Block rule not firing



  • Hello,

    I have the following issue with my pfSense, hope someone can help me out please :)

    I am a 'home user' and am running pfSense in a (I guess) simple environment. I have a WAN, 192.168.0.x, connected to the modem, a LAN (192.168.1.x) and a VPN (192.168.3.x) for my smartphone to dial into the network from outside. I have Snort installed and that's pretty much it. I have the latest pfSense version 2.3.4p1.

    Recently I purchased a Chinese WLAN surveillance camera for my home, and soon found out that it is communicating with the internet. I thought it would be a very simple task to block that in pfSense. I created a rule which has the parameters

    Action=Block
    Interface=LAN
    Address Family=IPv4
    Protocol=any
    Source=Single host or Alias=192.168.1.9 (address of camera)
    Destination=WAN Net
    Log=Enabled

    It is the topmost rule in my list, but it doesn't fire at all. I have no entry in the system log, while the cam is happily sending its pictures home to China. I can see the states

    LAN udp 192.168.1.9:28985 -> 123.57.136.155:32100 MULTIPLE:MULTIPLE 10 / 10 716 B / 408 B
    WAN udp 192.168.0.2:45934 (192.168.1.9:28985) -> 123.57.136.155:32100 MULTIPLE:MULTIPLE 10 / 10 716 B / 408 B
    LAN udp 192.168.1.9:28985 -> 58.96.170.32:32100 NO_TRAFFIC:SINGLE 1 / 0 76 B / 0 B
    LAN udp 192.168.1.9:28985 -> 54.183.36.158:32100 NO_TRAFFIC:SINGLE 1 / 0 76 B / 0 B

    I have killed the states; after some time they reappear.
    I have created rules blocking the destination addresses, these work and show up in the system log. But each time I add an IP address, the cam uses another one. I stopped after adding 5 addresses. But at least it shows that the rules are activated, basically. Just the one with which I try to block the traffic from the cam itself doesn't do anything.

    I even tried a floating rule with all interfaces, any directions, source=IP of camera, destination = any. Same result.

    Any ideas?

    Thanks a lot in advance
    Brandy


  • LAYER 8 Netgate

    WAN net is not the internet. It is the subnet of the WAN interface. Any is the internet.

    I would return that camera for a refund but that's just me.



  • Thanks a lot !

    I get your point, problem is that you won't find a lot of IP cams which don't have a 'made in china' label on them, regardless of the brand.

    Brandy


  • LAYER 8 Global Moderator

    Just change the rule to block source (ip of the cameras) and dest ANY.. Below a rule that allows the cameras IP to talk to your other networks if you want/need that.

    Doesn't matter then what public IP they are trying to talk to.
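
The two replies above make the same point: "WAN net" is only the WAN interface's subnet, so a block rule with that destination never matches traffic bound for a public address, and the fix is source = camera, destination = any, with any pass rule for the camera's allowed internal networks placed above the block. The following added Python example (not pfSense's own code, and not from anyone in this thread) models first-match evaluation of such a ruleset to show both effects. It assumes /24 masks for the WAN, LAN and VPN networks, since the post only gives 192.168.0.x style prefixes, and approximates the default "LAN to any" allow rule with a default action of pass.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Subnets from the post; /24 masks are an assumption (the post only gives "192.168.x.x").
NETWORKS = {
    "wan net": ip_network("192.168.0.0/24"),
    "lan net": ip_network("192.168.1.0/24"),
    "vpn net": ip_network("192.168.3.0/24"),
}
CAMERA = "192.168.1.9"  # camera address from the post


@dataclass
class Rule:
    action: str       # "block" or "pass"
    source: str       # "any", a host address, a CIDR, or an interface alias such as "WAN net"
    destination: str  # same forms as source
    log: bool = True


def matches(spec: str, addr: str) -> bool:
    """True if addr falls inside the address spec (alias, host, CIDR, or 'any')."""
    key = spec.lower()
    if key == "any":
        return True
    if key in NETWORKS:            # interface alias: only that interface's subnet, never "the internet"
        return ip_address(addr) in NETWORKS[key]
    return ip_address(addr) in ip_network(spec, strict=False)


def evaluate(rules, src: str, dst: str, default: str = "pass"):
    """First-match evaluation, like a pfSense interface ruleset read top to bottom.

    Returns (action, index of the matching rule or None if the default applied).
    The default of "pass" stands in for the stock 'allow LAN to any' rule that
    usually sits below user rules on the LAN tab (a simplification)."""
    for i, rule in enumerate(rules):
        if matches(rule.source, src) and matches(rule.destination, dst):
            return rule.action, i
    return default, None


# The rule from the original post: destination "WAN net" instead of "any".
ORIGINAL_RULESET = [Rule("block", CAMERA, "WAN net")]

# The corrected ruleset: pass to the VPN subnet above, then block everything else.
FIXED_RULESET = [
    Rule("pass", CAMERA, "VPN net"),
    Rule("block", CAMERA, "any"),
]

if __name__ == "__main__":
    public_dst = "123.57.136.155"  # one of the destinations seen in the post's state table
    print("original, camera -> public:", evaluate(ORIGINAL_RULESET, CAMERA, public_dst))
    print("original, camera -> WAN subnet:", evaluate(ORIGINAL_RULESET, CAMERA, "192.168.0.1"))
    print("fixed, camera -> public:", evaluate(FIXED_RULESET, CAMERA, public_dst))
    print("fixed, camera -> VPN host:", evaluate(FIXED_RULESET, CAMERA, "192.168.3.5"))
    print("fixed, other LAN host -> public:", evaluate(FIXED_RULESET, "192.168.1.20", public_dst))
```

Running it shows the original rule matching only when the camera talks to a host inside 192.168.0.0/24, while the public destination falls through to the default pass (which is why nothing was logged); with destination "any" the block fires for every public address without listing them one by one, and the pass rule above it still lets the camera reach the VPN subnet.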


  • LAYER 8 Netgate

    @Ez2517:

    Thanks a lot !

    I get your point, problem is that you won't find a lot of IP cams which don't have a 'made in china' label on them, regardless of the brand.

    Brandy

    That doesn't mean you have to put them on your network. You have a camera that is, according to you, sending images to China absent your instructions. That, to me, is a non-starter and it goes back.

    Make them honor your privacy (it's an IP camera) or suffer.

    Or at least help convince the retailer to stop selling them. There is only one avenue to that end - your almighty $$.


  • LAYER 8 Global Moderator

    Do you know what it's doing exactly? Maybe it's just phoning home for an update? Have you done a sniff to see what it's sending?

    I agree cameras are bad these days for sure!! Lots of backdoors and exploits, etc. They really need to be locked down and isolated. And watched!!! I log all the traffic my IoT devices do and they are locked down to their own VLAN..

    But with Derelict here - the vendor should be able to explain exactly what it's doing outbound, and why, and if they can not.. then no, you should not support them by buying their product. And you should have the ability to turn off phoning home even if best of intentions.



  • The only Chinese IP camera I would recommend is Dahua, and I am keeping an eye on it too.

