    Rules based on real world events

    General pfSense Questions
    • S
      seqteq last edited by

      Re: API for automation

      I was thinking of a way to tell pfSense that I'm home and enable a rule blocking outgoing traffic from my Nest Cameras. Sure they go off when I'm home, but I'd like to block them at the firewall based on whether my phone is on the home network or not. Is this possible?

      • A
        akuma1x last edited by akuma1x

        I'm pretty sure there are no "If, then..." modes for pfSense firewall rules.

        Best I can think of for your situation is to open the rules tab and "activate" or "disable" the rules based on when you are home. That might get tedious after a while, however. And, since they are cameras, if you forgot to reactivate when you left the home network, you wouldn't get any outside access to your camera system. That would probably be bad, I'm guessing.

        It's a long shot, but you could put the block/allow rule on a schedule, if you're pretty regular for when you're home, or not home.

        Jeff

        • S
          seqteq last edited by seqteq

          Yeah, that's basically what I have done. I can VPN from my phone to my home network and log on to pfSense.

          Next best thing for me would be a widget on the dashboard to turn a rule on or off. Doesn't seem to be one.

          Clearing the states table is necessary as well.

          • Grimson
            Grimson Banned @seqteq last edited by

            @seqteq said in Rules based on real world events:

            Next best thing for me would be a widget on the dashboard to turn a rule on or off. Doesn't seem to be one.

            Create your own then: https://docs.netgate.com/pfsense/en/latest/development/creating-widgets.html

            • S
              seqteq @Grimson last edited by

              @grimson Thanks, I'll do my best!

              • stephenw10
                stephenw10 Netgate Administrator last edited by

                Thinking outside the box here....
                You could enable your phone as a gateway in pfSense. It would need to have a static DHCP lease etc.
                Then add rules to policy route the camera traffic to that gateway IP.

                By default the rule will omit the gateway if it's down, when you're not at home. When you are at home any outbound traffic matched will be routed to your phone and hence go nowhere. I'm not certain though if it would reload the ruleset when your 'gateway' became available.

                You could also add drop outbound rules so any traffic never actually gets sent to your phone.

                Steve

                • johnpoz
                  johnpoz LAYER 8 Global Moderator last edited by

                  That is for sure out of the box thinking @stephenw10. But what if his phone doesn't get on the home wifi for some reason when home? Maybe he turned off his wifi on his phone to save battery?

                  If you're concerned with sending video to the cloud - if you could be in it.. Wouldn't it be better to just not ever send video to the cloud? And just access your video streams via VPN into your network, etc.

                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                  If you get confused: Listen to the Music Play
                  Please don't Chat/PM me for help, unless mod related
                  SG-4860 23.01 | Lab VMs CE 2.6, 2.7

                  • stephenw10
                    stephenw10 Netgate Administrator last edited by stephenw10

                    Yeah, it would require the phone to become visible on the network. Or something else to detect the phone and make itself visible. But if you have that you could do something with a script that worked cleaner.

                    • johnpoz
                      johnpoz LAYER 8 Global Moderator last edited by

                      You could prob get something working with IFTTT for your phone... It's pretty freaking powerful.. Use it for GPS fencing alerts on my phone, etc. etc.

                      • S
                        seqteq last edited by

                        @stephenw10 I like that phone as gateway idea, I will try that this week.

                        About scripting it: how would I script this though? Is there documentation on scripting events in pfSense, then tie that JavaScript or PHP to a widget include?

                        • Grimson
                          Grimson Banned @seqteq last edited by

                          @seqteq

                          All the documentation is here: https://docs.netgate.com/pfsense/en/latest/ ; for more you need to go through the pfSense sources: https://github.com/pfsense/pfSense

                          • stephenw10
                            stephenw10 Netgate Administrator last edited by

                            I imagine you would script it via something else. So maybe a RasPi running something that the phone geolocator can push updates to. That then runs a script to ssh into pfSense and enable/disable a firewall rule.
                            Not something I've ever tried myself.

                            Steve
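
The external-script approach from the last post, as an added example (not code from the thread or from pfSense): a debounced presence check that tolerates the phone briefly dropping off Wi-Fi, and emits the rule toggle together with the state clearing mentioned earlier in the thread. The SSH target, the remote helper script `camera_block.sh` and both thresholds are assumptions; probe results can come from a ping of the phone or a geofence push.

```python
import subprocess
from dataclasses import dataclass

AWAY_AFTER_MISSES = 5  # assumed: consecutive failed probes before "away"
HOME_AFTER_HITS = 2    # assumed: consecutive good probes before "home"

# Hypothetical helper installed on the firewall; the thread names no command.
REMOTE = ["ssh", "automation@pfsense.example", "/root/camera_block.sh"]
COMMANDS = {
    "enable_block": REMOTE + ["enable"],
    "clear_camera_states": REMOTE + ["clear-states"],
    "disable_block": REMOTE + ["disable"],
}

@dataclass
class PresenceGate:
    home: bool = False  # start "away" so cameras keep reaching the cloud by default
    hits: int = 0
    misses: int = 0

    def observe(self, phone_seen: bool) -> list:
        """Feed one probe result; return the firewall actions it triggers."""
        if phone_seen:
            self.hits, self.misses = self.hits + 1, 0
        else:
            self.hits, self.misses = 0, self.misses + 1
        if not self.home and self.hits >= HOME_AFTER_HITS:
            self.home = True
            # A new block rule does not stop flows that already hold a state,
            # so the cameras' existing states must be cleared as well.
            return ["enable_block", "clear_camera_states"]
        if self.home and self.misses >= AWAY_AFTER_MISSES:
            self.home = False
            return ["disable_block"]
        return []

def replay(probes):
    """Run a sequence of probe results and collect (index, action) pairs."""
    gate, out = PresenceGate(), []
    for i, seen in enumerate(probes):
        out += [(i, a) for a in gate.observe(seen)]
    return out

def apply(actions, run=subprocess.run):
    """Execute actions over SSH; check=True raises if the firewall call fails."""
    for action in actions:
        run(COMMANDS[action], check=True, timeout=15)

if __name__ == "__main__":
    # Constructed probe history: arrive, phone sleeps briefly, then leave.
    print(replay([False, True, True, False, False, True] + [False] * 5))
```

The asymmetric thresholds make the gate slow to decide the phone has left and quick to notice it arriving, so a sleeping phone does not flap the rule.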