the inbound traffic to get the downloads?
Will the specified allowed access create an exception to the block everything rule?
Thank you from the newbie.
-
@Michael Bierman (your response seems to be missing)
Thank you for the thoughtful and thorough guidance. Sorry it took a while to get a chance to circle back here.
Every smart device (computers, tablets, phones, TVs, media streamers) needs to reach the NASs because that's where all their files are kept. All of the smart devices can reach the NASs for file reads and writes without issue.
The IoT devices (cameras, doorbell, thermostat etc) only need internet access because their storage is in the cloud, not local. The router has a "separate" guest network which has a different SSID and only allows internet access, no access to local devices. All of the IoTs are on the guest network so that separation is being handled by the router.
Not sure of the rules precedence.
- Devices > Groups > Networks > All devices
This looks like order of specificity from most specific to most general. Correct?
These are the rules that I created for one of the NAS in order for the NAS to get antivirus database updates but block everything else. (I haven't tested these yet because the built-in firewall on the NAS is set to block everything and effectively keeps the device off the internet, but also blocks the AV updates. Once I'm sure that Firewalla will do what I need, I can disable the device's own firewall, which is really just an internet on/off switch.)
One rule would explicitly block ALL inbound and outbound traffic to the device. The other would allow the outbound traffic only to the AV database location. (the Allow conflict would take precedence over the block just for this one destination, correct?)
Rule 1:
Action: Allow
Matching: Antivirus URL
On: NAS Device ID
Direction: Outbound Only
Schedule: Always
Rule 2:
Action: Block
Matching: Traffic From & To Internet
On: NAS Device ID
Schedule: Always
-
Rule 2 can be just traffic to Internet, since by default you already have a rule blocking incoming traffic from the internet (unless you deleted it, which is strongly not recommended). Don't duplicate rules; that can lead to issues.
Not sure of the rules precedence.
-
Devices > Groups > Networks > All devices
When there are conflicting rules:
- Devices override Groups
- Groups override Networks
- Networks override All Devices
- at the same level, ALLOW overrides BLOCK when there are conflicts.
see https://help.firewalla.com/hc/en-us/articles/360008521833-Manage-Rules
How are you separating smart devices and IoT devices? If all devices are on the same network you can't block communication between them. For that you need something like Gold or Purple, and you can use VLANs to separate the traffic.
-
-
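A small model of the precedence described in the reply above (Devices > Groups > Networks > All devices, and ALLOW beating BLOCK at the same level), added here as an illustration and not Firewalla's own code. The NAS device id and the antivirus domain are constructed placeholders, and matching a rule to a flow by device, direction and destination domain is a simplifying assumption.

```python
# Added example: toy evaluator for the rule precedence described in the thread.
# Assumption: a rule matches a flow by scope (device/group/network/all), direction
# and destination; the most specific matching level wins, and at that level an
# ALLOW rule overrides a BLOCK rule.
from dataclasses import dataclass

# Precedence from the thread, most specific first.
LEVELS = {"device": 0, "group": 1, "network": 2, "all": 3}

@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "block"
    level: str             # "device", "group", "network" or "all"
    direction: str         # "inbound", "outbound" or "both"
    target: str = "internet"   # "internet" (any remote host) or one domain
    scope: str = "*"       # device id, group or network name; "*" for all devices

@dataclass(frozen=True)
class Flow:
    device: str
    direction: str         # "inbound" or "outbound"
    domain: str            # remote domain of the connection
    groups: tuple = ()
    network: str = "lan"

def matches(rule: Rule, flow: Flow) -> bool:
    if rule.direction not in ("both", flow.direction):
        return False
    if rule.target != "internet" and rule.target != flow.domain:
        return False
    if rule.level == "device":
        return rule.scope == flow.device
    if rule.level == "group":
        return rule.scope in flow.groups
    if rule.level == "network":
        return rule.scope == flow.network
    return True  # level "all" matches every device

def decide(rules, flow: Flow, default: str = "allow") -> str:
    hits = [r for r in rules if matches(r, flow)]
    if not hits:
        return default
    best = min(LEVELS[r.level] for r in hits)          # most specific level present
    same_level = [r for r in hits if LEVELS[r.level] == best]
    return "allow" if any(r.action == "allow" for r in same_level) else "block"

NAS = "nas-device-id"          # constructed placeholder for the NAS device ID
AV_DOMAIN = "av-updates.example"  # constructed placeholder for the AV vendor domain
RULES = [
    Rule("block", "all", "inbound"),                       # default inbound block
    Rule("allow", "device", "outbound", AV_DOMAIN, NAS),   # Rule 1 from the thread
    Rule("block", "device", "outbound", "internet", NAS),  # Rule 2, outbound only
]
```

Calling `decide(RULES, Flow(NAS, "outbound", AV_DOMAIN))` returns "allow" while any other outbound destination from the NAS returns "block", which is the exception-to-block-all behaviour the original question asks about.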
Thanks for the clarifications!
"How are you separating smart devices and IoT devices? If all devices are on the same network you can't block communication between them. For that you need something like Gold or Purple, and you can use VLANs to separate the traffic."
The router's guest network is a VLAN with access to network resources blocked. The guest network devices can only see the internet. I've tested this by running a smart device on the guest network, and it couldn't ping any devices on the primary network.