Hello Victor, and list, some examples might help me … thanks
jrb

> On 4 Nov 2016, at 19:30, Victor McAllister <victo...@sonic.net> wrote:
>
> For now, I am just keeping the rule to DROP traffic from certain loc
> devices to the net. I added the word NFLOG(4) to the DROP line and
> shorewall compiles ok.
>
> Victor
>
> On 11/4/2016 1:28 AM, David M Brooke wrote:
>> For the new house I’m commissioning I face a similar challenge - various
>> automation devices which communicate using TCP/IP but which probably don’t
>> have the best security hardening and don’t get regular patch updates from
>> the manufacturers to fix security vulnerabilities. Some of these are doing
>> sensitive roles like managing access control and interfacing with the
>> intruder alarm system.
>>
>> In line with Dave’s advice I’ve set up multiple VLANs and mapped those to
>> separate Shorewall Zones with different sets of Policies and Rules at the
>> Zone level. I also have multiple WiFi SSIDs which each map to separate VLANs
>> so they can have different policies applied - so e.g. my own WiFi devices
>> use 802.1X authentication (against a RADIUS server) on one SSID and are
>> allowed to access the local wired networks whereas there’s a separate SSID
>> for Visitors, and that’s only allowed to access the Internet and not the
>> local wired networks.
>>
>> The main requirement is a VLAN-capable network switch. I currently use a
>> Unifi model from ubnt.com but companies like Netgear make small,
>> VLAN-capable switches which are relatively inexpensive. On Bering-uClibc you
>> set up a sub-NIC per VLAN (e.g. eth1.112) and map each sub-NIC to a
>> Shorewall Zone.
>>
>> A useful trick for devices which need NTP access and hard-code an FQDN for
>> that is to use the “address” entry in dnsmasq.conf to tell a white lie and
>> return a local NTP server address for that FQDN in place of a remote NTP
>> server address. For example:
>>
>> address=/time.euro.apple.com/192.168.112.1
>>
>> davidMbrooke
>>
>>> On 3 Nov 2016, at 19:07, Dillabough, Dave <dave.dillabo...@bcgeu.ca> wrote:
>>>
>>> I would add logging so that you would know if anything was amiss.
>>>
>>> To test you could temporarily install a PC at the blocked address and see
>>> what happens.
>>>
>>> For more complete control as IoT devices proliferate I would add a separate
>>> zone and set up a VLAN for home automation etc.
>>>
>>> -----Original Message-----
>>> From: Victor McAllister [mailto:victo...@sonic.net]
>>> Sent: Thursday, November 03, 2016 11:53 AM
>>> To: Bering List
>>> Subject: [leaf-user] prevent Iot from the net
>>>
>>> I have a couple of devices, such as a DVR, on the local net (loc) that I do
>>> not want to have access to the Internet. Remember the recent DDoS attacks
>>> that originated with IoT devices! I added this to shorewall rules.
>>>
>>> DROP loc:192.168.1.x,192.168.1.y net all
>>>
>>> They get their time from the local time server so they have no reason to
>>> access the net.
>>>
>>> I have not tested this, but at least shorewall compiles and runs. Any
>>> comments?
>>>
>>> Victor

------------------------------------------------------------------------
leaf-user mailing list: leaf-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/leaf-user
Support Request -- http://leaf-project.org/
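The following is an added, worked configuration for the setup the thread discusses (a separate Shorewall zone on a VLAN sub-NIC, default-deny for that zone with NFLOG logging, and the dnsmasq "address" trick), plus the single-device variant Victor posted. It is constructed for this page and is not code from any participant or from the Shorewall project: the zone names iot and guest, the VLAN IDs 112 and 113, the interface names, the 192.168.1.x/192.168.112.x addresses, the DVR port and the MAC addresses are all assumptions.

```text
# --- /etc/shorewall/zones (constructed example) ---
#ZONE   TYPE
fw      firewall
net     ipv4
loc     ipv4
iot     ipv4
guest   ipv4

# --- /etc/shorewall/interfaces ---
# eth1.112 and eth1.113 are VLAN sub-NICs on the same physical eth1 (IDs assumed).
#ZONE   INTERFACE   OPTIONS
net     eth0        dhcp,tcpflags,nosmurfs,routefilter
loc     eth1        tcpflags,nosmurfs
iot     eth1.112    dhcp,tcpflags,nosmurfs
guest   eth1.113    dhcp,tcpflags,nosmurfs

# --- /etc/shorewall/policy ---
# Default-deny for the IoT and guest zones. NFLOG(4) sends the dropped packets
# to netlink log group 4 (collected by ulogd) instead of syslog, as Victor did.
#SOURCE DEST    POLICY  LOGLEVEL
$FW     all     ACCEPT
loc     net     ACCEPT
loc     iot     REJECT  info
iot     all     DROP    NFLOG(4)
guest   net     ACCEPT
guest   all     DROP    NFLOG(4)
net     all     DROP    info
all     all     REJECT  info

# --- /etc/shorewall/rules ---
# Only what the devices need, and only to the firewall's own DNS/NTP services
# (DNS and NTP are standard Shorewall macros).
#ACTION         SOURCE      DEST                PROTO   DPORT
DNS(ACCEPT)     iot         $FW
NTP(ACCEPT)     iot         $FW
DNS(ACCEPT)     guest       $FW
# Let the LAN reach the DVR's web UI (DVR address and port assumed).
ACCEPT          loc         iot:192.168.112.20  tcp     80

# Without a separate VLAN (Victor's case): block the devices by IP, and also
# by MAC so a DHCP lease change does not quietly re-enable Internet access.
# Addresses are constructed; MACs are written as ~xx-xx-xx-xx-xx-xx.
DROP:NFLOG(4)   loc:192.168.1.50,192.168.1.51   net     all
DROP:NFLOG(4)   loc:~00-11-22-33-44-55          net     all
DROP:NFLOG(4)   loc:~00-11-22-33-44-56          net     all

# --- /etc/dnsmasq.conf ---
# Answer the hard-coded NTP hostname with the firewall's own address on the IoT
# VLAN (David's "white lie"). address= also matches every subdomain of the name.
address=/time.euro.apple.com/192.168.112.1
```

Run `shorewall check` before `shorewall restart` to catch syntax errors in these tables, then watch the hit counters with `iptables -nvL` while a test host in the blocked address (Dave's suggestion) tries to reach the Internet. The NFLOG group only produces anything if ulogd is configured to read group 4; the exact NFLOG parameter list is documented in the Shorewall logging documentation. Two caveats a practitioner should keep in mind: an IP-based DROP in loc is only as strong as the address staying stable, which is why the MAC lines and, better, the dedicated VLAN zone are there; and a device that hard-codes an NTP server IP rather than a name bypasses the dnsmasq trick entirely, but that attempt then shows up as a logged drop, which is exactly the "know if anything was amiss" signal the thread asks for.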