New Firewalla Owner - Looking for Best Way to Block All with a Whitelist

Comments (8)

  • Firewalla

    First, in theory, it is NOT possible to mimic browser extensions on the network. The reason is that browser extensions have full visibility of all the data (remember, the browser can decrypt HTTPS). Meaning, the browser knows that if the user accesses A, and A includes B and C, to also allow B and C. Whereas on the network, it doesn't know that B, C ... are made from A.

  • D

    So no? No can do? Seems like it should be able to....

    It can block access to all sites.....

    Seems like it should be able to do that as well as apply a rule that allows access to a few.

  • Firewalla

    Firewalla can block many, many things and has complex lists. It just does not have the visibility a browser has into unencrypted data (which is a blessing or a curse); without this, it is going to be very difficult for Firewalla to allow all the sites triggered by a single web page.

  • D

    I get that part about the lack of visibility into encrypted traffic. It can't do that without a trust/certificate on the browser, but I guess I'm kinda confused by some of the other features it can do. Turn off the internet, block Facebook or YouTube. Seems to me you're saying it can't do stuff that is already in its feature set to some degree. It's kinda confusing.

  • Firewalla

    Let me give you a better example:

    * You applied a rule to block all internet on the device.

    * You allow "netflix.com" so that the device can watch Netflix.

    With Firewalla, this is exactly what you will get: the netflix.com domain and subdomains unblocked. But... if inside the netflix.com site it accesses, say, another_super_fast_cdn.com for it to work, then the "allow netflix.com" will not work (from the browser/app perspective), since Firewalla does NOT know that another_super_fast_cdn.com may be related to Netflix.

    Now, it is highly possible to manually implement this per site with something we call a target list (a pre-configured list). But this will require you to list out all the domains accessed by netflix.com. We've done this for a couple of non-profit organizations with special-needs kids before; nothing more than watching the network flows and adding them to the target list.

    https://help.firewalla.com/hc/en-us/articles/1500005941962-Firewalla-Feature-Target-List

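    As an added illustration of the two points made above (a domain allow rule covers the domain and its subdomains, and any dependency the page pulls from another domain stays blocked until someone watches the flows and adds it to a target list) and of the later remark that such a list drifts over time, here is a small simulation. It is not Firewalla's code; the rule semantics and the flow records are assumptions constructed for the example.

```python
"""Simulate a block-all-then-allow-some policy over observed flows.

Added example, not Firewalla code. Assumed rule semantics (as described in
the thread): an allow rule for "netflix.com" matches netflix.com and every
subdomain; everything else is blocked. A target list is just a second set of
allow rules maintained by hand from the blocked flows.
"""

# Constructed sample: hostnames one device contacted while loading a video
# page. another_super_fast_cdn.com is the illustrative name used in the thread.
FLOWS = [
    ("www.netflix.com", 443),
    ("api-global.netflix.com", 443),
    ("another_super_fast_cdn.com", 443),
    ("assets.another_super_fast_cdn.com", 443),
    ("notnetflix.com", 443),       # must NOT match the netflix.com rule
    ("tracker.example", 443),
]


def domain_matches(rule: str, host: str) -> bool:
    """True if host equals the rule domain or is a subdomain of it.

    Comparison is case-insensitive and ignores a trailing dot, and the
    label boundary is enforced so 'notnetflix.com' does not match
    'netflix.com'.
    """
    rule = rule.lower().rstrip(".")
    host = host.lower().rstrip(".")
    return host == rule or host.endswith("." + rule)


def is_allowed(host: str, allow_rules, target_list=()) -> bool:
    """A host passes if any allow rule or target-list entry covers it."""
    return any(domain_matches(r, host) for r in (*allow_rules, *target_list))


def evaluate_flows(flows, allow_rules, target_list=()):
    """Split flows into (allowed_hosts, blocked_hosts), preserving order."""
    allowed, blocked = [], []
    for host, _port in flows:
        (allowed if is_allowed(host, allow_rules, target_list) else blocked).append(host)
    return allowed, blocked


def candidate_targets(blocked_hosts):
    """Distinct blocked hosts, in first-seen order: the review queue a person
    works through when deciding what to add to the target list."""
    seen = []
    for host in blocked_hosts:
        if host not in seen:
            seen.append(host)
    return seen


def drift(flows, allow_rules, target_list):
    """Hosts that are blocked today even with the current target list applied.
    A non-empty result is the 'a month from now it may not work' case."""
    _allowed, blocked = evaluate_flows(flows, allow_rules, target_list)
    return candidate_targets(blocked)


if __name__ == "__main__":
    allowed, blocked = evaluate_flows(FLOWS, ["netflix.com"])
    print("allowed by rule :", allowed)
    print("blocked         :", blocked)
    print("review queue    :", candidate_targets(blocked))
    target = ["another_super_fast_cdn.com"]   # what the reviewer decided to add
    print("still blocked   :", drift(FLOWS, ["netflix.com"], target))
```

    Running it shows the thread's point directly: the two netflix.com hosts pass, the CDN hosts land in the review queue, and after the CDN is added to the target list only the unrelated hosts remain blocked. The remaining-blocked check is what you would rerun periodically, because the set of dependencies a site pulls in changes without notice.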
  • D

    Yeah, I can see where that could be a problem. I have had to deal with that before with some other products I've used. I guess you might say the Firewalla in this situation is better at blocking or denying access than allowing access, because there might be other domains nested? Is that about right?

  • Firewalla

    On the network level, it is always hard to block all and allow some. This method does work well with simple IoT devices (except Ring ... which goes everywhere...), if someone can dynamically keep a profile of things. But for complex devices like an iPhone or iPad, it will be much more work, meaning I can get it to work, but a month from now it may not work.

  • D

    Definitely, I can see where that could be hard to manage but possible.

    On a side note, are there any plans for Firewalla to be able to inspect that encrypted traffic in the future? If the hardware even has enough power to do so?
