Lists


On this page you can create and edit the lists needed in order to use internet filters and prioritization rules.

Click on the "Apply" button to save your settings. If you leave the page without saving, all of your changes will be discarded.

Filter Lists

In the FRITZ!Box you can set up filter lists according to your own needs. You can create a list of permitted websites and a list of blocked websites, which you can configure to allow or block access to web content. Both lists are empty in the FRITZ!Box factory settings.

The lists are enabled in the access profiles for parental controls. Either the blocklist or the allowlist is activated in an access profile. A filter list is applied to all network devices that use an access profile in which the filter list is enabled.

Permitted websites (whitelist)

  • Enter on the allowlist the web pages to which access is to be permitted.
  • An allowlist makes sense when only a few websites are supposed to be allowed, but access to most websites is to be blocked.
  • Network devices that use an access profile with an allowlist enabled can only open the websites that have been entered in the allowlist. All other websites are blocked.
  • A whitelist without any entries has no effect; it does not mean that no websites can be accessed. To block a device's access to the entire internet, use the device block in the "Internet / Filters / Parental Controls" area.
  • You can enter a maximum of 500 web addresses in the allowlist.

Click on "Edit" to open and edit the whitelist.

Blocked Web Sites (Blocklist)

  • Enter in the blocklist the websites to be blocked.
  • A blocklist makes sense when access to most websites is to be allowed, and only a few websites are to be blocked.
  • Network devices that use an access profile with a blocklist enabled cannot open the websites that have been entered in the blocklist. All other websites can be opened.
  • You can enter a maximum of 500 web addresses in the blocklist.
  • Network devices that use an access profile with a blocklist enabled can no longer open websites directly via their IP address. This can lead to problems when there are applications on a network device that work with IP addresses rather than DNS names. It can happen that these applications no longer work reliably, for instance because no more updates are installed. For such cases there is the "Permitted IP addresses" list, in which you can exempt certain IP addresses from the filter.

Click on "Edit" to open and edit the blacklist.

Permitted IP Addresses

When a blacklist is enabled in an access profile, the FRITZ!Box registers whenever websites are opened directly via their IP addresses, and enters these IP addresses in the "Permitted IP addresses" list. The FRITZ!Box enters the IP addresses in the list, but does not release them. If you would like to release IP addresses so that they can be opened directly, you must release the IP addresses in the list individually.
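The list rules above (an empty allowlist has no effect, a blocklist also blocks direct IP access unless the address has been released) can be modelled in a few lines. This is an added illustration, not FRITZ!Box code; the function names and the rule that an entry also matches its subdomains are assumptions, since the page does not say how entries are compared.

```python
import ipaddress
from urllib.parse import urlsplit

MAX_ENTRIES = 500  # per-list limit stated on the page


def _host(value):
    # Accept bare "example.com/path" entries as well as full URLs.
    return (urlsplit(value if "//" in value else "//" + value).hostname or "").lower()


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _listed(host, entries):
    # Assumption: an entry matches the host itself and its subdomains.
    return any(host == e or host.endswith("." + e) for e in entries)


def decide(url, mode, entries=(), released_ips=()):
    """Return (allowed, reason) for one request under an access profile.

    mode is "allowlist" or "blocklist"; released_ips models the addresses the
    user has released in the "Permitted IP addresses" list.
    """
    if len(entries) > MAX_ENTRIES:
        raise ValueError("a filter list holds at most 500 addresses")
    host = _host(url)
    entries = [_host(e) for e in entries]
    if mode == "allowlist":
        if not entries:
            return True, "empty allowlist has no effect"
        ok = _listed(host, entries)
        return ok, "on allowlist" if ok else "not on allowlist"
    if mode == "blocklist":
        if _is_ip(host):
            # Direct IP access is blocked whenever a blocklist is enabled.
            if host in released_ips:
                return True, "IP released"
            return False, "direct IP access, not released"
        blocked = _listed(host, entries)
        return not blocked, "on blocklist" if blocked else "not on blocklist"
    raise ValueError("unknown mode: " + mode)
```
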

Network Applications

The "Network Applications" list contains the network applications that are available for creating prioritization rules and for setting up parental controls. To create a prioritization rule, select from the list the network application whose use you would like to regulate. To set up parental controls, select from the list the network applications you would like to block.

  • Click on the "Add Network Application" button to add other network applications to the list.
  • Use the button for editing an entry to change the protocol and the ports used by the application.
  • Use the button for deleting an entry to remove network applications from the list.

The network applications preset in the list, "Internet telephony" and "Surfing", can be neither edited nor deleted.

Global Filter Settings

Firewall in stealth mode

Enable this setting if you want to make it more difficult to identify your FRITZ!Box through port scans.

When the firewall of the FRITZ!Box is in stealth mode, the FRITZ!Box operates as follows:

  • All queries from the internet to ports that have not been opened for sharing are discarded without response (DROP).
  • The FRITZ!Box continues to respond to pings (ICMP echo requests).
  • The FRITZ!Box continues to respond to ident queries to port 113 with "TCP closed".

Stealth mode makes it more difficult for attackers to collect information about the system.

Email filter via port 25 enabled

This filter prevents email from being sent via the unsecured port 25.

When the filter is enabled, no unsecured email can be sent via the FRITZ!Box's internet connection. Unsecured email can be generated and sent, for instance, by malware on devices in your home network.

Use only secure email programs and servers if you would like to enable this filter.

The normal sending of email via the website of an email provider or an email program is not blocked by the filter, since email providers do not allow email to be sent without user authentication, and use methods like SMTP-Auth or SMTPS to ensure that their mail servers can only be used by authorized users.

NetBIOS filter enabled

For security reasons, the NetBIOS filter in the FRITZ!Box is on by default. It blocks NetBIOS packets, which are usually not required for communication on the internet. Disable this filter only if you are using applications that have to exchange NetBIOS packets with the internet. This is the case, for instance, for SMB access to the Strato HiDrive.

Teredo filter enabled

The Teredo filter blocks Teredo packets. The "Teredo filter enabled" setting is enabled by default.

Teredo is a tunnel protocol that uses UDP to tunnel IPv6 packets over IPv4.

With Teredo, individual devices in the home network can establish their own IPv6 connections. IPv6 connections with Teredo are not usually necessary if the FRITZ!Box provides a native IPv6 connection for the home network. The FRITZ!Box's native IPv6 connections are protected by the IPv6 firewall of the FRITZ!Box. An IPv6 connection with Teredo is not protected by the FRITZ!Box IPv6 firewall.

Filter setting and meaning:

Teredo filter enabled: When this setting is enabled, Teredo packets are blocked by the FRITZ!Box's packet filter. Devices in the home network cannot use Teredo to establish IPv6 tunnels.

Teredo filter disabled: When this setting is disabled, Teredo packets are allowed to pass through the FRITZ!Box's packet filter. With Teredo, devices in the home network can establish their own IPv6 connections.

Note the following if the FRITZ!Box provides a native IPv6 connection:

  • An IPv6 connection with Teredo is not protected by the FRITZ!Box IPv6 firewall.
  • Disable this filter only if a device in the home network absolutely requires Teredo and you are willing to accept the risk that the Teredo connection is not protected by the IPv6 firewall of the FRITZ!Box.
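Before changing the email, NetBIOS or Teredo filter, it helps to know which home-network devices send the traffic each filter covers. The following added example (not FRITZ!Box code) checks flow records against the standard well-known ports for these protocols; the port numbers, the flow-record format, the LAN range and the sample lines are assumptions, as the page does not state which ports the FRITZ!Box matches.

```python
import ipaddress
import re

LAN = ipaddress.ip_network("192.168.178.0/24")  # assumed home network range
FILTERS = {
    "Email filter via port 25": {("tcp", 25)},
    "NetBIOS filter": {(p, n) for p in ("tcp", "udp") for n in (137, 138, 139)},
    "Teredo filter": {("udp", 3544)},
}
FLOW = re.compile(r"^(tcp|udp) (\S+):(\d+) -> (\S+):(\d+)$")

# Constructed sample flow records (the format is hypothetical).
SAMPLE = """\
tcp 192.168.178.21:50112 -> 203.0.113.25:25
tcp 192.168.178.21:50113 -> 203.0.113.25:587
udp 192.168.178.34:61000 -> 198.51.100.7:3544
udp 192.168.178.40:137 -> 192.168.178.255:137
tcp 192.168.178.40:49900 -> 198.51.100.80:139
tcp 192.168.178.22:51000 -> 203.0.113.9:443
"""


def affected_devices(log_text):
    """Map each filter name to the LAN hosts whose internet-bound flows it covers."""
    hits = {name: set() for name in FILTERS}
    for line in log_text.splitlines():
        m = FLOW.match(line.strip())
        if not m:
            continue  # skip lines that are not flow records
        proto, src, _, dst, dport = m.groups()
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        # The filters concern traffic leaving for the internet, not LAN-local traffic.
        if src_ip not in LAN or dst_ip in LAN:
            continue
        for name, ports in FILTERS.items():
            if (proto, int(dport)) in ports:
                hits[name].add(src)
    return hits
```

A device listed under the email filter is sending mail over plain port 25 and is worth inspecting; a device listed under the Teredo filter is building its own IPv6 tunnel outside the IPv6 firewall.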

WPAD filter enabled

This filter blocks WPAD (Web Proxy Auto-Discovery Protocol).

WPAD runs in Windows operating systems. With WPAD, Windows computers in the home network automatically detect whether a proxy server is available and should be used. WPAD allows a proxy server to be used without it having to be configured manually on every Windows computer.

Disable this filter only if you deploy a WPAD server in the home network.