New Firewalla Owner - Looking for Best Way to Block All with a Whitelist
I just got a blue plus installed and so far I'm loving the insight into my home traffic. What I had been doing for my teenager is I've got her on a linux flavor laptop and use a firefox addon that allows me to block or allow access to sites. We still have her on a block all except those that we specifically add for her, so whitelist only. So far it's worked pretty flawlessly until just recently... Not sure how the addition of the firewalla could have messed it up, but the timing is perfect if somehow? The addon has been doing some strange stuff the last few days, reversing my rule. I'm wondering if I could somehow mimic what I've done on that browser extension, blocking everything except what's in the whitelist, with the firewalla with a rule/list? Any advice appreciated.
-
First, in theory, it is NOT possible to mimic browser extensions on the network. The reason is browser extensions have full visibility of all the data (remember the browser can decrypt https). Meaning, the browser knows if the user accesses A, and A includes B and C, to also allow B and C. Whereas on the network, it doesn't know that B, C ... are made from A.
-
Firewalla can block many, many things and has complex lists. It just does not have the visibility a browser has into unencrypted data (which is a blessing or a curse); without this, it is going to be very difficult for firewalla to understand how to allow all the sites triggered by a single web page.
-
I get that part about the lack of visibility into encrypted traffic. It can't do that without a trust/certificate on the browser, but I guess I'm kinda confused by some of the other features it can do. Turn off internet, block facebook or youtube. Seems to be you're saying it can't do stuff that is in its feature set already to some degree. It's kinda confusing.
-
Let me give you a better example:
* You applied a rule to block all internet on the device.
* You allow "netflix.com" so that the device can watch netflix.
With firewalla, this is exactly what you will get: the netflix.com domain and subdomains unblocked. But... if inside the netflix.com site it accesses, say, another_super_fast_cdn.com for it to work, then the "allow netflix.com" will not work (from the browser/app perspective), since firewalla does NOT know another_super_fast_cdn.com may be related to netflix.
Now, it is highly possible to manually implement this per site with something we call a target list (a pre-configured list). But this will require you to list out all the domains accessed by netflix.com. We've done this for a couple of non-profit organizations with special needs kids before; nothing more than watching the network flows and adding them to the target list.
https://help.firewalla.com/hc/en-us/articles/1500005941962-Firewalla-Feature-Target-List
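The following is an added illustration, not code from the thread or from Firewalla, of the two points above: a block-all rule plus an allow rule for `netflix.com` covers the domain and its subdomains but nothing else, and watching which destinations get blocked is what produces the target-list entries. The flow records and the domain names other than `netflix.com` and `another_super_fast_cdn.com` are constructed for the example.

```python
from collections import Counter

# Constructed sample flows (destination domains seen from one device during a
# single page load). This is not real Firewalla output.
SAMPLE_FLOWS = [
    "netflix.com",
    "www.netflix.com",
    "another_super_fast_cdn.com",   # dependency the allow rule knows nothing about
    "static.example-cdn.net",
    "notnetflix.com",               # must NOT be treated as a subdomain of netflix.com
]

def domain_allowed(domain: str, allowlist: set) -> bool:
    """True if the domain or one of its parent domains is on the allowlist.

    Matching is done on whole DNS labels: a plain endswith("netflix.com")
    check would also let 'notnetflix.com' through, which is wider than the
    rule 'allow netflix.com' is meant to be.
    """
    labels = domain.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in allowlist for i in range(len(labels)))

def evaluate(flows, allowlist):
    """Apply 'block all, then allow listed domains' to each flow.

    Returns (allowed, blocked) in the order the flows were seen.
    """
    allowed, blocked = [], []
    for dest in flows:
        (allowed if domain_allowed(dest, allowlist) else blocked).append(dest)
    return allowed, blocked

def target_list_candidates(blocked):
    """Count the blocked destinations so a person can decide which of them
    belong in the site's target list. Nothing is added automatically: the
    review step is deliberate, since the list is what widens the allow rule."""
    return Counter(blocked).most_common()

if __name__ == "__main__":
    allowed, blocked = evaluate(SAMPLE_FLOWS, {"netflix.com"})
    print("allowed:", allowed)
    print("blocked, candidates for the target list:", target_list_candidates(blocked))
```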
-
Yeah, I can see where that could be a problem. I have had to deal with that before with some other products I've used. I guess you might say the firewalla in this situation is better at blocking or denying access than allowing access, because there might be other domains nested? Is that about right?
-
On the network level, it is always hard to block all and allow some. This method does work well with simple IoT devices (except ring ... which goes everywhere...), if someone can dynamically keep a profile of things. But for complex devices like an iPhone or iPad, it will be much more work; meaning, I can get it to work, but a month from now, it may not work.