Netgate Discussion Forum

Host Overrides and Firewall rules?
DHCP and DNS
11 Posts 2 Posters 1.4k Views

johnpoz (LAYER 8 Global Moderator) @woggy:

      @woggy said in Host Overrides and Firewall rules?:

      I have firewall rules blocking access to my Camera VLAN but the Host Overrides makes them accessible anyways. I can't just block DNS because I need it for pfBlockerNG etc.

huh? That makes no sense - you can resolve some FQDN to whatever IP you want; if that traffic flows through pfSense you could block the actual traffic to the camera..

What are you trying to block getting to your cameras exactly - from the internet, another VLAN? Where is the client you're trying to block from getting to the camera(s), and where are the cameras?

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 25.07 | Lab VMs 2.8, 25.07

woggy @johnpoz:

        @johnpoz
I have many VLANs, but one example is:
Main VLAN 192.168.10.0/24
Camera VLAN 192.168.70.0/24

Firewall rules on the Main VLAN are blocking access to the Camera VLAN, and it's working when I use http://192.168.70.9/ but not when I use https://livingroom_ipcam.woggy.se/

I have a Host Override that's pointing livingroom_ipcam.woggy.se to 192.168.10.1 because I have a HAProxy listening there on pfSense handing out Let's Encrypt certificates.

        Somehow the host override or HAProxy is overriding the firewall rules.

johnpoz @woggy:

Well, your HAProxy is a "proxy", so it's going to the camera for the client.

You allow traffic to the proxy.. Not sure why you would have your proxy listening on the LAN side interface?

So you're concerned with some local client talking to your cameras? From your main network?

woggy @johnpoz:

            @johnpoz
Yeah, I just followed a guide on YouTube on how to set up Let's Encrypt certs on pfSense without thinking =)

I guess that I have to create virtual IPs and have many HAProxy instances running on different IPs and block them too?

woggy @johnpoz:

              @johnpoz said in Host Overrides and Firewall rules?:

              So your concerned with some local client talking to your cameras? From your main network?

Maybe not concerned, but I don't trust IoT stuff, especially not cameras that we have inside our house. So they have their own VLAN with no internet access and are only allowed to talk to the camera server.

Creating virtual IPs for HAProxy seems to work well now!

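The mechanism johnpoz describes (the proxy opening its own connection to the camera, so the Main VLAN block rule never sees it) and the virtual-IP fix woggy confirms, written up as an added example that is not part of the thread. The rule model is a deliberate simplification (first match wins, default pass, only the Main VLAN interface is filtered), and the client address 192.168.10.50 and the virtual IP 192.168.10.250 are constructed for the example.

```python
import ipaddress

# Constructed network mirroring the thread: Main VLAN clients, Camera VLAN, pfSense.
MAIN_VLAN = ipaddress.ip_network("192.168.10.0/24")
CAMERA_VLAN = ipaddress.ip_network("192.168.70.0/24")
PFSENSE_MAIN_IF = ipaddress.ip_address("192.168.10.1")  # where HAProxy first listened
PROXY_VIP = ipaddress.ip_address("192.168.10.250")      # hypothetical virtual IP for HAProxy
CLIENT = ipaddress.ip_address("192.168.10.50")          # constructed Main VLAN client

# (action, source network, destination network); first match wins, default pass.
# A simplified model of the rules on the Main VLAN interface, not pf itself.
BLOCK_MAIN_TO_CAMERAS = ("block", MAIN_VLAN, CAMERA_VLAN)

def first_match(rules, src, dst):
    for action, src_net, dst_net in rules:
        if src in src_net and dst in dst_net:
            return action
    return "pass"

def client_reaches_camera(target, rules, host_overrides, proxy_listeners):
    """Does a Main VLAN client end up with a connection to a camera?
    The client's packets are filtered once, on entry to the Main VLAN interface,
    against their real destination. If that destination is a HAProxy listener on
    pfSense, the proxy opens its own connection to the backend; that flow never
    enters the Main VLAN interface, so the block rule there never sees it."""
    dst = host_overrides.get(target)
    if dst is None:
        dst = ipaddress.ip_address(target)      # client typed an IP, not a name
    if first_match(rules, CLIENT, dst) == "block":
        return False
    if dst in proxy_listeners:
        return True                             # proxy fetches the camera for the client
    return dst in CAMERA_VLAN                   # direct connection to a camera

def direct_by_ip():
    return client_reaches_camera("192.168.70.9", [BLOCK_MAIN_TO_CAMERAS], {}, set())

def via_proxy_on_interface_address():
    overrides = {"livingroom_ipcam.woggy.se": PFSENSE_MAIN_IF}
    return client_reaches_camera("livingroom_ipcam.woggy.se", [BLOCK_MAIN_TO_CAMERAS],
                                 overrides, {PFSENSE_MAIN_IF})

def via_proxy_on_virtual_ip():
    # The fix from the thread: proxy on a virtual IP, plus a rule blocking clients to it.
    overrides = {"livingroom_ipcam.woggy.se": PROXY_VIP}
    rules = [("block", MAIN_VLAN, ipaddress.ip_network("192.168.10.250/32")),
             BLOCK_MAIN_TO_CAMERAS]
    return client_reaches_camera("livingroom_ipcam.woggy.se", rules, overrides, {PROXY_VIP})
```

Only the second case reaches the camera: the block rule matches the real L3 destination, and a proxy on the interface address is a destination the rule was never written for.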
johnpoz @woggy:

                @woggy said in Host Overrides and Firewall rules?:

                no internet access and are only allowed to talk to the camera server.

Ok, that seems sane... I put my IoT stuff on their own VLAN too... But what does that have to do with your client creating the connection to them?

woggy @johnpoz:

                  @johnpoz
                  If I get a compromised device on my LAN I don't want it to be able to connect to my cameras. Or maybe I didn't understand your question?

johnpoz @woggy:

@woggy huh... Normally you would be worried about the other direction, i.e. your cameras becoming compromised and them creating connections to your other network stuff.

Which is why you isolate them on their own VLAN..

But you kind of want to view your cameras from your devices, right? So why would you prevent your devices from talking to them?

                    If you only want to be able to talk to the server, then only allow that - but if that is the case why do you have a proxy doing proxy stuff to the cameras in the first place??

woggy @johnpoz:

                      @johnpoz
The cameras don't have internet, so I'm not worried that they will be compromised. I'm more worried about a compromised device on my LAN hacking the cameras and watching and listening. Probably unlikely, but anyway.

                      The proxy stuff is for Let’s Encrypt certificates, livingroom_ipcam.woggy.se is easier than http://192.168.70.9/ to remember when you have 10+ cameras. But you are right, it's probably stupid and I mostly did it because I want to learn more about networking =)

johnpoz @woggy:

@woggy Makes no sense to have a proxy doing your SSL offload if you have zero want to even talk to them..

Just talk to your server, set up an SSL offload for it, etc.

                        I have zero understanding of why you would setup proxy to allow clients to talk to your cameras - if your goal is to not let your lan talk to your cameras..

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.