Firewall connected media devices- defining aliases for each online service?



  • I was looking for some firewall suggestions for the privacy minded for a network with lots of consumer electronics. It seems like there is a never-ending series about smart TVs with spyware or security problems.
    https://blog.avast.com/2015/11/11/the-anatomy-of-an-iot-hack/
    I have a lot of typical CE products on this network including several smart TVs, PS3, Apple TV, Nexus Player, TiVo, thermostat, IP cameras, etc., which I was planning to separate out as a VLAN from the computer network and highly restrict outgoing traffic.

    A content provider has unavoidable knowledge, but I am bothered that device spyware or other parties are being informed. I really don't care about traffic from LAN to LAN (and there is a lot with DLNA, Bonjour, Spotify, Microsoft discovery services), so my first LAN-side rule was:
    Pass any type source=LAN net to destination=LAN net  (not quite sure what the difference is between LAN net and LAN address)
    My initial thought was to define a series of aliases that would be allowed for the streaming services I use, with all other traffic blocked.
    Youtube http://asn.blawk.net/15169
    Google  nslookup -q=TXT _netblocks.google.com 8.8.8
    Vudu
    Netflix http://asn.blawk.net/2906
    Amazon Video
    First I saw that a lot of these devices phone out for ads/UI updates, so there was a huge number of outgoing requests from an IP perspective.
    The first problem I noticed is that Amazon/Google have huge IP ranges, and I don't want to allow phoning out to everyone else operating on their clouds.
    Netflix was coming from a huge number of IP addresses not registered to Netflix, including AWS, Akamai, and my local ISP (assuming ISPs cache).
    The second problem is that many of these devices appear to phone home to establish that an internet connection is present. If I block all traffic outside of the desired services, the device won't even let me launch any connected apps.
    The LG TV determines connection status using 136.166.4.110. Checks for updates from 165.244.150.51 and firmware comes from 208.111.148.7 for me.
    Sony uses 173.230.198.99 and firmware updates from 43.8.140.42. So these devices require a certain number of allowed IP addresses, but I would still like to inspect what is being sent out (so perhaps the filter could be further restricted to just verify internet status).
    I started creating many aliases for streaming services and device status/firmware lists. I made the mistake of changing the alias type, so what I had entered as 66.102.0.0/20 was split into all individual IP addresses. This made me hit some size limitation where I couldn't add more aliases.
    Then it seems like streaming services using CDNs could change IP addresses all the time. Different IPs were showing up when streaming the same Netflix program to different devices. It seems important to define a CIDR mask /24 range for each IP address I see to minimize constant tweaking.
    Overall my plan seems like it must be the worst way to try. I come asking for your wisdom. Paranoids out there: How did you setup & maintain your firewall for internet connected media devices?

    My real pain point is the ability to dive further down into outgoing requests from System Logs -> Firewall. Exploring pfSense logs and then going to Wireshark to look at the actual payload was a really slow process for me. The pfSense view shows source and destination IP. I would like to be able to dive into the actual outgoing request directly from this firewall block log to see if the outgoing traffic looks like "give me an ad", my personal information, or if it looks related to the service I am trying to watch.
    My first attempt was to just log everything going out from the device's IP, power on the device, poke around in menus, play some stuff, take that consolidated IP access list, paste it into an allowed firewall alias, and block everything else. This firewall setup was fast enough but doesn't achieve the goal of blocking all spyware services, since they seem to fire off frequently enough that any 10 min of usage will include traffic unrelated to my usage.
    I see people using ELK to visualize logs, which looks quicker to scan, but I don't like the requirement of a remote server for logging. I would rather just put a big HDD in this pfSense box. Is anyone using a local log and visualization tool that allows looking all the way down to the payload of blocked outgoing requests (in the last 30 min)?
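As an added example (not code from the thread), the following script automates the triage the post describes by hand: read pfSense filter log lines for one device, count which destinations already fall inside an allowed alias, list the destinations that do not, and collapse the leftovers into /24 networks suitable for a network-type alias. The log lines are constructed, not real captures; their field layout is the pfSense 2.2+ IPv4 filterlog CSV as assumed here (action at index 6, protocol 16, source 18, destination 19, destination port 21), so check the positions against your own System Logs -> Firewall raw view. The alias contents are the addresses from the post plus one Netflix prefix that is assumed, as a placeholder for the ASN-derived list.

```python
"""Triage pfSense filterlog entries for one media device and propose an alias.

Added example for the thread above; not the poster's code. Assumptions are marked.
"""
import ipaddress
from collections import Counter

# Constructed sample syslog lines (not real captures). Field layout assumed to be
# the pfSense 2.2+ IPv4 filterlog CSV: 6=action, 8=ip version, 16=proto,
# 18=src, 19=dst, 21=dst port. TCP trailer fields are truncated to "..." for brevity.
SAMPLE_LOG = """\
Nov 13 19:02:11 pfSense filterlog: 5,,,1000000103,igb1,match,block,in,4,0x0,,64,1001,0,DF,6,tcp,60,192.168.20.10,136.166.4.110,49160,80,0,S,...
Nov 13 19:02:12 pfSense filterlog: 5,,,1000000103,igb1,match,block,in,4,0x0,,64,1002,0,DF,6,tcp,60,192.168.20.10,165.244.150.51,49161,443,0,S,...
Nov 13 19:02:15 pfSense filterlog: 90,,,1000000120,igb1,match,pass,in,4,0x0,,64,1003,0,DF,6,tcp,60,192.168.20.10,198.38.96.40,49162,443,0,S,...
Nov 13 19:02:20 pfSense filterlog: 5,,,1000000103,igb1,match,block,in,4,0x0,,64,1004,0,DF,17,udp,78,192.168.20.10,203.0.113.17,49163,443,58
Nov 13 19:02:21 pfSense filterlog: 5,,,1000000103,igb1,match,block,in,4,0x0,,64,1005,0,DF,6,tcp,60,192.168.20.10,203.0.113.40,49164,443,0,S,...
Nov 13 19:02:30 pfSense filterlog: 5,,,1000000103,igb1,match,block,in,4,0x0,,64,1006,0,DF,6,tcp,60,192.168.20.10,66.102.1.100,49165,443,0,S,...
Nov 13 19:02:31 pfSense filterlog: 5,,,1000000103,igb1,match,block,in,4,0x0,,64,1007,0,DF,6,tcp,60,192.168.20.10,198.51.100.9,49166,80,0,S,...
Nov 13 19:02:33 pfSense filterlog: 5,,,1000000103,igb1,match,block,in,4,0x0,,64,1008,0,DF,6,tcp,60,192.168.20.11,208.111.148.7,49167,80,0,S,...
Nov 13 19:02:35 pfSense dhcpd: DHCPACK on 192.168.20.10 to 00:11:22:33:44:55 via igb1
"""

# Alias contents: the LG/Sony/Google entries are the ones listed in the post.
# The Netflix prefix is an ASSUMED AS2906 prefix standing in for the real ASN list.
ALLOWED = {
    "LG_status": ["136.166.4.110/32", "165.244.150.51/32", "208.111.148.7/32"],
    "Sony_status": ["173.230.198.99/32", "43.8.140.42/32"],
    "Google": ["66.102.0.0/20"],
    "Netflix": ["198.38.96.0/19"],
}


def parse_filterlog(line):
    """Return a dict for an IPv4 filterlog line, or None for anything else."""
    marker = "filterlog: "
    idx = line.find(marker)
    if idx < 0:
        return None
    f = line[idx + len(marker):].split(",")
    if len(f) < 22 or f[8] != "4":  # need dst port present; IPv4 only here
        return None
    return {"action": f[6], "proto": f[16], "src": f[18], "dst": f[19], "dport": f[21]}


def build_alias_table(allowed):
    """Parse alias CIDR strings once into ip_network objects."""
    return {name: [ipaddress.ip_network(n) for n in nets] for name, nets in allowed.items()}


def match_alias(dst, table):
    """Name of the first alias containing dst, or None if no alias covers it."""
    addr = ipaddress.ip_address(dst)
    for name, nets in table.items():
        if any(addr in n for n in nets):
            return name
    return None


def triage(log_text, device_ip, allowed=ALLOWED):
    """Per-alias hit counts for one device, plus unknown (dst, proto, dport) tuples.

    Every destination in 'unknown' is something the device tried to reach that no
    alias explains: the list to inspect before deciding to allow or keep blocking.
    """
    table = build_alias_table(allowed)
    per_alias, unknown = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_filterlog(line)
        if rec is None or rec["src"] != device_ip:
            continue
        name = match_alias(rec["dst"], table)
        if name:
            per_alias[name] += 1
        else:
            unknown[(rec["dst"], rec["proto"], rec["dport"])] += 1
    return per_alias, unknown


def propose_alias(addresses, prefixlen=24):
    """Collapse observed host addresses into /prefixlen networks.

    A network-type alias with a few CIDRs survives CDN host rotation inside the
    block, and stays small enough to avoid the per-alias size limit.
    """
    nets = (ipaddress.ip_network(a).supernet(new_prefix=prefixlen) for a in addresses)
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def host_entries(cidr):
    """How many single-host entries a CIDR becomes if an alias is expanded to hosts."""
    return ipaddress.ip_network(cidr).num_addresses


if __name__ == "__main__":
    hits, unknown = triage(SAMPLE_LOG, "192.168.20.10")
    print("known:", dict(hits))
    for (dst, proto, dport), n in unknown.most_common():
        print(f"unknown: {dst} {proto}/{dport} x{n}")
    print("candidate alias:", propose_alias(d for d, _, _ in unknown))
    print("66.102.0.0/20 as host entries:", host_entries("66.102.0.0/20"))
```

Feed it the raw filter log (clog or a syslog export) for the VLAN interface and the device's address; the "unknown" lines are the ones to chase in a packet capture, and the candidate alias is what you would paste into a network-type alias rather than an expanded host list.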


  • LAYER 8 Netgate

    [quote author=greatjuan link=topic=102346.msg570936#msg570936 date=1447388757]
    I was looking for some firewall suggestions for the privacy minded for a network with lots of consumer electronics. It seems like there is a never-ending series about smart TVs with spyware or security problems.
    https://blog.avast.com/2015/11/11/the-anatomy-of-an-iot-hack/
    I have a lot of typical CE products on this network including several smart TVs, PS3, Apple TV, Nexus Player, TiVo, thermostat, IP cameras, etc., which I was planning to separate out as a VLAN from the computer network and highly restrict outgoing traffic.
    [/quote]

    Your main problem is that if you put all those devices on one subnet and your computers/tablets/phones on another, none of the broadcast/multicast-dependent traffic is going to work (auto-discovery, zeroconf, mDNS). Perhaps IGMP proxy can be leveraged to make multicast work across the subnets.

    [quote author=greatjuan]
    first LAN-side rule was: Pass any type source=LAN net to destination=LAN net  (not quite sure what the difference is between LAN net and LAN address)
    [/quote]

    If your LAN is configured as 192.168.1.1/24

    LAN net = 192.168.1.0/24
    LAN address = 192.168.1.1/32

    And you have a fundamental misunderstanding of IP networking.  Traffic amongst LAN hosts does not involve the firewall at all. It is same-subnet and does not get sent to the router/default gateway by the hosts themselves.

    https://doc.pfsense.org/index.php/Firewall_Rule_Basics

    https://doc.pfsense.org/index.php/Firewall_Rule_Processing_Order

    https://doc.pfsense.org/index.php/Firewall_Rule_Troubleshooting

