Comments

23 comments

  • Firewalla

    This is possible for MSP for sure. The limit was put there to stop people from breaking their systems. Since MSPs are a lot more careful with these things, we can probably change that limit. 2000? Or maybe dynamically imported from git?

    1
  • Chris Hewitt

    I think dynamically through GitHub is better. My GitHub threat list is about 6,000.

    See this as a practical example.
    https://raw.githubusercontent.com/C0ntr07/Pi-Hole/main/Iranian_Russian_Ukrainian_IPs.txt

    3
  • Michael Bierman

    Agree with Chris. GitHub would be awesome, and comments should be supported.

    1
  • TR

    Also, can we band together and community-support an MSP target list on Git that focuses on the exact thing OP is targeting? All the internet background scanning etc.

    0
  • Chris Hewitt

    Sure. We should also, as my list does, cite source references.

    I would also be glad to add any valid malicious URL or IP addresses reported by LE, government, or cybersecurity companies.

    2
  • Firewalla

    Let me ask our devs and see if they want to manage a Firewalla list and automatically suck lists from it. This would likely make automated target lists much easier. MSPs can pull request from it, and updates can be community driven.

    2
  • Chris Hewitt

    Or maybe there can be a crowdsourced list with user entries. To discourage spam or invalid submissions each line should have the username of the contributor as a comment.

    0
  • Firewalla

    Curious if you want these lists to be public, or specific to your own MSP instances?

    0
  • Chris Hewitt

    My view is that we all need to look out for each other and share our knowledge with those who don’t have access to the security sources some of us have.

    We have to help protect others from ransomware, zombie networks, data theft, banking fraud … imagine if Firewalla can impede the operation of the Russian Password Stealer!

    0
  • Auriga Legato

    This is what I was looking for lol. I just shared a brief list yesterday.

    0
  • Chris Hewitt

    Where did you share your list?

    1
  • Auriga Legato

    https://www.reddit.com/r/firewalla/comments/v29dk6/my_additional_ads_target_list/

    Not like the Reddit name is secret.

    0
  • Gyztor Mizirath

    You could also try doing what Pi-Hole does and pull the list to a local database, along with auto-updating that list, so we could also use Pi-Hole lists in Firewalla and not need to run more DNS servers than needed (as I use Windows Server already).

    0
  • iotguy

    Huge +1. Any updates on this? I've a list with 8000+ entries, but the target list allows adding only 200 entries at most. Any workarounds for this?

    0
  • iotguy

    I'm using https://github.com/gorhill/uBlock. It imports several other lists. As a quick workaround, it would be cool if you could include the missing entries from this in the Firewalla native ad block list, or increase the 200 target list entry limit to at least 6000-10000 entries.

    0
  • JeeHaa

    Any update? I am blocking VPN providers by ASN prefixes, and even with multiple 2000-entry target lists in MSP it is a bit annoying.

    1
  • Alysson Silva

    Any updates on this?

    1
  • CyberBlade

    I would like to see a greater quota allowance for target lists too. I'm hitting that today, and it's infuriating to see that not only are the individual (non-MSP) limitations there as they are, the same 20-list limitation also applies to MSPs as well.

    Granted, I am using the 6 month special for MSP discount due to the exchange rate, but why is there a 20-list restriction even on MSP? There is a LOT of stuff out there for a SysOp to block...

    1
  • Peter

    If you have MSP then you have 2000 entries.

    0
  • CyberBlade

    I am aware of the increase in numbers; the complaint is the same 20-list restriction on MSP as well.

    0
  • Firewalla

    May I know how you are using the lists? Are you creating your own or cutting/pasting from another list?

    0
  • CyberBlade

    Firstly, a giant thank you for raising the MSP list restrictions from 20 to 100. Just wonderful!

    You are awesome, keep up the great work!

    I have streamlined my approval and block lists to pigeonhole things as much as possible, which has worked wonders for everyone involved.

    Now the current setup:

    I am using them in an (exotic) way because there are things that I want talking to only one website or domain. E.g. you have your IoT devices blocked from the web; this is VLAN wide. However, the Firewalla presents the advantage of the allow list being a priority over the block list, so the internet is blocked, but the IoT devices can be approved to talk to headquarters for their cloud features (Amazon, Google, Facebook, etc.), all that privacy-invading stuff. (This serves as a method so that it can operate with firmware updates and the like that aren't supported by Home Assistant, and if a device is compromised, it limits the exfil of data to a degree, or being a botnet.) This is akin to your Device Active Protect before you made it a thing, where it pigeonholes things for safety; however, many devices in my network the DAP is not compatible with (I don't understand why), and it is a setup I previously had with OpenWRT.

    The other setup for all my lists is just simply a variety of things among the group of users set up in the house (you would call them kid controls, I call them parental controls because parents are stupider than their offspring when it comes to online safety), which requires their own lists to manage blocks and approvals (again, pigeonhole). And while the Firewalla does a great job of using domains to categorise websites, it can at times be inaccurate (due to reporting), or there are the false positives that get into some blocklists (cat and mouse as always). They are community driven, so it happens.

    One would argue (and I have had this with the AdGuard Home devs) that I run too many or too large blocklists at a time; however, I want to keep things private and within the home while having some semblance of functionality. A gimped device is still useful in a home rather than a useless paperweight due to the 'ET cannot phone home' issue. (And you have the above exfil data problem, so privacy is thrown out the window... I argue, why can't I have a compromise on that? Some devs need the analytics for their opt-in open source software to better it.) So the lists balloon out, both in size and, broadly, in how many you require.

    Who has time for all that?

    Parental controls, to save parents from themselves, and I have done this aggressively for years to the point it's a little financially lucrative to firewall the elderly in from bad domains or poor 'default' setups that are too open for convenience.

    From there, due to the cat and mouse of everything, and while groups are handy, there is the flaw of a user with many ecosystems of devices (let's just say Apple, Google and Microsoft) and how you want to block things at the firewall level (because of your limited bandwidth in Australia and every other third world country: devices don't always need to phone home 24/7, or god forbid "THE INTERNET IS DOWN" because the person at the other end of the house is yelling at me the moment it does, before an onslaught of push notifications tell you that 'we've lost connectivity with XY IoT device' etc.)... Hell, the fact so many devices ping time servers every 5 minutes due to poor coding is EATING at the bandwidth you have left, where going too high or too fast on the connection makes it drop (yes, this is a genuine thing here in Australia; things can be so unstable your SPEEDS break the net).

    Precious Bandwidth and NTP/NTS Servers

    So I copy a blocklist of all the time servers:

    And while the Firewalla has an NTP 'capture' function, it is still rather flawed I have found (as have others). One was a poster who manually SSH'd into his unit and set firewall rules to capture the traffic and force it to local (more aggressive than the intercept default method), and the others on here

    e.g. https://help.firewalla.com/hc/en-us/community/posts/47368051937555-Reconfiguring-NTP-Intercept-to-work-with-the-NTS-standard

    who are seeing the NTS take-up, and the NTP intercept is no longer fully functioning across the network (which again is cat and mouse). Also, how companies are using NTP to exfil data out of your network (time is handy for location and tracking); this is simply a growing concern as users (as they always have) fight for their privacy (and I know that's either hypocritical or ironic given the devices we use daily, but there are limited alternatives for old people, due to products or the user base not being mature enough).

    So, that adds to the ever-growing lists in use and the firewall having more demand put on it (which is fine, the expanded RAM helps, but it is annoying when restoring because you broke something...). That happens.

    Split Horizon/VPN and Smart Queue

    From there, you then have the split horizon setup. This is helpful, handy, and serves two purposes: where you want to have the router designate the connections to whatever server (streaming service) to another country (via VPN) to consume the content, and if anyone asks you went to Europe for a weekend. This also allows the smart queue function (loved that it was beta for so long and then stable for the guy's birthday, legends!) to prioritise the traffic to those places, because the Firewalla's automatic 'Video Streaming Sites' list is not noticing the traffic correctly or at all (you can manually add your domains, but they seem to fall off the list every now and then; that was not a functional setup for me). So, you are routing things all over the place among the split horizon and at optimal prioritisation and limits. So, those functions are crucial to me and my operation. (I was most sad you said it would stay in beta because it seemed no one used it (remember my comment about devs needing analytics before?), and yet once you made people aware of it, BOOM, stable tree! :D

    (There comes a point where something is so feature rich that a newbie has NFI what to do or how to do it, or even that it can, so your emails are great for that, keep them coming, but don't forget to remind people of these old features in passing!)

    Great work on the Disturb functions (supporting target lists now too), so thank you. Time Limit I am sure will make its way to supported soon enough.

    Now, we come to the fun part. After all that, it was easy to hit the 20 file limitation (it is simple text, storage should not be a problem), and with the size of them... 2000, that is then a memory limitation, as more routes and connections can consume your RAM like no tomorrow. (Those old Motorola cable modems were fun, as I would crash mine every 2 days due to the sheer number of connections at any one time (hundreds of thousands), and they required a fan to keep the damn chips cooler.)

    Other Target Lists:

    While it can (and has) been moved to the 'main approval' list of mine, things like torrent trackers fall under the 'tracker' slogan, so the Firewalla blocks them. This became quite frustrating and put me at the 2000 number limit for lists here and there, so I had to split them up, and that was fine.

    Devices and Tracking:

    Again, there is that privacy concern, so device blocklists or blocklists from brands of devices are kind of crucial, and as mentioned above, users who have many different brand devices (the home has its own share when dumb stuff like fridges wants internet), and equally, one thing many don't think about are guests and either their privacy requirements or exposing that of your own via them as a proxy (which we know from pairing up WiFi access).

    So, the brands listing from Hagezi very much assists with that, but it does push the envelope on the 2000 item restriction; some lists need to be split 5 or 6 times.

    Now, that will not suit everyone. Hell, a complete noobie can block such things and then you have all the support calls dealing with it because they basically blocked their own device; however, this should not be an MSP issue, as that's targeted at the prosumer/tech guru/tech YouTubers that aren't Linus Tech Tips.

    So, while the item limit raise seems a bit of an ask at this point, I humbly ask that if possible, the entire Hagezi fleet of blocklists be added to the MSP, again opt in, and pointing out devices and such will break, but I would rather it be a possibility than default on, because people can be idiots when it comes to networking.

    Finally, the Open Ports, Internal Exposure:

    Letting things IN the firewall to your network due to hosted services.

    - don't expose it to the web, just don't

    A common comment from people, and I get it, newbs shouldn't have their stuff exposed. (Shout out to the Open Port Scanning feature, I have some feedback on that too.)

    Sometimes some devices do not have or support a VPN,

    sometimes you need things to be behind a domain, but custom DNS servers for devices are a challenge due to their hardcoded DNS (looking at you, Home Assistant!), and while domains fall under the purview of certificates and their respective authorities that release them, there are some countries on earth that do not allow VPNs and block them (which we have Amnezia in beta for, so thank you). So having something globally accessible to ASN ranges of ISPs limits that threat matrix and intrusion; sure, it's still exposed because any connection could be a hacker, but it's pigeonholed from what would be global access to just a few thousand people (so, again, another access list taken up there). This also can coincide with the split horizon above, and I appreciate the fact I can dedicate a device to a VPN if needed to route everything that way. Phenomenally easier with Firewalla, so again, thank you.

    So, how am I using the lists? About every damn feature you put on this box, and I LOVE IT.

    So, a big thank you for reaching out and listening, and so quickly raising it after my comment. *chef's kiss!*

    But there are some ceilings to it, and I have to go up to a Business plan on the MSP to compensate.

    Moving from the Professional BF2025 deal atm of 6 months free to the Business plan raises it to $450 a year just for one box on my own; however, it would free up seats for other homes in the family to manage them and lift them off OpenWRT and the horrendous UI. (Ironic people ask Firewalla for a website function on these boxes.) And while you could maybe run two logins across two separate boxes and then copy-paste everything (maybe even script it to sync them via the MSP API if adventurous enough), which would be cheaper that way, I still value the product and understand you need food on the table. So I see people's complaints asking for a 'prosumer/tech enthusiast' seat of two admins (be it two friends, or Mum and Dad), and manage the networks that way. Not to eat profits or savings; even just double the basic MSP price and get two seats, I'd be down. The above juggling and setup justifies it, and while the USD is painful to anyone outside the USA, it's the consumer's choice if they want to pay for the convenience.

    So, paying for peace of mind, worth every penny.

    (Open port feedback: it's great it says no open ports, but enhance the detail to say 'no open ports other than the ones you have open already', to that effect, so I know if something is accidentally open.)

    So, keep it up. I hope to have answered your question :D Be well.

    1
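One way to get a GitHub-hosted list of the kind discussed in this thread into Firewalla-sized pieces, as an added example that is not Firewalla's code or any list maintainer's: it strips comments and hosts-file prefixes, validates each entry as a domain, address or CIDR, de-duplicates, and splits the result into chunks of 2000 (the MSP per-list figure quoted above). The accepted entry syntax and the `SAMPLE` list are assumptions made here, not taken from the product.

```python
import ipaddress
import re

# Per-list entry ceiling for MSP target lists, as quoted in this thread.
MSP_LIST_LIMIT = 2000

# Loose hostname check: dot-separated labels of letters, digits and hyphens.
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$")

# Constructed sample mixing the styles seen on GitHub-hosted lists (not a real list).
SAMPLE = ("# header comment\n0.0.0.0 Tracker.Example.com\ntracker.example.com  # dup\n"
          "203.0.113.7\n198.51.100.9/24\nnot a valid entry\nads.example.net.\n1.2.3\n")


def normalise_line(line):
    """Reduce one raw blocklist line to a domain, IP or CIDR string, or None."""
    entry = line.split("#", 1)[0].strip()  # drop full-line and inline comments
    if not entry:
        return None
    parts = entry.split()
    # Hosts-file style ("0.0.0.0 ads.example.com"): keep only the hostname.
    if len(parts) == 2 and parts[0] in ("0.0.0.0", "127.0.0.1"):
        entry = parts[1]
    elif len(parts) != 1:
        return None
    entry = entry.lower().rstrip(".")
    try:  # plain address or CIDR; strict=False zeroes host bits (10.0.0.1/8 -> 10.0.0.0/8)
        net = ipaddress.ip_network(entry, strict=False)
        return str(net) if "/" in entry else entry
    except ValueError:
        pass
    if not DOMAIN_RE.match(entry) or entry.rsplit(".", 1)[-1].isdigit():
        return None  # junk, or a malformed dotted number such as "1.2.3"
    return entry


def parse_target_list(text):
    """Normalise, validate and de-duplicate a whole list, preserving order."""
    seen, entries = set(), []
    for line in text.splitlines():
        entry = normalise_line(line)
        if entry and entry not in seen:
            seen.add(entry)
            entries.append(entry)
    return entries


def split_for_msp(entries, limit=MSP_LIST_LIMIT):
    """Chunk a list so each piece fits one MSP target list (4500 -> 2000/2000/500)."""
    return [entries[i:i + limit] for i in range(0, len(entries), limit)]
```

Each chunk returned by `split_for_msp` is one target list's worth of entries; write them out with a comment naming the upstream source and fetch date so the split lists can be refreshed together.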
  • DanM

    @CyberBlade and others in the thread: thank you, very interesting. I wish I had a small amount of your knowledge in this area.
    @Firewalla team, incorporation into your lists would help me and others with my lack of knowledge to utilize the various levels of protection. I have walked away from using AdGuard Home to using the strictest FW rule sets. I realize it's not as comprehensive as my abilities with AGH, but it's easier to manage, with occasional use of not monitoring a device or troubleshooting what is blocking my path forward and creating an allow rule. This is a great thread, thank you.

    0