⚠️ Important: Firewall Rule Detection Changes
This release includes significant improvements to firewall rule analysis. If you notice unexpected audit results after upgrading, please report the issue and consider rolling back to v0.10.7.
What's Changed
Firewall Analysis Improvements
- Detect internet blocking via firewall rules - Firewall rules blocking network→external are now treated as equivalent to
internet_access_enabled=false - External zone detection - Automatically detect External/WAN zone ID from network configs for accurate firewall destination validation
- Fix false positives - IP-based firewall rules no longer incorrectly match network-based rules (now checks CIDR overlap)
- Improved exception grouping - Firewall exceptions now group by type in the UI:
- "External Access Exception" - rules allowing traffic to external/WAN zone
- "Cross-VLAN Access Exception (IoT/Security/etc.)" - rules allowing inter-VLAN traffic
- "Firewall Exception" - other patterns
- Filter management exceptions - UniFi cloud, AFC, NTP, and 5G domain exceptions no longer appear as generic firewall exceptions (covered by dedicated MGMT_MISSING_* rules)
Other Changes
- Add SimpliSafe, TP-Link, and Canary to cloud camera vendor detection
Full Changelog: v0.10.7...v0.10.8