Hi all,
With everything wanting for some reason or another to connect to the internet I was wondering if anyone has some piece of advice on how to protect a home from data leaks.
I was thinking of finding a device that would allow me to create a wifi network for these home devices (such as TV and whatnot), monitor the connections created and have a white list of names and/or IP addresses that connections would be allowed.
Thanks in advance,
Miguel
Hi Miguel,
# Miguel Tavares [2016-09-03 10:45 +0200]:
> I was thinking of finding a device that would allow me to create a wifi network for these home devices (such as TV and whatnot), monitor the connections created and have a white list of names and/or IP addresses that connections would be allowed.
Recently I heard the state of the art is using for example the APU2 system by PC Engines, which is a fully Free Software compatible network device. For WiFi, PC Engines also sells compatible antennas. You can install a network firewall OS like IPFire or pfSense on it which should provide all features you mentioned (and lots more!).
Never used it but heard a few good reports about it.
Best, Max
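An added example, not part of any message in this thread: the default-deny allowlist Miguel describes, written as an nftables ruleset for a plain Linux router. The interface names `wan0`, `lan0` and `iot0` and all addresses are assumptions (documentation-range placeholders); allowlisting by name would additionally need a resolver that fills the set, which is outside this example.

```nft
#!/usr/sbin/nft -f
# Added example. Assumed interfaces: wan0 = uplink, lan0 = trusted LAN,
# iot0 = separate Wi-Fi network for TV / IoT devices.
flush ruleset

table inet homefw {
    # Destinations IoT devices may reach (constructed sample values).
    set iot_allowed_v4 {
        type ipv4_addr
        flags interval
        elements = { 192.0.2.10, 198.51.100.0/24 }
    }

    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iifname "lo" accept
        iifname "lan0" accept
        # IoT clients may only use DNS and DHCP on the router itself.
        iifname "iot0" udp dport { 53, 67 } accept
        iifname "iot0" tcp dport 53 accept
        iifname "iot0" limit rate 10/minute log prefix "iot-input-drop: "
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # Trusted LAN may reach the internet and the IoT devices.
        iifname "lan0" accept
        # IoT to internet: allowlisted IPv4 destinations only.
        iifname "iot0" oifname "wan0" ip daddr @iot_allowed_v4 accept
        # Everything else from IoT (including all IPv6 and any attempt
        # to reach lan0) is logged, then dropped by the chain policy.
        iifname "iot0" limit rate 10/minute log prefix "iot-fwd-drop: "
    }
}

table ip homenat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname "wan0" masquerade
    }
}
```

The `iot-fwd-drop:` lines in the kernel log are the monitoring half: they show which destinations a device tried to reach before you decide whether to add them to the set.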
Hello Max,
Thx for the reply. APU2 looks interesting more for a home server than just to serve as a firewall to the home IoT and multimedia devices.
I was actually looking more into a small router/firewall. I found out that there are some options, like rooting a small tp-link router I already own or just buying a router that already comes with OpenWRT by default. These last options are considerably more affordable (~30€) than an APU2 (~130€). The possible drawback is that the firmware probably contains binary blobs (I'm not sure if it does, I couldn't find out yet).
For home server for now I have an old fanless Intel NUC working fine. When it needs updating an APU2 sure looks like a good option.
Maybe we FSFE should start a campaign on "free your home network" and protect your home data (like the free your android). On the other hand.. time seems to be a resource most of us are running out of to even keep the "free your android" campaign updated (my bad there too).
Regards, Miguel
Hi
Although I'm not sure they are taking more orders at this time, Turris Omnia just started production
It's based on openwrt and has a community of developers maintaining the firmware, therefore allowing an automatic update option.
I'm waiting for mine ...
Otherwise, what about a raspberry pi III with full blown debian and automatic security updates ? that was what I was about to order when I found out about omnia because my linksys doesn't allow enough features for what I want
freely yours, Ghyom
# Guillaume Lenoir [2016-09-06 13:14 +0200]:
> Otherwise, what about a raspberry pi III with full blown debian and automatic security updates ? that was what I was about to order when I found out about omnia because my linksys doesn't allow enough features for what I want
That's what I thought as well but for a firewall the Raspi might have too little network bandwidth. The internal ethernet port is 10/100 only and the USB port which you would have to use to attach a WiFi antenna also has limited throughput. I guess it would work but if you route all network traffic through this device and share larger files among the computers be prepared to have the Raspi as a bottleneck.
Best, Max
Hi all,
> That's what I thought as well but for a firewall the Raspi might have too little network bandwidth. The internal ethernet port is 10/100 only and the USB port which you would have to use to attach a WiFi antenna also has limited throughput.
Ethernet is connected via USB. The raspis are sh*t performance-wise.
Best wishes Michael
On 6 September 2016 09:33:58 BST, Miguel Tavares mtavares@fsfe.org wrote:
> Hello Max,
> Thx for the reply. APU2 looks interesting more for a home server than just to serve as a firewall to the home IoT and multimedia devices.
> I was actually looking more into a small router/firewall. I found out that there are some options, like rooting a small tp-link router I already own or just buying a router that already comes with OpenWRT by default. These last options are considerably more affordable (~30€) than an APU2 (~130€). The possible drawback is that the firmware probably contains binary blobs (I'm not sure if it does, I couldn't find out yet).
Some of the really cheap routers (including many tp-link) have trouble powering some USB devices.
If you plan to use USB devices (especially modems) then you need to limit the choices. After having bad experiences with tp-link, I bought a more expensive Buffalo and have been happy with it.
That might (or not) be because their power supply doesn't provide the needed juice. But it's good advice to keep in mind.
I was trying to avoid talking about brands but I would actually like to know if anyone has experience with GL-iNet routers. The iNet 64** routers seem to hit a nice spot. They do claim to have their source in the trunk of OpenWrt, that's a plus.
On 09/05/2016 04:45 PM, Max Mehl wrote:
> Hi Miguel,
> Recently I heard the state of the art is using for example the APU2 system by PC Engines, which is a fully Free Software compatible network device. For WiFi, PC Engines also sells compatible antennas. You can install a network firewall OS like IPFire or pfSense on it which should provide all features you mentioned (and lots more!).
> Never used it but heard a few good reports about it.
> Best, Max
Just to make sure this is known, the APU2 currently requires the AGESA binary to boot. It is not (yet?) fully libre:
https://review.coreboot.org/#/c/14138/10/src/mainboard/pcengines/apu2/Kconfi...
See in particular the USE_BLOBS select line.
The APU1 does not require blobs to boot and may be a better choice depending on application.
-- Timothy Pearson Raptor Engineering +1 (415) 727-8645 (direct line) +1 (512) 690-0200 (switchboard) https://www.raptorengineering.com
Getting any electronic device that doesn't require binary blobs is becoming impossible.. Being able to find devices that you can actually own (like being able to run your own code on it) is rather hard already. :(
I guess the only way this would improve is if vendors of devices with closed implementations would be held responsible for security of the devices.
On 09/07/2016 02:20 AM, Miguel Tavares wrote:
> Getting any electronic device that doesn't require binary blobs is becoming impossible.. Being able to find devices that you can actually own (like being able to run your own code on it) is rather hard already. :(
> I guess the only way this would improve is if vendors of devices with closed implementations would be held responsible for security of the devices.
I've been saying this exact thing for some time now. Here in the US I don't think it's possible, but I wonder if there are any other countries willing to entertain this idea?
Personally, if you "purchase" a device that you have no control over, no ability to modify, no ability to re-purpose, that can be upgraded / deactivated remotely, and that has to be thrown away when it no longer works, it should be legally treated as a leased item and the manufacturer should be held fully responsible when it no longer functions as intended. If it quacks like a duck, let's not call it a goose, OK? :-)
-- Timothy Pearson Raptor Engineering +1 (415) 727-8645 (direct line) +1 (512) 690-0200 (switchboard) https://www.raptorengineering.com