Firewall for Smart TV?



  • I have the following setup:

    Cable Modem <-> pfsense (v. 2.4) <-> home network (4-port LAN switch)

    homenetwork consists of:

    • computer(s)
    • mobile phone(s)
    • Smart(ish) TV

    Usage (typical):
    Netflix, Youtube, Amazon, Youtube control via mobile phone and searching for SW updates from manufacturer.

    I would like to limit the TV's connections to prevent (too much) data leakage, i.e. limit the amount of spying that my TV can do.

    Can I do this via my pfsense box? And if so how - is this best done using the pfsense's Firewall to the SmartTV's IP?


  • Rebel Alliance Global Moderator

    Set your tv so it always gets the same IP via dhcp reservation in pfsense.  Then yes you can limit what it can do on the internet with simple firewall rules.



  • Thanks - yes I've given it a fixed IP. Ok, if it is via the FW then I'll need to do the following:

    1. Figure out which ports & IP addresses to allow (Youtube, Netflix etc)

    Any suggestions how to go about this? With a computer I can have a SW firewall prompt me to set rules as the application attempts to make connection, but in the case of pfsense & the Smart TV I've not figured out an efficient way of doing it.

    2. Implement rules in the pfsense FW (anyone have a good link to a guide for pf2.4?)


  • Rebel Alliance Global Moderator

    You do understand that youtube and netflix are served up from huge CDNs right - the address space is going to be quite large and changing..

    You could create aliases and use those..  But those can cause issues as well.

    Why don't you set a rule to log all the traffic the smart tv does, then using this log see where it's going and determine if you want to allow that or block it, etc.



  • The easiest thing is to LIMIT TV IP to a fixed download bandwidth but not as friendly and sophisticated as traffic shaper, the last of which requires more understanding and configuration on your part.



  • @SammyWoo:

    The easiest thing is to LIMIT TV IP to a fixed download bandwidth but not as friendly and sophisticated as traffic shaper, the last of which requires more understanding and configuration on your part.

    I fail to see why limiting connection bandwidth provides any protection. Could you enlighten me?



  • what protection are you looking for?  just that the TV doesn't suck up too much data?



  • No, perhaps my wording was unclear.

    I want to prevent 'data leakage', by which I mean I don't want my TV spying on me too much (obviously Google sees my use of Youtube etc) - I want to avoid manufacturer from getting all my info…

    The first responder understood my question, hence I didn't understand the replies w.r.t. bandwidth limiting.



  • @johnpoz:

    You do understand that youtube and netflix are served up from huge CDNs right - the address space is going to be quite large and changing..

    You could create aliases and use those..  But those can cause issues as well.

    Why don't you set a rule to log all the traffic the smart tv does, then using this log see where it's going and determine if you want to allow that or block it, etc.

    Right, I've now learned a bit more about FW setup on PFSENSE… (thanks youtube!)

    I've added a bunch of IP ranges to FW alias 'GOOGLE' (includes various amazon servers as well).
    TV is on alias 'TV'.
    Then FW->LAN->Rules, where the last one is the general blocking rule:

    Action  Proto          Source   Port  Dest      Port         Gw  Queue
    allow   IPv4 TCP/UDP   GOOGLE   *     TV        443 (HTTPS)  *
    allow   IPv4 TCP/UDP   TV       *     GOOGLE    443 (HTTPS)  *
    allow   IPv4 TCP/UDP   GOOGLE   *     TV        80 (HTTP)    *
    allow   IPv4 TCP/UDP   TV       *     GOOGLE    80 (HTTP)    *
    allow   IPv4 TCP/UDP   TV       *     LAN net   53 (DNS)     *
    allow   IPv4 TCP/UDP   TV       *     8.8.8.8   53 (DNS)     *
    block   IPv4 *         TV       *     *         *            *   none

    Is this the right way to do it?
    My Alias list is already 20+ subnets to Amazon, Google, Netflix etc - pretty unwieldy :-s... is there a better way with modern CDNs?


  • Rebel Alliance Global Moderator

    Please post up a screen shot of your rules..  ascii art can be easy to misread..

    Also you do understand that all interfaces have default block so unless you're looking to not log or log or etc.. a block rule on the bottom is kind of pointless.

    Why would you have source of google listed?  How would google be a source of traffic entering your lan interface??



    Also you do understand that all interfaces have default block so unless you're looking to not log or log or etc.. a block rule on the bottom is kind of pointless.

    But I want to allow all traffic to my laptop etc…

    Why would you have source of google listed?  How would google be a source of traffic entering your lan interface??
    Because I don't understand source versus destination:) I thought the source is where the packets are coming from, but is there a clearer explanation?




  • If those are rules for your LAN net then how would you expect any traffic FROM Content entering there?

    You may need to figure out which rules apply where before creating all of them…

    On the LAN net tab you only have rules for traffic which enters into the LAN interface, e.g. from all devices on that interface.
    You can not define (block or allow) traffic from WAN to your LAN net there! That would be done on the WAN tab. Only there.

    Before you spend too much time watching YT videos from guys with not too much of a clue may I suggest reading some of the documentation here: https://doc.pfsense.org/index.php/Main_Page
    I'm pretty sure there's not much nonsense there.



  • @jahonix:

    If those are rules for your LAN net then how would you expect any traffic FROM Content entering there?

    You may need to figure out which rules apply where before creating all of them…

    On the LAN net tab you only have rules for traffic which enters into the LAN interface, e.g. from all devices on that interface.
    You can not define (block or allow) traffic from WAN to your LAN net there! That would be done on the WAN tab. Only there.

    Before you spend too much time watching YT videos from guys with not too much of a clue may I suggest reading some of the documentation here: https://doc.pfsense.org/index.php/Main_Page
    I'm pretty sure there's not much nonsense there.

    Thanks - I had already read:
    https://doc.pfsense.org/index.php/Firewall_Rule_Basics
    https://doc.pfsense.org/index.php/Firewall_Rule_Troubleshooting#Interface_Selection

    But it didn't help me very much unfortunately (missing any examples).

    I obviously have a fundamental misunderstanding of firewall setups, but unfortunately I don't have much time to delve deeply into the subject and learn everything from step one (and make all the mistakes associated with self-learning) - having already used quite a bit of time setting up open VPN, pfsense itself etc. Learning another profession (network administration) is just not possible in the near future :/, so after reading what I could on the internet I had hoped to get a few sentences of help on the forum for my specific use case.

    These rules (screenshot) do seem to work when on the LAN interface. I figured that the TV opens a UDP/TCP connection, to say, Amazon at 99.88.1.1, receiving packets from there, so I should allow those… So I would be grateful if someone could guide me as to: 'how can I do what I want to do?' and perhaps a sentence or two of explanation saying (e.g.) on the WAN interface you want to block packets 'such and such' and then create corresponding rules on the LAN interface for 'this and that'



  • @lonsense:


    I would like to limit the TVs connections to prevent (too much) data leakage, i.e. limit the amount of spying that my TV can do.
    ...

    I would start making a list with all outgoing connections the TV makes when you put it on.
    Some wire-shark and company.
    These are outgoing connections, so they are easy to filter on the LAN interface using firewall rules.

    Remember, when you use your TV to watch Netflix, Netflix will know what type of TV you are using, its serial number and the lot.
    So, your TV manufacturer will know what you do, in the end.
    Google and Youtube - yes, they do earn money, lots of money, so they do "something" when we connect a device to their services. Guess who pays them  ;)

    Take a non-connected satellite receiver - or use the old antenna on the roof - shut down the TV's NIC and you'll be fine without troubles, issues, and a guaranteed result.

    @lonsense:

    Learning another profession (network administration) is just not possible in the near future

    Not a profession, just a hobby.
    But the subject is huge. So, analyzing the "spying TV" isn't something for you in the same time span either?

    edit : out-smarting the smart TV, now I think about it … have one @home. Never looked at it this way.


  • Rebel Alliance Global Moderator

    "receiving packets from there, so I should allow those."

    Back in the days before stateful firewalls - ok that logic makes sense.. But in that case your rules to allow the return traffic in would need to be on the interface where the traffic actually enters the firewall.  Ie the wan..

    But since it's not the early 1990's any longer…
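
The stateful, first-match behaviour the moderators describe, as an added toy model (not pfSense code and not from the thread): LAN-tab rules only see packets sent by LAN hosts, so the "source GOOGLE" rows never match, and replies from the CDN are let in by the state table rather than by a rule. Aliases, addresses and the TV-specific rules are constructed for illustration; NAT is ignored.

```python
# Added example: toy model of pfSense-style stateful, first-match rule
# evaluation on the LAN interface. All aliases/addresses are constructed.
from dataclasses import dataclass
import ipaddress

ALIASES = {  # constructed; real CDN ranges are large and change often
    "TV": ["192.168.1.50/32"],
    "GOOGLE": ["172.217.0.0/16", "99.88.1.0/24"],
    "LAN net": ["192.168.1.0/24"],
    "any": ["0.0.0.0/0"],
}

def matches(alias: str, ip: str) -> bool:
    """True if ip falls inside any network listed under the alias."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in ALIASES[alias])

@dataclass
class Rule:
    action: str      # "pass" or "block"
    src: str         # alias name
    dst: str         # alias name
    dports: tuple    # destination ports; () means any

# Rules on the LAN tab are evaluated only for packets ENTERING the LAN
# interface, i.e. traffic originated by LAN hosts. First match wins.
LAN_RULES = [
    Rule("pass", "TV", "GOOGLE", (80, 443)),   # TV -> CDN web/streaming
    Rule("pass", "TV", "LAN net", (53,)),      # TV -> local DNS resolver
    Rule("block", "TV", "any", ()),            # TV: everything else dropped
    Rule("pass", "LAN net", "any", ()),        # default allow for laptops etc.
]

class StatefulFirewall:
    def __init__(self):
        self.states = set()   # (src, sport, dst, dport) of passed flows

    def lan_in(self, src, sport, dst, dport) -> str:
        """Packet from a LAN host arriving on LAN: walk the LAN rules."""
        for r in LAN_RULES:
            if matches(r.src, src) and matches(r.dst, dst) and (
                    not r.dports or dport in r.dports):
                if r.action == "pass":
                    self.states.add((src, sport, dst, dport))
                return r.action
        return "block"        # implicit default deny on every interface

    def wan_in(self, src, sport, dst, dport) -> str:
        """Packet arriving on WAN: only replies matching a state get in."""
        return "pass" if (dst, dport, src, sport) in self.states else "block"
```

Run the TV's HTTPS request through `lan_in`, then the CDN's reply through `wan_in`: the reply passes via state, an unsolicited packet from the same CDN address is blocked, and the TV's attempt to reach a non-alias host is caught by the TV block rule while a laptop still hits the default allow.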



  • @lonsense:

    I obviously have a fundamental misunderstanding of firewall setups, but unfortunately I don't have much time to delve deeply into the subject

    Basically, what lonsense says is: I don't have the time needed to do all the reading, testing and learning so I need the volunteers on this forum to do my homework for me.
    What an attitude…

    You will not be able to successfully configure pfSense to your needs if you don't understand the basics.
    Read about "Stateful Packet Inspection" whenever your time permits. Start here: https://en.wikipedia.org/wiki/Stateful_firewall
    Review your LAN rules and change accordingly.
    Post back if something's not working.


  • Rebel Alliance Global Moderator

    hehehe.. Well said jahonix ;)