For now, I am just keeping the rule to DROP traffic from certain loc devices to the net. I added the word NFLOG(4) to the DROP line and shorewall compiles ok.
Victor

On 11/4/2016 1:28 AM, David M Brooke wrote:
> For the new house I’m commissioning I face a similar challenge - various
> automation devices which communicate using TCP/IP but which probably don’t
> have the best security hardening and don’t get regular patch updates from the
> manufacturers to fix security vulnerabilities. Some of these are doing
> sensitive roles like managing access control and interfacing with the
> intruder alarm system.
>
> In line with Dave’s advice I’ve set up multiple VLANs and mapped those to
> separate Shorewall Zones with different sets of Policies and Rules at the
> Zone level. I also have multiple WiFi SSIDs which each map to separate VLANs
> so they can have different policies applied - so e.g. my own WiFi devices use
> 802.1X authentication (against a RADIUS server) on one SSID and are allowed
> to access the local wired networks whereas there’s a separate SSID for
> Visitors, and that’s only allowed to access the Internet and not the local
> wired networks.
>
> The main requirement is a VLAN-capable network switch. I currently use a
> Unifi model from ubnt.com but companies like Netgear make small, VLAN-capable
> switches which are relatively inexpensive. On Bering-uClibc you set up a
> sub-NIC per VLAN (e.g. eth1.112) and map each sub-NIC to a Shorewall Zone.
>
> A useful trick for devices which need NTP access and hard-code an FQDN for
> that is to use the “address” entry in dnsmasq.conf to tell a white lie and
> return a local NTP server address for that FQDN in place of a remote NTP
> server address. For example:
> address=/time.euro.apple.com/192.168.112.1
>
> davidMbrooke
>
>> On 3 Nov 2016, at 19:07, Dillabough, Dave <dave.dillabo...@bcgeu.ca> wrote:
>>
>> I would add logging so that you would know if anything was amiss.
>>
>> To test you could temporarily install a PC at the blocked address and see
>> what happens.
>>
>> For more complete control as IoT devices proliferate I would add a separate
>> zone and set up a VLAN for home automation etc.
>>
>> -----Original Message-----
>> From: Victor McAllister [mailto:victo...@sonic.net]
>> Sent: Thursday, November 03, 2016 11:53 AM
>> To: Bering List
>> Subject: [leaf-user] prevent IoT from the net
>>
>> I have a couple devices, such as a DVR, on the local net (loc) that I do not
>> want to have access to the Internet. Remember the recent DDoS attacks that
>> originated with IoT devices! I added this to shorewall rules.
>>
>> DROP loc:192.168.1.x,192.168.1.y net all
>>
>> They get their time from the local time server so they have no reason to
>> access the net.
>>
>> I have not tested this, but at least shorewall compiles and runs. Any
>> comments.
>>
>> Victor

leaf-user mailing list: leaf-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/leaf-user
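The pieces discussed in this thread, the logged DROP for specific loc hosts, a separate zone per VLAN sub-NIC, and the dnsmasq NTP redirect, pulled together as an added configuration example that is not taken from any poster's setup; the interface names, VLAN IDs, host addresses and Shorewall 4.6+ file syntax are assumptions.

```conf
# /etc/shorewall/zones  -- one zone per VLAN, plus the firewall itself
#ZONE   TYPE
fw      firewall
net     ipv4
loc     ipv4        # trusted wired LAN
iot     ipv4        # home-automation VLAN (assumed VLAN ID 112)
guest   ipv4        # visitor WiFi VLAN (assumed VLAN ID 113)

# /etc/shorewall/interfaces  -- each VLAN sub-NIC maps to its own zone
?FORMAT 2
#ZONE   INTERFACE   OPTIONS
net     eth0        dhcp,tcpflags,nosmurfs,routefilter
loc     eth1        tcpflags
iot     eth1.112    tcpflags
guest   eth1.113    tcpflags

# /etc/shorewall/policy  -- first match wins; everything not listed is denied
# and logged to NFLOG group 4 so silent misbehaviour is still visible
#SOURCE DEST    POLICY  LOGLEVEL
$FW     all     ACCEPT
loc     $FW     ACCEPT
loc     net     ACCEPT
loc     iot     ACCEPT
guest   net     ACCEPT
iot     all     DROP    NFLOG(4)
guest   all     DROP    NFLOG(4)
net     all     DROP    NFLOG(4)
all     all     REJECT  NFLOG(4)

# /etc/shorewall/rules
?SECTION NEW
#ACTION         SOURCE                          DEST    PROTO   DPORT
# Victor's approach: named loc hosts (DVR etc.) may not reach the net; the
# NFLOG(4) suffix records every matching packet instead of dropping silently.
# Addresses are placeholders for the real device IPs.
DROP:NFLOG(4)   loc:192.168.1.10,192.168.1.11   net     all
# The IoT zone may only talk to the firewall's own dnsmasq (DNS) and NTP
# service; nothing else is accepted, so the policy DROP above applies.
DNS(ACCEPT)     iot                             $FW
NTP(ACCEPT)     iot                             $FW

# /etc/dnsmasq.conf  -- David's trick: answer a hard-coded vendor NTP FQDN
# with the firewall's address on the IoT VLAN (assumed 192.168.112.1)
address=/time.euro.apple.com/192.168.112.1
```

NFLOG only hands packets to a netlink group; without a userspace listener such as ulogd bound to group 4 the traffic is still dropped but nothing is written anywhere, so check the listener is running before trusting the logs.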