Canary Firewall lets you drop connection attempts to your device based on the rules you specify.
This works like ignore-listing, but the rules sit on the device instead of on the console, so your bird can drop the traffic before it is sent to the console. This may be useful if your bird is getting spammed from a specific IP or on a specific port.
NB: You can force your bird offline if you push rules that block communication with the console (e.g., dropping traffic from your DNS server).
Step 1: Understand the dangers
There are inherent dangers with adding rules to your device's firewall. If you add a rule that blocks traffic to your DNS server (for example), then your device won't be able to communicate with the console. This will push the bird offline and will require manually reconfiguring the bird to bring it back.
Step 2: Contact support to enable Canary Firewall
If you understand the dangers and still want to proceed, you can send a support request to support@canary.tools asking for the feature to be enabled.
Step 3: Navigate to device configuration
To reach the Canary Firewall settings, you will need to navigate to the remote settings for your device.
This can be done by logging into your console, clicking on the Canary’s panel, clicking on “Device Setup”, then clicking “Configure Canary”.
Step 4: Enable Canary Firewall
Once on the configuration page, scroll down to Canary Firewall and enable it.
Step 5: Add rules
You can add multiple rules depending on your needs. The '+' and '-' buttons will let you add or remove rules.
A rule needs to be a combination of an IP address and/or port.
Leaving one of them blank means 'ALL/*' for that field.
Let's run through some examples:
If you want to drop all traffic from an IP (say 192.168.1.200), add the IP to the 'Source IP' field and leave the 'Port' field empty.
If you want to drop all traffic to a specific port (say 123) on the Canary, add the port to the 'Port' field and leave the 'Source IP' field empty.
If you want to block traffic from a specific IP (say 192.168.1.201) on a specific port (say 1234), specify both fields.
Step 6: Deploy and test your changes
Once you've added the required rules, deploy your changes and make sure the bird comes back online. If possible, test that the firewall rules are working correctly.
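A check you can run on your planned rules before deploying them in Step 6, written in Python as an added example (it is not part of the Canary console or any Thinkst tooling). It assumes each rule is a single source IP and/or a port as described in Step 5, and that you supply the addresses the bird must keep hearing from; the DNS server address 192.168.1.53 and the function names are hypothetical.

```python
import ipaddress

def parse_rule(source_ip, port):
    """Validate one rule as entered in the 'Source IP' and 'Port' fields.
    A blank field means ALL/*; at least one field must be filled in."""
    source_ip, port = source_ip.strip(), str(port).strip()
    if not source_ip and not port:
        raise ValueError("rule needs a source IP and/or a port")
    ip = ipaddress.ip_address(source_ip) if source_ip else None
    if port and not (port.isdigit() and 1 <= int(port) <= 65535):
        raise ValueError(f"invalid port: {port!r}")
    return ip, int(port) if port else None

def check_rules(rules, critical_ips):
    """Return (rule, verdict) pairs. critical_ips: addresses the bird must
    keep hearing from, such as its DNS servers (assumed known to you)."""
    critical = {ipaddress.ip_address(a) for a in critical_ips}
    findings = []
    for rule in rules:
        try:
            ip, port = parse_rule(*rule)
        except ValueError as exc:
            findings.append((rule, f"INVALID: {exc}"))
            continue
        if ip in critical and port is None:
            verdict = "BLOCKS: drops all traffic from a critical host"
        elif ip in critical:
            verdict = f"REVIEW: drops traffic from a critical host to port {port}"
        else:
            verdict = "OK"
        findings.append((rule, verdict))
    return findings

# Constructed sample: the three rules from Step 5 plus two mistakes.
SAMPLE_RULES = [
    ("192.168.1.200", ""),      # all traffic from one IP
    ("", "123"),                # all traffic to one port
    ("192.168.1.201", "1234"),  # one IP on one port
    ("192.168.1.53", ""),       # would cut off the (assumed) DNS server
    ("", ""),                   # neither field filled in
]
DNS_SERVERS = ["192.168.1.53"]  # assumed address, replace with your own

if __name__ == "__main__":
    for rule, verdict in check_rules(SAMPLE_RULES, DNS_SERVERS):
        print(rule, "->", verdict)
```

Any rule reported as BLOCKS matches the situation described in Step 1 and should be removed or narrowed before you deploy.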