Allow traffic to amazonaws.com

Follow

ape

• April 24, 2022 08:55

Hi have a NAS that is backing up data to AWS.

Because there were security issues with the device in the past, I want to cut it off from internet except data backup and software updates.

So I set up a "Block Internet" rule for the device and want to allow the amazonaws.com domain.

But when I try to save such a rule, I get a message saying "Allow rules matching target amazonaws.com are not supported".

Why do you prohibit a "allow" rule for amazonaws.com

0

• 

  Support Team

  • April 25, 2022 02:21

  Looks like a bug. Are you using iOS or Android? And what's the app version?

  0

  Comment actions Permalink
• 

  ape

  • April 25, 2022 07:59

  iOS 1.49

  0

  Comment actions Permalink
• 

  Support Team

  • April 25, 2022 09:14

  Sorry, I forgot that amazonaws.com is a TLD domain (also known as public suffix), which means lots of domains could be hosted on amazonaws.com. This may cause performance degradation when allowing the whole TLD domain.

   

  May I know why you want to allow it?

   

  Reference:

  https://publicsuffix.org/list/

  0

  Comment actions Permalink
• 

  ape

  • April 25, 2022 09:38

  I want to allow backups to S3 storage.

  0

  Comment actions Permalink
• 

  ape

  • April 25, 2022 09:40

  btw s3.amazonaws.com is also not accepted.

  0

  Comment actions Permalink
• 

  Support Team

  • April 25, 2022 09:42

  s3.amazonaws.com is also an TLD... all s3 buckets are hosted on this domain.

  You may add the specific s3 domain to the allow list, it should work.

  0

  Comment actions Permalink
• 

  ape

  • April 25, 2022 10:11
  • Edited

  There are two domains accesses during backup time. One is region specific (I was able to set that one), but the other is just plain s3.amazonaws.com. So I have no way of creating a more specific rule.

  0

  Comment actions Permalink
• 

  Support Team

  • April 25, 2022 10:48

  Got it. It's a limitation of the app. The TLD domain itself is also a valid domain.

  As a workaround, I suggest:

  1. login https://my.firewalla.com with Firewalla app
  2. create a target list
  3. add the two domains to the list
  4. and in the app, create an allow rule on the target list.

   

  Here is the doc on target list: https://help.firewalla.com/hc/en-us/articles/1500005941962-Firewalla-Feature-Target-List

  0

  Comment actions Permalink
• 

  ape

  • April 25, 2022 12:14

  Good tip! I did set it up and will report tomorrow after the backup is supposed to have run.

  0

  Comment actions Permalink
• 

  ape

  • April 26, 2022 05:16

  The setting with the target list did not work - the traffic was still blocked.

  But while reading https://help.firewalla.com/hc/en-us/articles/360008521833-Manage-Rules#h_407c0ea9-6d3c-4e12-8b0c-80c900f65681, I found out that I can use asterisks in domain name. I tried that on the mobile app with no luck (input not accepted), but it worked on the web interface!

   

  

  0

  Comment actions Permalink
• 

  Support Team

  • April 26, 2022 12:04

  Thanks for the feedback. Will get the team to try it out and report back.

  0

  Comment actions Permalink
• 

  ape

  • April 26, 2022 19:55

  I tried again with a target list with the sole entry "*.amazonaws.com" and it worked this time.

  0

  Comment actions Permalink

Please sign in to leave a comment.