I've pushed v6.7.0

This version focuses on IOT security. Recently I acquired an Annke DW81KE CCTV System (support SNBForums and use their Amazon link) which gave me a great opportunity to test and implement IOT rules to prevent devices from calling home and not having to rely on the built-in remote access features. As it stands, the current implementation will prevent devices from accessing WAN with two exceptions:
1) Most IOT devices directly connect to NTP servers to set the clock, so NTP traffic is allowed.
2) Remote access via the router's OpenVPN server.
What this means is you can lock down any IOT device that you don't want accessing WAN, but still have the ability to access it via LAN devices or remotely via VPN. This should significantly enhance security of more... obscure devices such as DVR systems, cameras, printers and anything else IOT related without losing any functionality.
To configure your "IOT Blacklist" you can use the following commands (or the respective menu options):
Code:
( sh /jffs/scripts/firewall settings iot unban|ban 8.8.8.8 ) Unban|Ban Single IOT Device (or CIDR) From Accessing WAN
( sh /jffs/scripts/firewall settings iot unban|ban 8.8.8.8,9.9.9.9 ) Unban|Ban Multiple IOT Device(s) (or CIDR) (Use Comma As Separator)
( sh /jffs/scripts/firewall settings iot list ) List Currently Banned IOT Devices
Stats for blocked packets will also show up in the appropriate section.
I'd also like to give Annke a shout out as their support team was a pleasure to work with and I can happily report in the last week of monitoring my devices' traffic, there was not a single rogue packet. If you are in the market for an affordable CCTV system they have some great hardware.
Note: While this feature has been extensively tested, I only had a limited number of devices to test with (thanks @ItsJarrett for being a beta tester). I am sure there will be devices with other requirements (SMTP etc) and I will look at adding more features down the road based on user feedback.
I would also like to add VLAN support in the future but as it currently stands this is completely undocumented and uncharted territory on HND devices due to the lack of the robocfg utility. So if anyone makes some headway there, feel free to reach out to me.
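As an added illustration of the policy described in this post (example code, not Skynet's own implementation), the POSIX sh functions below generate the iptables rules for an IOT WAN blacklist with the two exceptions above: NTP is let through, and LAN or OpenVPN access keeps working because the block only applies to packets leaving on the WAN interface. The WAN interface name (eth0), the chain name IOTBlock and the device list are assumptions for the example.

```shell
#!/bin/sh
# Added example, not Skynet's code. Rules are printed, not applied, so the
# output can be reviewed before running it as root on the router.
WAN_IF="${WAN_IF:-eth0}"   # assumed WAN interface; PPPoE links use ppp0

# Basic syntax check for an IPv4 address or CIDR, so a typo in the device
# list cannot turn into an unintended rule.
valid_ip_or_cidr() {
    case "$1" in
        *[!0-9./]*|"") return 1 ;;
    esac
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# The IOTBlock chain: allow NTP (udp/123), drop everything else. Packet
# counters on the DROP rule are what a "blocked packets" stat would read.
# Traffic to LAN hosts or the OpenVPN tun interface never enters this chain
# because the FORWARD jump below matches only -o $WAN_IF.
iot_chain_rules() {
    cat <<EOF
iptables -N IOTBlock
iptables -A IOTBlock -p udp --dport 123 -j ACCEPT
iptables -A IOTBlock -j DROP
EOF
}

# One FORWARD jump per device from a comma-separated list (the post's
# "ban 8.8.8.8,9.9.9.9" syntax). Returns 1 if any entry is invalid.
iot_ban_rules() {
    list="$1"; rc=0
    IFS=','
    for dev in $list; do
        if valid_ip_or_cidr "$dev"; then
            echo "iptables -I FORWARD -s $dev -o $WAN_IF -j IOTBlock"
        else
            echo "skipping invalid entry: $dev" >&2; rc=1
        fi
    done
    unset IFS
    return $rc
}

# Constructed sample: one camera and a whole DVR subnet.
iot_chain_rules
iot_ban_rules '192.168.1.50,192.168.1.0/24'
```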