Blocking a single device from the Internet - take 2

by taylorkh, from LinuxQuestions.org (#4WRW0)
I hate when an Internet search for an answer brings me to a post I made asking the same question :( I bashed this topic around almost 2 years back without a real resolution.

My trusty old laser printer died Monday and I have a new one due tomorrow. The Amazon listing (I did NOT purchase it there) talked of a "Dash Replenishment" feature where the printer would automatically order toner when it was low or something like that. This makes me think the printer may "phone home" which I consider unacceptable from a security standpoint. I am therefore again looking into blocking a single IP address on my LAN (the printer) from accessing the Internet.

I have a Raspberry Pi running Ubuntu Mate 18.04 set up as a gateway, router, firewall, DHCP and VPN sharing box for my LAN. I removed ufw and gufw and replaced them with firewalld and firewall-config which I am familiar with in CentOS. I set up a test environment identical to my LAN to work on the problem. It looks like this:

t26 - a Pi with the OS cloned from production
- NIC 1 is connected to my DSL modem, gets its IP from the modem
- NIC 2 is connected to my LAN (2 pcs in this case) and is "Shared to other computers" using the GUI network setup tool
Firewall: default zone is "drop"
- NIC 1 is in default zone
- tun0 (the VPN when running) is also in default
- NIC 2 is in the "internal" zone which allows only ssh
- the connection on NIC 2 has the address 10.42.0.1
- NIC 2 connects to a dumb hub

t13 - a laptop running Ubuntu Mate 18.04
the NIC connects to the hub and gets its IP address from the Pi which also acts as its gateway

t15 - a desktop running Linux Mint 19.2
the NIC connects to the hub and gets its IP address from the Pi which also acts as its gateway

t13 and t15 can both access the Internet and can ssh to one another and to t26. This is how my LAN is setup except with several more devices.

I created this rich rule in the firewall on the Pi:

    firewall-cmd --add-rich-rule='rule family="ipv4" source address="10.42.0.13" reject' --zone internal

The source address represents t13. Yes, I realize this is in the runtime and not permanent. That will come later if it works.

With the rule in effect I find:

t13 can still access the Internet
t15 can still access the Internet
t13 can ssh to t15 and vice versa
t13 can NOT ssh t26

Apparently the rule is "protecting" t26 from t13. It is allowing traffic from t13 to pass through to the Internet or to other computers on the LAN. Obviously this is not the desired result.

In my previous fight with this problem I used the expedient of assigning a static IP address to the device I wished to block and left the gateway blank. I am not sure if I can do that on the printer. The manual is not very detailed in the network area and I need to get my hands on it and explore the web interface. Still, I would like to know how to accomplish this with the firewall.

TIA,

Ken
Source: LinuxQuestions.org feed, https://feeds.feedburner.com/linuxquestions/latest (https://www.linuxquestions.org/questions/)
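An added example, not part of the post above and not taylorkh's own setup. With firewalld's iptables backend (what Ubuntu 18.04 ships), a zone rich rule is placed in the zone's IN_internal chains, which hang off INPUT, so it only filters packets addressed to the Pi itself; that matches the symptom in the post, where t13 loses ssh to the Pi and nothing else. Packets the Pi routes for the LAN traverse the FORWARD chain instead. NetworkManager's "Shared to other computers" mode (the source of the 10.42.0.x addresses) inserts its own ACCEPT rules at the top of FORWARD, ahead of the FORWARD_direct chain that a plain firewall-cmd --direct --add-rule on FORWARD feeds, so a block has to land above those rules. The script below prints the commands that do that with a direct passthrough, and includes a small checker that reads iptables -S FORWARD output and reports what the first matching terminal rule does to a new connection from a given LAN address. The interface name eth1 is a hypothetical stand-in for NIC 2, and both listings are constructed samples, not captured from a real box; run the check against the live listing on the Pi, since NetworkManager and firewalld both write to the built-in FORWARD chain and their relative order is only known from that output.

```sh
#!/bin/sh
# Added example, not from the original post. Assumes firewalld with its
# iptables backend and that NIC 2 is named eth1 (hypothetical); the sample
# FORWARD listings below are constructed, not captured from a real system.

LAN_IF="eth1"   # NIC 2, the LAN side (assumed name)

# Commands that install the block and then show the live FORWARD chain.
# --add-passthrough hands the arguments to iptables untouched, and
# "-I FORWARD 1" puts the rule at the very top of the built-in chain, ahead
# of the ACCEPT rules that NetworkManager's connection sharing inserts.
block_cmds() {
    ip="$1"
    printf '%s\n' \
      "firewall-cmd --permanent --direct --add-passthrough ipv4 -I FORWARD 1 -s ${ip} -j REJECT" \
      "firewall-cmd --reload" \
      "iptables -S FORWARD"
}

# Read `iptables -S FORWARD` on stdin and report what the first matching
# terminal rule does to a NEW connection from $1 heading out to the Internet:
# "blocked", "allowed", or "undecided" (no terminal rule in FORWARD itself
# matched; the verdict then lies in a user chain such as FORWARD_direct).
forward_verdict() {
    awk -v ip="$1" -v lan="$LAN_IF" '
        BEGIN { split(ip, o, "."); net = o[1] "." o[2] "." o[3] ".0/24" }
        /^-A FORWARD / {
            src = ""; inif = ""; outif = ""; tgt = ""; stateful = 0
            for (i = 1; i <= NF; i++) {
                if ($i == "-s") src = $(i + 1)
                else if ($i == "-i") inif = $(i + 1)
                else if ($i == "-o") outif = $(i + 1)
                else if ($i == "-j") tgt = $(i + 1)
                else if ($i == "--ctstate" || $i == "--state") stateful = 1
            }
            if (stateful) next                       # only matches existing flows
            if (inif != "" && inif != lan) next      # did not arrive from the LAN
            if (outif == lan) next                   # LAN-to-LAN, not Internet-bound
            if (src != "" && src != ip && src != ip "/32" && src != net) next
            if (tgt == "REJECT" || tgt == "DROP") { verdict = "blocked"; exit }
            if (tgt == "ACCEPT") { verdict = "allowed"; exit }
        }
        END { print (verdict == "" ? "undecided" : verdict) }'
}

# Constructed listing, patterned on the rules NetworkManager sharing and
# firewalld install in FORWARD (the zone rich rule from the post is absent
# here because it never reaches this chain).
SAMPLE_BEFORE=$(cat <<'EOF'
-A FORWARD -d 10.42.0.0/24 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.42.0.0/24 -i eth1 -j ACCEPT
-A FORWARD -i eth1 -o eth1 -j ACCEPT
-A FORWARD -o eth1 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i eth1 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -j FORWARD_direct
-A FORWARD -j FORWARD_IN_ZONES
-A FORWARD -j FORWARD_OUT_ZONES
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
EOF
)

# The same listing after the passthrough rule above has been applied.
SAMPLE_AFTER="-A FORWARD -s 10.42.0.13/32 -j REJECT --reject-with icmp-port-unreachable
$SAMPLE_BEFORE"

block_cmds 10.42.0.13
printf '%s\n' "$SAMPLE_BEFORE" | forward_verdict 10.42.0.13   # allowed
printf '%s\n' "$SAMPLE_AFTER"  | forward_verdict 10.42.0.13   # blocked
printf '%s\n' "$SAMPLE_AFTER"  | forward_verdict 10.42.0.15   # allowed (t15 untouched)
```

The checker deliberately ignores state-matching rules (they only apply to flows that already exist) and rules bound to the LAN interface on the output side (LAN-to-LAN traffic, which on a dumb hub never reaches the Pi anyway), so what it evaluates is the first connection the printer would open towards the Internet. If it answers "undecided" on the real Pi, the decision is being made inside a firewalld user chain, and iptables -S FORWARD_direct is the next thing to read.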