[mythtv-users] Usefulness of firewall

Stephen Worthington stephen_agent at jsw.gen.nz
Sat Aug 13 15:31:59 UTC 2022


On Sat, 13 Aug 2022 07:29:25 -0500, you wrote:

>On Thu, Aug 11 2022, James <jam at tigger.ws> wrote:
>
>>> On 10 Aug 2022, at 11:33 pm, Simon <linux at thehobsons.co.uk> wrote:
>>> 
>>>> If you have a modem/router and you are running an ipv4 network at home then any firewall within your network is totally without any value whatsoever.
>>> 
>>> I disagree - (almost) totally.
>>
>> Actually I agree (I had not considered SOUP)
>>
>> Stephen's comment
>>
>>> I have a separate IoT subnet where I put all my untrusted devices.
>>> That subnet has Internet access, but the only access it has to the
>>> rest of my network is to the DNS and NTP servers - anything else is
>>> blocked.  The parts of my network that are trusted can talk to the IoT
>>> subnet to access the devices as required.  The WiFi SSID on the IoT
>>> subnet is set up to disallow devices from talking to each other.
>>
>> But I need to think, offhand I don't see the ubiquitous modem/router being flexible enough to achieve this.
>
>It depends on the router you are using, but openwrt runs on many and can
>easily be configured to do what Stephen suggests. I will guess that is
>what he is using.
>
>Leo

I do own an OpenWRT based router (Linksys WRT1900AC), but the main
router I am using at the moment is a Ubiquiti Edgerouter 4, with a
more powerful CPU.  OpenWRT and Edgerouters are similarly very
capable, but are less easy for novice users to set up.  The WiFi
access point I am using with the ER4 is a Ubiquiti FlexHD, which is
also very configurable.  I run three major subnets:

Inner - trusted devices (including the MythTV boxes)
Outer - guests
IoT - untrusted devices

and the WAN port and the Internet beyond it is also set up as though
it was a subnet (Outside).

Each internal subnet has Ethernet and WiFi parts bridged together in
my switch (Ubiquiti EdgeSwitch 24 Lite).  I use a zone firewall, where
each subnet is designated as a zone, and all four zones have sets of
rules for what is allowed between them (so 4x4 sets of rules).  This
is a bit complicated to set up initially, but now allows me to just
add things into an existing zone whenever I want to without having to
add any more firewall settings at all.  For example, to add a
Wireguard server, I would just designate its internal port as part of
the Inner zone and any connection via Wireguard would have full access
to my network from there.

I do not run local firewalls on my Linux boxes, but I do on my Windows
PC and the Windows boot of my old and new laptops.  That is because
Windows is such a dangerous thing to run - if it gets infected, you do
not want it to be able to spread the infection to other Windows
installations.
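A small model of the zone table Stephen describes, added here as an illustration (it is not his configuration and not EdgeOS or OpenWrt syntax): four zones, a default-deny 4x4 policy, IoT allowed only DNS and NTP towards the trusted side, and a new interface such as a WireGuard tunnel joining a zone without any new rules. Interface names (eth0..eth3, wg0) and the rule contents are assumptions.

```python
# Constructed model of the four-zone layout from the post. Interface names
# (eth0..eth3, wg0) and the exact rule contents are assumptions made for
# illustration, not the poster's real EdgeRouter configuration.

# Zone membership of interfaces.
ZONES = {
    "Inner":   {"eth1"},   # trusted devices, including the MythTV boxes
    "Outer":   {"eth2"},   # guests
    "IoT":     {"eth3"},   # untrusted devices
    "Outside": {"eth0"},   # WAN, treated as a zone like the others
}

ANY = ("any", None)   # (protocol, destination port); None matches any port

# One rule list per (from_zone, to_zone) pair. A missing or empty list means
# deny, so the 4x4 table is default-deny and only the listed pairs pass.
POLICY = {
    ("Inner", "Inner"):   [ANY],
    ("Inner", "Outer"):   [ANY],
    ("Inner", "IoT"):     [ANY],   # trusted side may reach IoT devices as needed
    ("Inner", "Outside"): [ANY],
    ("Outer", "Outer"):   [ANY],
    ("Outer", "Outside"): [ANY],   # guests get Internet only
    ("IoT", "Outside"):   [ANY],   # IoT devices get Internet ...
    ("IoT", "Inner"):     [("udp", 53), ("tcp", 53), ("udp", 123)],  # ... plus DNS/NTP
}

def zone_of(iface):
    """Map an interface to its zone; an interface in no zone is a config error."""
    for name, members in ZONES.items():
        if iface in members:
            return name
    raise ValueError(f"interface {iface!r} belongs to no zone")

def add_to_zone(iface, zone_name):
    """Adding a device (e.g. a WireGuard tunnel) means joining a zone; no new rules."""
    ZONES[zone_name].add(iface)

def allowed(in_iface, out_iface, proto, dport, established=False):
    """Stateful decision for a packet entering on in_iface and leaving on out_iface:
    replies to established flows always pass; new flows consult the zone table."""
    if established:
        return True
    pair = (zone_of(in_iface), zone_of(out_iface))
    return any(p in ("any", proto) and d in (None, dport)
               for p, d in POLICY.get(pair, []))
```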
