Send post/get on firewall rule match?



  • is it possible to somehow implement not only a logging action when a firewall rule applies but to start a script or issue an http request?
    currently i am watching network traffic using scapy with python and when the amazon dash button is pressed and tries to contact amazon the script issues an http request to an api.

    as this scapy script is consuming extremely many resources and as i anyway block the dash button from reaching the internet i am thinking about implementing the api call via pfsense.

    of course i could monitor the firewall log with a shell script but this is only my 2nd choice.

    thx



  • afaik you could use an ids like snort or suricata. they can monitor/filter traffic for post/get.

    do the dash buttons get to the api via url or ip?
    if it's via url, then you could redirect the dns to localhost.
    if it's via ip, then you could block the ip completely.

    but since i guess the dash buttons have a normal ip in the lan, why not block their internet access completely with a firewall rule?



  • thanks. an ids would be the solution "shell script that monitors the logs". i would really love to have the action triggered by the process which logs or which triggers the log.

    the dash buttons are completely blocked. the buttons just reach out to amazon. the api call has to be made by a script. the script action is triggered by the dash requests on the lan. see
    https://community.smartthings.com/t/hack-the-amazon-dash-button-to-control-a-smartthings-switch/20427



  • i have done the following and it works:

    NAT - Port Forward:

    Interface: the interface the dash buttons are on (wifi-net)
    Protocol: TCP
    Source Address: the IP of the dash button
    Source Ports: *
    Destination Address: *
    Destination Ports: 443 (as the dash buttons try to establish an SSL connection to amazon when pressed)
    NAT IP: the IP of the computer on the net which shall receive the info that the dash buttons try to connect to the internet, aka have been pressed
    NAT Ports: 4321 (any one does, no port range needed, as the buttons only try to connect to :443)
    Corresponding Firewall Rule: Pass

    On the Nat IP-machine I can receive the connection requests using scapy in python:

    from scapy.all import IP, sniff
    # store=0 keeps no packets, so print each source address from the per-packet callback
    sniff(filter="tcp and port 4321", store=0,
          prn=lambda p: print(p[IP].src))

    Every Button Press generates 5 requests.

    Problem: Scapy uses a lot of resources, will take ~30% CPU on a Raspy B.

    Problem 2: I didn't manage to use the socket module, as the buttons don't really connect, they just send SSL SYNs and receive multiple ACKs from the NAT IP.

    Here's what Wireshark shows (running on the Nat-IP machine; *.127 is the dash button, *.125 is the Nat-IP client machine):
    https://ibb.co/hwwi55
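    The two problems in the post above (scapy's CPU cost, and the socket module never seeing a connection because the button only sends SYNs) can both be addressed with a standard-library raw socket. The following is an added example, not code from the thread: it opens a Linux AF_PACKET socket on the wifi-net interface, parses the Ethernet/IPv4/TCP headers by hand, keeps only SYN segments addressed to the forwarded port, and collapses the burst of retried SYNs from one press into a single event before making the HTTP call. The port (4321) is taken from the post; the interface name, the 10 second debounce window, the API URL and the frame builder used for offline testing are assumptions.

```python
"""TCP SYN watcher for the pfSense port-forward setup (standard library only).

Added example, not from the thread. Needs root and Linux (AF_PACKET).
Assumptions: port 4321 as in the post, a 10 s debounce window, placeholder API URL.
"""
import socket
import struct
import time
import urllib.request

WATCH_PORT = 4321                              # NAT port chosen in the post
DEBOUNCE_SECONDS = 10.0                        # assumption: retries of one press land inside this
API_URL = "http://example.invalid/api/dash"    # placeholder, replace with the real endpoint

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
TCP_SYN = 0x02
TCP_ACK = 0x10


def parse_syn(frame):
    """Return the IPv4 source address if `frame` is a pure TCP SYN to WATCH_PORT, else None."""
    if len(frame) < ETH_HDR_LEN + 20:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[ETH_HDR_LEN:]
    ver_ihl = ip[0]
    if ver_ihl >> 4 != 4:
        return None
    ihl = (ver_ihl & 0x0F) * 4
    if len(ip) < ihl + 20 or ip[9] != 6:       # need a full TCP header, protocol 6 = TCP
        return None
    src = socket.inet_ntoa(ip[12:16])
    tcp = ip[ihl:]
    _src_port, dst_port = struct.unpack("!HH", tcp[0:4])
    flags = tcp[13]
    # SYN set and ACK clear: the first segment of a handshake attempt, which is all the button sends.
    if dst_port == WATCH_PORT and (flags & TCP_SYN) and not (flags & TCP_ACK):
        return src
    return None


class PressDetector:
    """Collapse the retried SYNs of one press into a single event per source address."""

    def __init__(self, window=DEBOUNCE_SECONDS):
        self.window = window
        self._last_seen = {}

    def observe(self, src, now):
        """Return True if this SYN starts a new press rather than a retry inside the window."""
        last = self._last_seen.get(src)
        self._last_seen[src] = now
        return last is None or (now - last) > self.window


def build_syn_frame(src_ip, dst_ip, src_port, dst_port, flags=TCP_SYN):
    """Constructed test frame (Ethernet + IPv4 + TCP header, no options, no payload, zero checksums)."""
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return eth + ip + tcp


def notify(src):
    """Make the HTTP call the scapy script in the thread made; returns the HTTP status."""
    req = urllib.request.Request(API_URL, data=src.encode(), method="POST")
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.status


def watch(iface):
    """Sniff `iface` with a raw socket and act once per press (Linux only, run as root)."""
    sock = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(0x0003))  # ETH_P_ALL
    sock.bind((iface, 0))
    detector = PressDetector()
    while True:
        frame = sock.recv(65535)
        src = parse_syn(frame)
        if src and detector.observe(src, time.monotonic()):
            print("press from", src)
            notify(src)


if __name__ == "__main__":
    watch("eth0")   # assumption: the wifi-net interface name on the NAT IP machine
```

    Because the parser only touches a few header bytes per frame and never builds a packet object, it stays well below scapy's per-packet dissection cost; the debounce turns the five SYNs per press that the post reports into one API call.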