allow specific URI on firewall

zyghom:
hi there,

So I put all my IoT devices in a separate VLAN and of course I allowed them ... nothing ;-)
But there are exceptions which I would like to handle somehow.
Example: one of my IoT devices is sending data to wunderground.com - updating the weather station details.
Now, I am not sure how to build the rule to allow this communication to happen.
When I open the internet for this device - of course it works but that is not what I would like.
When I open only wunderground.com it does not work - as per the logs, this domain, although hardcoded in this IoT device (I know because it is me who wrote the program for it), calls different IPs - it seems like this domain is hosted by AWS.
So sometimes I see in the logfile:

    52.22.134.222 [ec2-52-22-134-222.compute-1.amazonaws.com]
another time another IP:

    54.159.105.134 [ec2-54-159-105-134.compute-1.amazonaws.com]
So how do I build the rule to allow this specific IoT device (I used its MAC as the source) to reach only a specific domain (wunderground.com) irrespective of its IP (in case the domain has different IPs)?

If I am not able to find out how to unblock the destination, the next rule hits: "block the internet for all IoT devices" and there are no updates on wunderground.com.

thx

meyergru:
There are two quite different ways of blocking or allowing traffic:

1. IP-based, which is what you can do via firewall rules. In this case, you could only make an exception for all sites wunderground uses, which seems to be Amazon Elastic Cloud. You can do this if there is a list of IPs, a netblock or a whole ASN for this. Be aware that by doing this, you essentially allow any service that uses EC2, not just wunderground. As it turns out, they use more shared services than just Amazon: https://www.netify.ai/resources/applications/weather-underground

2. Name-based URLs for HTTP(S) traffic, which is what you want here. However, in order to do this, you will have to intercept the traffic via a (transparent) proxy. Since your devices are IoT, they probably lack provisions to configure a proxy explicitly, so you have to set up a transparent proxy and allow the specific URLs there. Also, you probably cannot make the devices accept your transparent proxy's local CA if the traffic is encrypted.

But why bother? You already have all of your IoT devices on a separate VLAN. Let them phone home - they pose no security risk if they cannot access anything on your main LAN.
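As an added illustration of option 1 (Python written for this page, not code from the thread or from OPNsense): it parses log lines in the format zyghom posted, models a hostname-derived IP alias that only contains what the firewall resolved at refresh time, shows why the device still hit a blocked address, and computes how wide a single netblock covering both observed EC2 addresses would have to be. The DNS resolver and the third log line are constructed stand-ins.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Log-line shape as posted in the thread: "<dest-ip> [<reverse-dns-name>]"
LOG_LINE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+\[([^\]]+)\]\s*$")

# Constructed sample log: the two EC2 destinations quoted in the thread plus one unrelated hit
SAMPLE_LOG = """\
52.22.134.222 [ec2-52-22-134-222.compute-1.amazonaws.com]
54.159.105.134 [ec2-54-159-105-134.compute-1.amazonaws.com]
198.51.100.7 [unrelated.example]
"""

def parse_log(text):
    """Return (ip, rdns) pairs for every line matching the posted log format."""
    return [m.groups() for m in map(LOG_LINE.match, text.splitlines()) if m]

@dataclass
class HostAlias:
    """IP set derived from a hostname, the way a hostname-based firewall alias works:
    it holds what the firewall resolved at refresh time, not what the device later got."""
    hostname: str
    addrs: set = field(default_factory=set)

    def refresh(self, resolver):
        # resolver: callable hostname -> iterable of A records (injected so this runs offline)
        self.addrs = {ipaddress.ip_address(a) for a in resolver(self.hostname)}

    def allows(self, ip):
        return ipaddress.ip_address(ip) in self.addrs

def audit(alias, log_text):
    """Destinations the device reached that the alias would have blocked (stale or foreign)."""
    return [ip for ip, _ in parse_log(log_text) if not alias.allows(ip)]

def covering_netblock(ips):
    """Smallest single CIDR containing every IP: how wide an IP-based exception
    must be to cover a pool that rotates like this."""
    addrs = [ipaddress.ip_address(ip) for ip in ips]
    net = ipaddress.ip_network(ips[0])
    while not all(a in net for a in addrs):
        net = net.supernet()
    return net

def fake_resolver(hostname):
    # Constructed stand-in for DNS: the pool answered with a single address at refresh time.
    return {"wunderground.com": ["52.22.134.222"]}.get(hostname, [])
```

With the constructed resolver, audit() reports 54.159.105.134 as blocked even though the alias "allows wunderground.com", and the smallest block covering both logged EC2 addresses is 52.0.0.0/6, which is exactly the "you essentially allow any service that uses EC2" trade-off.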

zyghom:
THANK YOU!

I love the last sentence: "let them phone home" ;-)

Since I installed opnsense and blocked the IoT VLAN, I am ASTONISHED to see how many of them are calling home (for help or extra money) - mainly it is... calling Amazon - all kinds of IoT devices - not only Chinese (btw which one is not made in China? probably none).

The IoT device I am talking about is a self-made temperature/humidity sensor that, apart from updating my Home Assistant, also updates my weather station on wunderground.
Considering how much memory the device has, plus that it is supposed to sleep (so it must be as quick as possible), nothing more on the device is doable.

So I shall stay on unblocking entire traffic for this MAC address and... let it be ;-)
