Update rc.local
Suggestion to add more restrictive firewall rules to prevent the bot from talking to anywhere else in the world but the local network. The only exception is the Telegram servers, to enable the fork's Telegram bot.
I use the web interface forwarded through my router on another port. So I would have to build up a VPN instead to access my robot. Not an option for me. Maybe this can be made selectable, so you can decide if it is accepting the requests from other locations or not. Otherwise this is no choice for people who want to control the robot from outside via their smartphones or other devices.
Hmm, I think there are a number of issues here.
- a second network connected to your home LAN will be a local network as well, won't it? So 127.0.0.0/8 or 192.168.0.0/16 should allow that as well. All local LANs should be in these ranges.
- if you are connecting from the outside from a static IP, then you should add an allowance line to the iptables config. You would definitely be an exception and not the general case.
- if you are connecting to the vacuum/your home LAN from the outside, then you are exposing at least the vacuum to the world. Actually that would mean that you could definitely use the original stock image as well. In this case you should definitely consider using a VPN.
- Using the telegram bot you could control the bot from the outside, even if anything else is closed. Quite secure and high privacy, as no undetected part of the firmware is doing anything to the net.
I would strongly recommend adding the restrictive iptables rules, as we are in 2020 now and people should get the high security/privacy rules by default. They could open the thing on their own by simply commenting out the drop line.
At least the config lines should be included, but commented out in the config. Most people have no clue about iptables, nor will they know how to let Telegram get through after shutting down everything else.
> a second network connected to your home LAN will be a local network as well, won't it? So 127.0.0.0/8 or 192.168.0.0/16 should allow that as well. All local LANs should be in these ranges.
What about 10.0.0.0/8 and 172.16.0.0/12 ?
Correct, thanks. Added those ranges to the iptables configuration, they are allowed now as well.
What about the Update Check of Valetudo RE in settings? I think with the actual iptables rules this won't be possible anymore.
External NTP servers might also not work w/ this.
Right, I did not know that there is an update check. What's the curl for this?
pidator wrote on Tue, 14 Jan 2020 at 06:20:
> What about the Update Check of Valetudo RE in settings? I think with the actual iptables rules this won't be possible anymore.
Right. Which servers are used by the system?
Matthias Aßhauer wrote on Tue, 14 Jan 2020 at 06:26:
> External NTP servers might also not work w/ this.
The update check accesses
https://api.github.com/repos/rand256/valetudo/releases, so probably a bunch of Github IPs and a bunch of AWS IPs.
The default ntp setting afaik is pool.ntp.org
> External NTP servers might also not work w/ this.
I don't know if an external NTP server is necessary?! In my opinion I would use an internal NTP server for all of my home devices. So there's only one device (router) connected to an external NTP, all internal devices get the time from my router, and so I have the same time on all my devices. So this would match @wlbr's view of creating stricter rules to keep the robot "inside".
> I don't know if an external NTP server is necessary?!
Not necessary, but the default config. And an internal NTP server can't become the default, because we don't even know the IP range of the user's local network.
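The egress allow-list the thread converges on, written out as an added example (this is not the PR's own rc.local and not code from the Valetudo RE project): loopback and all RFC1918 LAN ranges are allowed, as are DNS, NTP (pool.ntp.org is the default), the Telegram bot API and the GitHub API used by the update check; a final DROP line, which users who want the device open can comment out, catches everything else. The Telegram host name `api.telegram.org`, the `EXTRA_ALLOW` variable for the static-external-IP exception, and the function names are assumptions made for this example; the GitHub and NTP hosts come from the discussion above. iptables resolves host names when a rule is inserted, so the rules have to be rebuilt if those addresses change.

```shell
#!/bin/sh
# Added example: egress allow-list for the vacuum, not the project's rc.local.
# Assumes iptables with the conntrack match is available on the device.

IPT="${IPT:-iptables}"                            # set IPT="echo iptables" for a dry run
TELEGRAM_API="${TELEGRAM_API:-api.telegram.org}"  # Telegram bot API host (assumed)
GITHUB_API="${GITHUB_API:-api.github.com}"        # update check host (from the thread)
EXTRA_ALLOW="${EXTRA_ALLOW:-}"                    # optional static external IP for the
                                                  # "remote access" exception, e.g. 203.0.113.7

# Emit the rules as shell commands, one per line, so they can be reviewed,
# tested, or piped into sh. Order matters: allow rules first, DROP last.
build_egress_rules() {
    echo "$IPT -F OUTPUT"
    echo "$IPT -A OUTPUT -o lo -j ACCEPT"
    # Replies to connections that were already allowed (e.g. the web UI answering a LAN client)
    echo "$IPT -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Loopback plus every RFC1918 range, so any home LAN numbering is covered
    for net in 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        echo "$IPT -A OUTPUT -d $net -j ACCEPT"
    done
    # The exception case from the thread: one known static address outside the LAN
    if [ -n "$EXTRA_ALLOW" ]; then
        echo "$IPT -A OUTPUT -d $EXTRA_ALLOW -j ACCEPT"
    fi
    echo "$IPT -A OUTPUT -p udp --dport 53 -j ACCEPT"    # DNS, needed to resolve the hosts below
    echo "$IPT -A OUTPUT -p udp --dport 123 -j ACCEPT"   # NTP (pool.ntp.org by default)
    echo "$IPT -A OUTPUT -p tcp -d $TELEGRAM_API --dport 443 -j ACCEPT"  # Telegram bot
    echo "$IPT -A OUTPUT -p tcp -d $GITHUB_API --dport 443 -j ACCEPT"    # update check
    echo "$IPT -A OUTPUT -j DROP"   # comment this line out to let the device talk to anywhere
}

# Apply the generated rules to the running kernel (needs root).
apply_egress_rules() {
    build_egress_rules | sh
}
```

Run `IPT="echo iptables" sh -c '. ./egress.sh; apply_egress_rules'` to see the exact commands without touching the firewall, then call `apply_egress_rules` from rc.local once the output looks right. Because the two host names are resolved at insertion time, re-running `apply_egress_rules` periodically (it flushes OUTPUT first) keeps the Telegram and GitHub exceptions current if their addresses move.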