[kwlug-disc] Deny Internet access for some LAN devices

B.S. bs27975.2 at gmail.com
Fri Apr 14 14:04:41 EDT 2017


Looks to be 
https://play.google.com/store/apps/details?id=com.marichitas.upnp.discover

On 04/14/2017 02:05 AM, Bob Jonkman wrote:
> B.S. wrote:
>> In one case I had to find a UPnP discoverer app for my Android to
>> find a camera
>
> What Android app did you use?
>
> On 2017-04-13 04:57 PM, B. S. wrote:
>> Right, but that assumes his home router has that ability. (He did
>> note it at least has the basic ability to deny an ip, and has done
>> so.)
>>
>> The comment about turning off UPnP is prudent, mirroring my same on
>> the device itself. Which could in turn be mirrored by anything
>> else aggregating UPnP within the place. Seems that many devices
>> come by default exposing, and aggregating, UPnP by default.
>> Including Linux. Not all of which by default turn on a firewall or
>> iptables.
>>
>> In one case I had to find a UPnP discoverer app for my Android to
>> find a camera - upon running it I was startled to discover how many
>> other things were advertising. Unexpectedly, and inadvertently.
>>
>>> Right, but that assumes the home router has that ability.
>>
>> Thus my comment about making his Pi (the camera) gateway. It will
>> have such ability. Aside from specifically controlling forwarding
>> (e.g. via vpn, and internal devices then look for the cameras via
>> internal routes to the PI), simple iptables drops to 0.0.0.0 become
>> possible.
>>
>> OpenWRT et al would bring similar functionality to the table.
>>
>> It is arguable everyone should be running with pfSense et al in
>> front of everything, explicitly controlling their traffic. IoT
>> firmware bugs (e.g. cameras) have demonstrated one's internal
>> network probably isn't as opaque as one thinks.
>>
>> Doesn't protect against running a browser as root, though! Nor
>> anything else inviting stuff in that phone's home / attacks from
>> inside.
>>
>> Which likely examine the local machine's routes, probably leading
>> to camera discovery and access.
>>
>>
>> On 04/13/2017 04:11 PM, John Van Ostrand wrote:
>>> How about traffic shaping. Matching packets with tc and then
>>> filter. I've not done it but it seems it might work.
>>>
>>> http://www.docum.org/faq/cache/62.html
>>>
>>> On Wed, Apr 12, 2017 at 6:01 PM, B. S. <bs27975 at gmail.com>
>>> wrote:
>>>
>>>> Doesn't need to be a VLAN, which would require the router to
>>>> understand VLAN. Just static addresses (nets) on the camera,
>>>> and a secondary eth on points you care about / would access
>>>> with. e.g. On the PI, where the VPN address and internal net
>>>> can forward to that interface and vice versa, and forwards from
>>>> that net to 0.0.0.0 denied. Gateway on the cameras would be the
>>>> PI.
>>>>
>>>> For VLAN, the cameras, or the switch(es) they're connected to,
>>>> would have to be VLAN capable and probably aren't. The PI could
>>>> be made to be, but by itself that doesn't buy you anything that
>>>> isn't already present above.
>>>>
>>>> Have to be static on the cameras, else a physically separate
>>>> network or DHCP is going to cause network confusion. Or
>>>> specially crafted DHCP settings - which would only bring
>>>> complication for little gain.
>>>>
>>>> You'll want to turn off PnP, et al, on the cameras, and UPnP et
>>>> al inside the house, so nothing can inadvertently discover the
>>>> presence of the cameras.
>>>>
>>>>
>>>> On 04/12/2017 08:57 AM, Raymond Chen wrote:
>>>>
>>>>> I love the subnet idea. I'll check if it has the VLAN
>>>>> support. Thank you.
>>>>>
>>>>> @Paul, no it doesn't have parent control. :)
>>>>>
>>>>> On Tue, Apr 11, 2017 at 11:52 PM, Paul Nijjar via kwlug-disc
>>>>> <kwlug-disc at kwlug.org> wrote:
>>>>>
>>>>>
>>>>>> Are there parental control features on the router? You
>>>>>> could say that the cameras have an early bedtime and are
>>>>>> not allowed to access the Internet after those hours.
>>>>>>
>>>>>> On Tue, Apr 11, 2017 at 06:08:40PM -0400, Raymond Chen
>>>>>> wrote:
>>>>>>
>>>>>>> I have some cameras in my house. I'm trying to disable
>>>>>>> their access to Internet. Since I have a VPN service on
>>>>>>> my Raspberry Pi, if I want to connect to those cameras, I
>>>>>>> can connect to the VPN first.
>>>>>>>
>>>>>>> One way I can think of is setting their gateway IP
>>>>>>> address to empty. But
>>>>>>> if there is a malware on the camera, that doesn't help so
>>>>>>> much, right?
>>>>>>>
>>>>>>> I'm sure those DD-WRT routers can do that, just create a
>>>>>>> policy based on the MAC... But unfortunately my router is
>>>>>>> D-Link N600. It has some basic firewall, filter features,
>>>>>>> but most of them are protecting against outside access.
>>>>>>> Any idea?
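A concrete form of the Pi-as-gateway layout described in the thread (a second interface for the cameras, forwarding allowed from the house LAN and the VPN toward the cameras, nothing forwarded from the cameras out to 0.0.0.0/0), written as an added shell example that is not from the thread or from any of its posters. The interface names and subnets are assumptions chosen for the example; the ruleset is generated as iptables-restore input so it can be inspected and sanity-checked before it is loaded.

```sh
#!/bin/sh
# Addressing assumed for this example (not from the thread):
#   eth0 -> house LAN side of the Pi, behind the home router
#   eth1 -> dedicated camera network; cameras use the Pi's eth1 address as gateway
#   tun0 -> the Pi's VPN clients
LAN_IF=eth0; LAN_NET=192.168.1.0/24
CAM_IF=eth1; CAM_NET=10.10.0.0/24
VPN_IF=tun0; VPN_NET=10.8.0.0/24

# Emit an iptables-restore ruleset for the filter table.
build_rules() {
  cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:CAM_OUT - [0:0]
# Replies to connections the LAN or VPN side opened toward the cameras.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Internal hosts and VPN clients may open connections to the cameras.
-A FORWARD -i $LAN_IF -s $LAN_NET -o $CAM_IF -d $CAM_NET -j ACCEPT
-A FORWARD -i $VPN_IF -s $VPN_NET -o $CAM_IF -d $CAM_NET -j ACCEPT
# Everything the cameras originate is handled by CAM_OUT.
-A FORWARD -i $CAM_IF -s $CAM_NET -j CAM_OUT
# Cameras never initiate toward the LAN, the VPN, or the Internet (0.0.0.0/0).
# Log first (rate limited) so a camera that starts phoning home shows up in the kernel log.
-A CAM_OUT -m limit --limit 6/min -j LOG --log-prefix "CAM-BLOCKED: "
-A CAM_OUT -j DROP
COMMIT
EOF
}

# Sanity check before loading: FORWARD must default to DROP and no rule may
# ACCEPT traffic sourced from the camera net.
check_rules() {
  rules=$(build_rules)
  printf '%s\n' "$rules" | grep -q '^:FORWARD DROP' || return 1
  if printf '%s\n' "$rules" | grep -q -- "-s $CAM_NET .*-j ACCEPT"; then
    return 1
  fi
  return 0
}

# Load the ruleset (needs root and net.ipv4.ip_forward=1 on the Pi).
apply_rules() {
  check_rules || { echo "ruleset failed sanity check" >&2; return 1; }
  build_rules | iptables-restore
}
```

Run `apply_rules` as root after enabling IP forwarding; the LOG rule means any blocked attempt by a camera to reach the LAN, the VPN or the Internet is visible in the kernel log rather than silently dropped.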