Update rc.local #62
base: testing
Suggestion to add more restrictive firewall rules to prevent the bot from talking to anywhere else in the world but the local network. The only exception are the telegram servers to enable the fork's telegram bot.
I use the web interface forwarded through my router on another port. So I would have to build up a VPN instead to access my robot.
Hmm, I think there are a number of issues here.
I would strongly recommend adding the restrictive iptables rules as we are in 2020 now and people should get the high security/privacy rules by default. They could open the thing on their own by simply commenting out the drop line. At least the config lines should be included, but commented out in the config. Most people have no clue about iptables nor will know how to let telegram get through after shutting down everything else.
What about 10.0.0.0/8 and 172.16.0.0/12?
Added all private network ranges to the allowed list.
Correct, thanks. Added those ranges to the iptables configuration, they are allowed now as well.
Added an INPUT block to connections from the world with exception to local networks (and telegram). (Actually I think the INPUT chain should be flushed in the beginning as well, but as I am not completely sure what is going on I did not add this line here.)
What about the Update Check of Valetudo RE in settings? I think with the actual iptables rules this won't be possible anymore.
External NTP servers might also not work w/ this.
Right, I did not know that there is an update check.
What's the curl for this?
Right. Which servers are used by the system?
The update check accesses The default ntp setting afaik is
I don't know if an external NTP server is necessary?!
Not necessary, but the default config. And an internal ntp server can't become the default, because we don't even know the ip range of the users local network.
Benign change
This will break Telegram in a very subtle way as soon as any political pressure or something else forces them to use other today unknown IP ranges. I would not do this.
For really paranoid firewalling I suggest to use "iptables -A FORWARD -m mac --mac-source $mac -j REJECT" or similar on the gateway of your home to block anything from the robot's mac address to leave your network. You should use a local NTP server then, like ntpd or (better) chrony.
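The two approaches debated in this thread, written out as an added example that is not the PR's rc.local or any project code: an on-robot allow-list for all three RFC1918 ranges plus an operator-supplied Telegram list (left empty because no ranges are given here, and the review comment notes they can change), which drops external NTP and the Valetudo RE update check exactly as the thread warns, and the gateway-side MAC rule from the review comment. It assumes the robot's kernel has the iptables `state` match module; the script prints the rules as a dry run unless `APPLY=1` is set.

```shell
#!/bin/sh
# Added example, not the PR's rc.local: emits the iptables commands as text so
# they can be reviewed (dry run) before being applied on the robot as root.

# All RFC1918 ranges, as agreed in the thread.
PRIVATE_NETS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"
# Telegram ranges are deliberately not hard-coded: the thread lists none and
# the review comment warns they may change. Set TELEGRAM_NETS yourself.
TELEGRAM_NETS="${TELEGRAM_NETS:-}"

build_rules() {
    # Clean slate in both directions (the thread suggests flushing INPUT too).
    echo "iptables -F INPUT"
    echo "iptables -F OUTPUT"
    # Loopback, plus replies to connections that were already allowed.
    # Assumption: the robot kernel provides the 'state' match module.
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A OUTPUT -o lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Local networks (web interface, a local NTP server) and Telegram, both ways.
    for net in $PRIVATE_NETS $TELEGRAM_NETS; do
        echo "iptables -A INPUT -s $net -j ACCEPT"
        echo "iptables -A OUTPUT -d $net -j ACCEPT"
    done
    # Everything else is dropped: cloud, external NTP and the Valetudo RE
    # update check stop working unless their hosts are added to the list above.
    echo "iptables -P INPUT DROP"
    echo "iptables -P OUTPUT DROP"
}

# Reviewer's alternative: block the robot at the home gateway by MAC address,
# so the robot itself needs no rules; a local NTP server is then required.
gateway_rule() {
    echo "iptables -A FORWARD -m mac --mac-source $1 -j REJECT"
}

if [ "${APPLY:-0}" = "1" ]; then
    build_rules | sh -e                  # apply for real (root on the robot)
else
    build_rules                          # dry run: just print the rules
    gateway_rule "00:11:22:33:44:55"     # constructed sample MAC address
fi
```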