
Author Topic: Block cameras from everything but email  (Read 460 times)


Offline xman111

  • Full Member
  • ***
  • Posts: 208
  • Karma: +1/-0
Block cameras from everything but email
« on: February 08, 2018, 10:55:42 am »
Hey guys, trying to get my Hikvision cameras to send email notifications.  I was trying to figure out why it wasn't working, then I remembered I blocked all access to the internet for them so they don't get hijacked or hacked.  Is there any way to just let them send out emails but block everything else?  I have a block all rule in the firewall settings.

Offline KOM

  • Hero Member
  • *****
  • Posts: 5609
  • Karma: +688/-23
Re: Block cameras from everything but email
« Reply #1 on: February 08, 2018, 11:29:38 am »
Everything is done either by port or by src/dst address.  Use your block log to figure out how & where it's trying to talk to send emails, and then craft rules to specifically allow that traffic.
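The approach KOM describes, reading the firewall's block log to learn which destinations and ports the cameras actually try, can be automated. The script below is an example added to this thread, not code from pfSense or from any poster. It assumes pfSense's CSV `filterlog:` line layout (the common header, then the IPv4 block, then the TCP/UDP port fields), a camera subnet of 192.168.20.0/24, and the log lines, interface name, tracker ids and addresses are all constructed for the example. Each summary line corresponds to one candidate pass rule; which of them deserves one (the SMTP submission attempts, as opposed to the NTP or HTTPS attempts) remains a decision for the person writing the rules.

```python
"""Summarize what hosts on a camera VLAN tried to reach, from pfSense filter log lines.

Example code added to this thread; it is not from pfSense or from any poster.
Assumptions: pfSense's CSV "filterlog:" layout (common header, then the IPv4
block, then the TCP/UDP ports) and a camera subnet of 192.168.20.0/24. The log
lines, addresses, interface name and tracker ids below are constructed.
"""
import ipaddress
from collections import Counter

# Constructed sample. One camera (.50) retries SMTP submission and also tries
# NTP; a second camera (.51) tries HTTPS. A passed DNS query and a block from a
# host outside the camera subnet are included to show they are filtered out.
SAMPLE_LOG = """\
Feb  8 10:50:01 pfSense filterlog: 5,,,1000000103,igb1,match,block,in,4,0x0,,64,23101,0,DF,6,tcp,60,192.168.20.50,198.51.100.25,49922,587,0,S,1234567890,,29200,,mss
Feb  8 10:50:03 pfSense filterlog: 5,,,1000000103,igb1,match,block,in,4,0x0,,64,23102,0,DF,6,tcp,60,192.168.20.50,198.51.100.25,49923,587,0,S,1234567891,,29200,,mss
Feb  8 10:50:05 pfSense filterlog: 5,,,1000000103,igb1,match,block,in,4,0x0,,64,23103,0,none,17,udp,76,192.168.20.50,203.0.113.7,38211,123,56
Feb  8 10:50:09 pfSense filterlog: 5,,,1000000103,igb1,match,block,in,4,0x0,,64,23104,0,DF,6,tcp,60,192.168.20.51,203.0.113.44,41000,443,0,S,1234567892,,29200,,mss
Feb  8 10:50:10 pfSense filterlog: 7,,,1000000105,igb1,match,pass,in,4,0x0,,64,23105,0,DF,6,tcp,60,192.168.20.50,192.168.20.1,41001,53,0,S,1234567893,,29200,,mss
Feb  8 10:50:12 pfSense filterlog: 5,,,1000000103,igb0,match,block,in,4,0x0,,64,23106,0,DF,6,tcp,60,192.168.10.20,192.0.2.80,50000,80,0,S,1234567894,,29200,,mss
"""


def parse_filterlog(line):
    """Parse one syslog line; return a dict for IPv4 TCP/UDP records, else None."""
    if "filterlog: " not in line:
        return None
    f = line.split("filterlog: ", 1)[1].strip().split(",")
    # f[0..8]: rule-number, sub-rule, anchor, tracker, interface, reason,
    #          action, direction, ip-version
    if len(f) < 22 or f[8] != "4":
        return None  # IPv6 and other layouts are not handled in this example
    # IPv4 block: tos, ecn, ttl, id, offset, flags, proto-id, proto-text,
    # length, src, dst; then for TCP/UDP: src-port, dst-port, ...
    proto = f[16]
    if proto not in ("tcp", "udp"):
        return None  # ICMP and other protocols carry no ports
    return {
        "interface": f[4], "action": f[6], "direction": f[7], "proto": proto,
        "src": f[18], "dst": f[19], "sport": int(f[20]), "dport": int(f[21]),
    }


def blocked_destinations(log_text, camera_net):
    """Count blocked flows from camera_net as (src, proto, dst, dport) -> hits."""
    net = ipaddress.ip_network(camera_net)
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_filterlog(line)
        if rec is None or rec["action"] != "block":
            continue
        if ipaddress.ip_address(rec["src"]) not in net:
            continue
        counts[(rec["src"], rec["proto"], rec["dst"], rec["dport"])] += 1
    return counts


def report(counts):
    """Render the summary, most frequent first; each line is one candidate pass rule."""
    lines = []
    for (src, proto, dst, dport), n in counts.most_common():
        lines.append(f"{src} -> {proto}/{dport} {dst}  ({n} blocked)")
    return lines


if __name__ == "__main__":
    for line in report(blocked_destinations(SAMPLE_LOG, "192.168.20.0/24")):
        print(line)
```

On a real box the input would be the lines from the firewall log (Status > System Logs > Firewall, or /var/log/filter.log) rather than the constructed sample; the parser deliberately ignores pass entries and anything outside the camera subnet so the summary only lists what the block rule actually stopped.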

Offline xman111

  • Full Member
  • ***
  • Posts: 208
  • Karma: +1/-0
Re: Block cameras from everything but email
« Reply #2 on: February 08, 2018, 12:41:13 pm »
Thanks KOM, it just needs to get to Google's email servers.

Offline Derelict

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 9825
  • Karma: +1111/-311
Re: Block cameras from everything but email
« Reply #3 on: February 08, 2018, 02:02:14 pm »
Make an alias gmail_smtp_submit for FQDN smtp.gmail.com.

Put a pass rule above your block rule for TCP destination gmail_smtp_submit port 587.
Las Vegas, Nevada, USA
Use this diagram to describe your issue.
The pfSense Book is now available for just $24.70!
Do Not PM For Help! NO_WAN_EGRESS™

Offline Gertjan

  • Hero Member
  • *****
  • Posts: 2435
  • Karma: +192/-9
Re: Block cameras from everything but email
« Reply #4 on: February 09, 2018, 07:02:46 am »
> Thanks KOM, it just needs to get to Google's email servers.
In that case, ask Google : https://support.google.com/a/answer/176600?hl=en  ;)

Offline wkearney99

  • Jr. Member
  • **
  • Posts: 26
  • Karma: +0/-0
Re: Block cameras from everything but email
« Reply #5 on: February 10, 2018, 11:08:50 am »
> Hey guys, trying to get my Hikvision cameras to send email notifications.  I was trying to figure out why it wasn't working, then I remembered I blocked all access to the internet for them so they don't get hijacked or hacked.  Is there any way to just let them send out emails but block everything else?  I have a block all rule in the firewall settings.

I'd be tempted to set up an internal SMTP server and filter everything through that.  I rarely let devices send their own messages, unless there's no way to provision for a simple SMTP server on-site.  Doesn't have to handle all e-mail for everything, just for devices you want to supervise.

Offline Gertjan

  • Hero Member
  • *****
  • Posts: 2435
  • Karma: +192/-9
Re: Block cameras from everything but email
« Reply #6 on: February 10, 2018, 11:28:30 am »
> I'd be tempted to set up an internal SMTP server and filter everything through that.  I rarely let devices send their own messages, unless there's no way to provision for a simple SMTP server on-site.  Doesn't have to handle all e-mail for everything, just for devices you want to supervise.
As a last possible solution, yes.
"Local smtp servers" often don't have a correct reverse, no DKIM, bad or absent SPF, so no DMARC.
So, the mail receiver that receives the mail should be really tolerant ...
Remember, we are in 2017 now: just starting a mail server and expecting it to send mail, that period is over now.
A mail server that actually manages to drop mail in inboxes has to respect some rules now.

Opening up a destination address - or a whole bunch of addresses if it concerns gmail - and a destination port like "587" or "465" will lock down the device (camera) pretty well. If the camera goes haywire and sends many mails, well, Google might complain - as would any mail server for that matter.

Offline wkearney99

  • Jr. Member
  • **
  • Posts: 26
  • Karma: +0/-0
Re: Block cameras from everything but email
« Reply #7 on: February 13, 2018, 09:34:54 am »
I'd expect the internal setup to be a mere forwarder, not a full-on handler of all local mail.  Just a gateway between internal devices and an upstream SMTP handler (like gmail, your ISP account, or whatever).  This as a point in-between to simply see what's being sent, and potentially to handle it otherwise.  Triggering other events is one option, as in have something local "do something" when a device message is sent.  For things detecting motion or other security events, if they're using e-mail you have that extra layer of delay. 

Tangentially my To Do list has an item for determining if it might be practical/useful to set up a firewall rule that detects when an on-site camera gateway device (Blink wireless cameras) sends a motion detected alert.  Right now they have no on-site interface, you're solely dependent on using their cloud service to trigger something like IFTTT. 

But I don't want to hijack the thread, more to the point of saying "there's more than one way to approach handling on-site devices".

Offline xman111

  • Full Member
  • ***
  • Posts: 208
  • Karma: +1/-0
Re: Block cameras from everything but email
« Reply #8 on: February 13, 2018, 03:08:32 pm »
Sorry guys, I wasn't getting notifications that there were more posts on this thread... will read through now, thanks guys.

Offline Gertjan

  • Hero Member
  • *****
  • Posts: 2435
  • Karma: +192/-9
Re: Block cameras from everything but email
« Reply #9 on: February 13, 2018, 03:55:51 pm »
@wkearney99: You're right.
A basic mail server like postfix, qmail (isn't it dead yet?), or whatever, could be instructed (read: made brain dead) to pass on the incoming 'local' mails via submission (port 587) or smtps (465) to an upstream, real mail server.
Maintenance would be simplified - and you will have some control over all outgoing mails, which would be a great advantage if you have 'dumb' devices that were allowed to send mails by themselves.
Thanks for pointing that out.

Offline wkearney99

  • Jr. Member
  • **
  • Posts: 26
  • Karma: +0/-0
Re: Block cameras from everything but email
« Reply #10 on: February 17, 2018, 07:26:04 pm »
> Maintenance would be simplified - and you will have some control over all outgoing mails, which would be a great advantage if you have 'dumb' devices that were allowed to send mails by themselves.
> Thanks for pointing that out.

Glad to have something helpful to add.   My feeling is it's better to have a 'choke point' that has logging to keep tabs on just what all these gizmos are trying to send, and to where.

Offline xman111

  • Full Member
  • ***
  • Posts: 208
  • Karma: +1/-0
Re: Block cameras from everything but email
« Reply #11 on: February 18, 2018, 03:24:23 pm »
Thanks guys, Derelict's suggestion worked.

Offline xman111

  • Full Member
  • ***
  • Posts: 208
  • Karma: +1/-0
Re: Block cameras from everything but email
« Reply #12 on: February 19, 2018, 11:00:34 am »
Guys, one other thing... whatever I do, I cannot get the Hikvision to work with email and SSL.  How important is using encrypted email when they are always connected to my ISP network and are locked down?

Offline xman111

  • Full Member
  • ***
  • Posts: 208
  • Karma: +1/-0
Re: Block cameras from everything but email
« Reply #13 on: February 19, 2018, 12:16:31 pm »
Derelict,

Actually I thought it worked, I must have done something wrong.  I have since switched to using my Shaw mail.  Does this look right?  It works with the any/any but not with the other rule.

Offline johnpoz

  • Hero Member
  • *****
  • Posts: 15193
  • Karma: +1414/-206
  • Not a pfSense employee, they cannot fire me...
Re: Block cameras from everything but email
« Reply #14 on: February 19, 2018, 12:20:50 pm »
You sure your Shaw is using 587?  You're saying it works with that any/any above, but not when you remove the any/any and the TCP shaw_smtp_submit should work for port 587?

So either your alias is not right and it's not resolving, or the IP/ranges you put in there are not right, or it's not using 587.  I would do a sniff while you send email so you know for SURE what it's doing, then set up your rule for that.
- An intelligent man is sometimes forced to be drunk to spend time with his fools.
- Please don't PM me for personal help
- if you want to say thanks applaud or https://www.freebsdfoundation.org/donate/
1x SG-2440 2.4.2-RELEASE-p1 (work)
1x SG-4860 2.4.2-RELEASE-p1 (home)
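Derelict's rule set (a pass rule for TCP to an FQDN alias on port 587, placed above the block rule) and johnpoz's list of reasons it can still fail (alias not resolving, wrong addresses in the alias, device not actually using 587) come down to how first-match rule evaluation interacts with an alias table. The model below is an example added to this thread, not pfSense code. It assumes, as pfSense behaves by default, that interface rules are evaluated top-down with the first match winning, and that an FQDN alias is a table of whatever addresses the firewall resolved for the name, so a name that never resolved is an empty table that matches nothing. The alias name, camera subnet and all addresses are made up; 198.51.100.25 stands in for a resolved address of smtp.gmail.com.

```python
"""Top-down, first-match rule evaluation with an FQDN alias.

Example code added to this thread; it is not pfSense code. Assumptions: rules
are evaluated top-down and the first match wins; an FQDN alias is a table of
the addresses the firewall resolved for the name (an unresolved name gives an
empty table that matches nothing). Alias names, the camera subnet and all
addresses are made up; 198.51.100.25 stands in for a resolved smtp.gmail.com.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "pass" or "block"
    proto: Optional[str]   # "tcp", "udp", or None for any protocol
    src: str               # CIDR or "any"
    dst: str               # CIDR, alias name, or "any"
    dport: Optional[int]   # destination port, or None for any
    label: str = ""


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


def _addr_matches(spec, addr, aliases):
    """True when addr falls in spec: 'any', an alias table, or a CIDR."""
    if spec == "any":
        return True
    ip = ipaddress.ip_address(addr)
    if spec in aliases:
        # Empty table (name never resolved) -> any([]) is False: matches nothing
        return any(ip in ipaddress.ip_network(member) for member in aliases[spec])
    return ip in ipaddress.ip_network(spec)


def evaluate(rules, aliases, pkt):
    """Return (action, label) of the first rule matching pkt, else default deny."""
    for rule in rules:
        if rule.proto not in (None, pkt.proto) or rule.dport not in (None, pkt.dport):
            continue
        if not _addr_matches(rule.src, pkt.src, aliases):
            continue
        if not _addr_matches(rule.dst, pkt.dst, aliases):
            continue
        return rule.action, rule.label
    return "block", "default deny"


CAMERA_NET = "192.168.20.0/24"                         # constructed camera subnet
PASS_SUBMIT = Rule("pass", "tcp", CAMERA_NET, "gmail_smtp_submit", 587,
                   "pass TCP to gmail_smtp_submit port 587")
BLOCK_ALL = Rule("block", None, CAMERA_NET, "any", None, "block everything from cameras")

RESOLVED = {"gmail_smtp_submit": ["198.51.100.25"]}   # FQDN alias populated
UNRESOLVED = {"gmail_smtp_submit": []}                # alias never populated

CAMERA_TO_SMTP = Packet("tcp", "192.168.20.50", "198.51.100.25", 587)


def scenarios():
    """Outcome of the camera's SMTP connection under each configuration."""
    return {
        "pass above block, alias resolved":
            evaluate([PASS_SUBMIT, BLOCK_ALL], RESOLVED, CAMERA_TO_SMTP)[0],
        "pass above block, alias unresolved":
            evaluate([PASS_SUBMIT, BLOCK_ALL], UNRESOLVED, CAMERA_TO_SMTP)[0],
        "pass above block, camera uses 465 instead":
            evaluate([PASS_SUBMIT, BLOCK_ALL], RESOLVED,
                     Packet("tcp", "192.168.20.50", "198.51.100.25", 465))[0],
        "pass placed below block":
            evaluate([BLOCK_ALL, PASS_SUBMIT], RESOLVED, CAMERA_TO_SMTP)[0],
        "camera tries NTP":
            evaluate([PASS_SUBMIT, BLOCK_ALL], RESOLVED,
                     Packet("udp", "192.168.20.50", "203.0.113.7", 123))[0],
    }


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{outcome:5s}  {name}")
```

Only the first scenario passes; the other four all end at the block rule, which is why the symptom "works with any/any, fails with the specific rule" on its own does not say which of johnpoz's three causes applies, and a packet capture or the block log entry (which names the destination address and port actually attempted) is what distinguishes them. On a real pfSense box an alias whose name fails to resolve may also keep the rule from loading at all; either way the camera's traffic falls through to the block rule, as modelled here.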