Canary Firewall lets you drop connection attempts to your device based on the rules you specify.
This works like ignore-listing, but the rules sit on the device instead of on the Console, meaning that your bird can drop all traffic before sending it to the Console (this may be useful if your bird is getting spammed from a specific IP or on a specific Port).
You can force your bird offline if you push rules that block communication with the Console (e.g., dropping traffic from your DNS server).
Step 1: Understand the dangers
There are inherent dangers in adding rules to your device's firewall. If you add a rule that blocks traffic to your DNS server (for example), then your device won't be able to communicate with the Console. This will push the bird offline and will require manually reconfiguring the bird to bring it back.
Step 2: Contact support to enable Canary Firewall
If you understand the dangers and still want to proceed, you can send a request to support asking for the feature to be enabled.
Step 3: Navigate to device configuration
To set up Canary Firewall, you will need to navigate to the remote settings for your device.
This can be done by:
- Logging into your Console
- Clicking on the Canary you want to set up a firewall for.
- Clicking Configure Canary to open device configurations.
Step 4: Enable Canary Firewall
Once on the configuration page, scroll to Canary Firewall and enable it.
Step 5: Add rules
You can add multiple rules depending on your needs.
Let's run through some examples:
1. If you want to drop all traffic from an IP (e.g., 192.168.1.200), then you would add the IP to the Source IP field and leave the Port empty.
2. If you want to drop all traffic to a specific port (e.g., 123) on the Canary, you would add the port to the Port field and leave the Source IP empty.
3. If you want to block traffic from a specific IP (e.g., 192.168.1.201) on a specific port (e.g., 1234), you would specify both fields.
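The sketch below is an added example, not the product's own code. It models the three rules above to show which connection attempts they drop, and checks a rule set for the lockout danger from Step 1 before you deploy. It assumes an empty field matches anything, as the examples imply. The names `Rule`, `is_dropped` and `lockout_risks` are hypothetical, and the DNS server address is a constructed value.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    source_ip: Optional[str] = None  # None = Source IP field left empty (any source)
    port: Optional[int] = None       # None = Port field left empty (any port)


def is_dropped(rules, src_ip, dst_port):
    """Return True if any rule matches an inbound connection attempt."""
    src = ipaddress.ip_address(src_ip)
    for rule in rules:
        ip_match = rule.source_ip is None or ipaddress.ip_address(rule.source_ip) == src
        port_match = rule.port is None or rule.port == dst_port
        if ip_match and port_match:
            return True
    return False


def lockout_risks(rules, protected_ips):
    """Return rules that could cut the device off from hosts it depends on.

    A rule is flagged if its Source IP is a protected address (for example
    the DNS server) or if both fields are empty, which would match everything.
    """
    protected = {ipaddress.ip_address(p) for p in protected_ips}
    risky = []
    for rule in rules:
        if rule.source_ip is None and rule.port is None:
            risky.append(rule)
        elif rule.source_ip is not None and ipaddress.ip_address(rule.source_ip) in protected:
            risky.append(rule)
    return risky


# The three example rules from Step 5.
RULES = [
    Rule(source_ip="192.168.1.200"),
    Rule(port=123),
    Rule(source_ip="192.168.1.201", port=1234),
]
DNS_SERVER = "192.168.1.53"  # constructed value, replace with your own resolver

if __name__ == "__main__":
    for src, port in [("192.168.1.200", 22), ("192.168.1.201", 22), ("10.0.0.5", 123)]:
        print(src, port, "dropped" if is_dropped(RULES, src, port) else "allowed")
    print("lockout risks:", lockout_risks(RULES, [DNS_SERVER]))
```

Run the lockout check against every address the bird needs in order to reach the Console before you deploy in Step 6.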
Step 6: Deploy and test your changes
Once you've added the required rules, you can deploy your changes and make sure the bird comes back online.
If possible, you can test that the firewall rules are working correctly.