Country blocking to stop devices calling home



  • Hi,
    This is my first post, but I would like to say what a fantastic product pfSense is.

    With regard to pfBlockerNG, I have read a lot of posts describing why you don't need to block the world and only allow certain countries, due to the fact that there is an explicit deny on the inbound WAN connection, excepting any configured open ports.

    My question revolves around IoT devices like security cameras and smart TVs that 'call home' on a regular basis. The other worry for me is apps downloaded from the Google Play Store that have the ability to open ports outbound to an unknown destination.

    Using pfSense I found a camera app on my phone that was calling home to mail.ru. This is a worry. Also, my Swann security cameras (Hikvision) regularly try to connect to China but are blocked by the country blocker.
    I understand that DNSBL stops large amounts of this traffic, so if I use DNSBL with regularly updated feeds, should I deselect these countries and let DNSBL stop the traffic?





  • An IDS/IPS is pretty heavy for just doing that. Also, you don't want your cameras etc. publicly visible. I would block ALL Internet access for these devices and then connect to them via OpenVPN.



  • @KOM:

    An IDS/IPS is pretty heavy for just doing that. Also, you don't want your cameras etc. publicly visible. I would block ALL Internet access for these devices and then connect to them via OpenVPN.

    I would like to block internet access to these devices, but we have a few Ring Pro cameras that will not work without internet connectivity. At present I have these IoT devices on a separate VLAN from my internal network. Also, we have several smart TVs which require network connections for TV apps like Netflix etc. Even when these TVs are in standby mode they make external connections (to Pelmorex, for instance).
    I don't know how to stop it except to do as you say and block all internet to these devices, which would not be acceptable at the moment.
    Any ideas greatly received



  • but we have a few Ring Pro cameras that will not work without internet connectivity.

    That would tell me that these are crap and to return them for cameras that don't need to send your stuff to China.

    Any ideas greatly received

    Your only real option is to block all and then start whitelisting, and that gets to be a pain real fast. For example, Netflix uses a lot of CDNs to deliver content and the IP addresses can change all the time.

    The other option is to block all for the devices, and then profile each device to see what it talks to when it's not doing much or anything.  Through trial and error, you can discover which hosts it talks to and then specifically block those while allowing all other access such as Netflix.  Of course, this may block firmware updates for the devices, and any successfully-applied updates may change the phone-home hosts the device tries to talk to.



  • Forget about smart TVs' ability to play Netflix and such. They'll be outdated within a year or two anyway. No manufacturer is interested in supporting them longer than need be. They want to sell new ones. Watch TV via their tuners and use them as monitors for set-top boxes and devices like Apple TV, Fire TV, Roku, …

    Deny cameras all outbound access. Dump them if they fail to work without calling home - they will have more serious design flaws than that.

    Apps on your mobile can be tamed best when only allowing them http(s) and mail ports outbound. Block the rest and see what happens.
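    As an added example that is not part of anyone's post in this thread, the following Python script does the two things suggested above: it profiles what each device on the IoT VLAN tries to reach (KOM's "block all, then profile" approach) from pfSense filterlog output, and then flags any destination outside the http(s)/mail ports that jahonix proposes allowing. The log lines are constructed, and the interface name `igb1.20`, the IPv4 filterlog field order and the allowed-port set are assumptions.

    ```python
    import re
    from collections import defaultdict

    # Constructed sample lines in pfSense filterlog CSV format (not taken from
    # the thread). Assumed IPv4 field order after "filterlog[pid]: " is
    # rulenr,subrulenr,anchor,tracker,iface,reason,action,dir,ipver,tos,ecn,ttl,
    # id,offset,flags,protoid,proto,len,src,dst,srcport,dstport,...
    SAMPLE_LOG = """\
    Jan 10 02:00:01 fw filterlog[7412]: 12,,,1770000001,igb1.20,match,block,out,4,0x0,,64,101,0,DF,6,tcp,60,192.168.20.31,203.0.113.10,51000,443,0,S,1,,1460,,mss
    Jan 10 02:00:07 fw filterlog[7412]: 12,,,1770000001,igb1.20,match,block,out,4,0x0,,64,102,0,DF,6,tcp,60,192.168.20.31,198.51.100.77,51001,8000,0,S,1,,1460,,mss
    Jan 10 02:01:10 fw filterlog[7412]: 12,,,1770000001,igb1.20,match,block,out,4,0x0,,64,103,0,DF,17,udp,76,192.168.20.31,198.51.100.77,41000,9000,56
    Jan 10 02:05:00 fw filterlog[7412]: 12,,,1770000001,igb1.20,match,block,out,4,0x0,,64,104,0,DF,6,tcp,60,192.168.20.45,203.0.113.22,49152,443,0,S,1,,1460,,mss
    Jan 10 02:05:03 fw filterlog[7412]: 12,,,1770000001,igb1.20,match,block,out,4,0x0,,64,105,0,DF,6,tcp,60,192.168.20.45,203.0.113.22,49153,443,0,S,1,,1460,,mss
    Jan 10 02:06:00 fw filterlog[7412]: 5,,,1770000002,igb0,match,pass,in,4,0x0,,64,106,0,DF,6,tcp,60,192.168.10.5,203.0.113.99,50000,22,0,S,1,,1460,,mss
    """

    LINE_RE = re.compile(r"filterlog\[\d+\]: (.*)$")
    # Ports a "tamed" device may use outbound: http(s) plus mail submission/fetch.
    ALLOWED_PORTS = {80, 443, 25, 465, 587, 993, 995}

    def parse_filterlog(text, iface):
        """Yield (src, dst, proto, dstport) for outbound IPv4 TCP/UDP hits on iface."""
        for line in text.splitlines():
            m = LINE_RE.search(line)
            if not m:
                continue
            f = m.group(1).split(",")
            if len(f) < 22 or f[4] != iface or f[7] != "out" or f[8] != "4":
                continue
            if f[16] not in ("tcp", "udp"):
                continue  # ICMP and other protocols carry no port fields
            yield f[18], f[19], f[16], int(f[21])

    def profile_devices(text, iface):
        """Per device: hit count for each (dst, proto, dstport) it tried to reach."""
        profile = defaultdict(lambda: defaultdict(int))
        for src, dst, proto, port in parse_filterlog(text, iface):
            profile[src][(dst, proto, port)] += 1
        return {src: dict(d) for src, d in profile.items()}

    def flag_outside_policy(profile, allowed=ALLOWED_PORTS):
        """Destinations a device reached on ports outside the allowed set."""
        return {src: sorted(k for k in dests if k[2] not in allowed)
                for src, dests in profile.items()
                if any(k[2] not in allowed for k in dests)}

    if __name__ == "__main__":
        for src, dests in profile_devices(SAMPLE_LOG, "igb1.20").items():
            print(src, dests)
    ```

    On a real firewall, feed it the output of `clog /var/log/filter.log` (or the filter log exported from the GUI) while the IoT VLAN's default rule is block-and-log, and the flagged entries are the candidates for a specific block alias.
    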



  • @jahonix:

    Forget about smart TVs' ability to play Netflix and such. They'll be outdated within a year or two anyway. No manufacturer is interested in supporting them longer than need be. They want to sell new ones. Watch TV via their tuners and use them as monitors for set-top boxes and devices like Apple TV, Fire TV, Roku, …

    Deny cameras all outbound access. Dump them if they fail to work without calling home - they will have more serious design flaws than that.

    Apps on your mobile can be tamed best when only allowing them http(s) and mail ports outbound. Block the rest and see what happens.

    Chris - thanks for this great info.

    I have disconnected the TVs as advised.

    The cameras are more difficult. We have cloud-based cameras by Ring that upload/store all footage to cloud-based storage. These are on an independent VLAN.
    The Swann (Hikvision) security cameras have been disconnected from the network and are used as a local store/recorder now. We have done away with the remote access app (SwannView).

    Mobiles are the hardest to deal with, unfortunately, but maybe using mobile firewalls like NetGuard may do the trick.

    Finally, devices like Google Home, smart lightbulbs (who thinks of these things) and home automation will make this security issue all the more difficult.

    Thanks to all for their advice.
    Stu



  • @hahnice:

    Hi,
    This is my first post, but I would like to say what a fantastic product pfSense is.

    With regard to pfBlockerNG, I have read a lot of posts describing why you don't need to block the world and only allow certain countries, due to the fact that there is an explicit deny on the inbound WAN connection, excepting any configured open ports.

    My question revolves around IoT devices like security cameras and smart TVs that 'call home' on a regular basis. The other worry for me is apps downloaded from the Google Play Store that have the ability to open ports outbound to an unknown destination.

    Using pfSense I found a camera app on my phone that was calling home to mail.ru. This is a worry. Also, my Swann security cameras (Hikvision) regularly try to connect to China but are blocked by the country blocker.
    I understand that DNSBL stops large amounts of this traffic, so if I use DNSBL with regularly updated feeds, should I deselect these countries and let DNSBL stop the traffic?

    pfBlockerNG is a great tool if you want to block geographic areas from accessing a viable service, since the default WAN block rule wouldn't apply to a port forward. For example, if you have a Terminal or RDS server with a port forwarded for remote access, then the service is out there and available for people to connect to, and it needs to be secured. In this case you can throw RDPGuard on the server (an inexpensive and great product, btw) to protect it and lock out IPs with failed logon attempts, but it would be a better use of resources to just block the packets altogether at the firewall. That's what pfBlocker would do. Same thing with an FTP server or a web server. Once the rule is in place (unless you specify the source IP), pfBlocker becomes useful. If a needed IP is blocked it can always be whitelisted.