Block SmartTV Communication (with Exceptions)

Hi together,

I am planning to block all the traffic originating from a SmartTV (separate IoT Wi-Fi) to the outside (WAN/Internet). Only a few services should be available to the TV, which I want to make available via firewall exceptions.

The services which should still be usable are: Netflix, Disney Plus, YouTube. As their IP addresses are not known in advance, this seems to be the moment for "ipsets" to shine, because dnsmasq should fill the ipsets with IP addresses obtained from DNS lookups on the fly.

The Setup:
First, the IP sets which should hold the IP addresses of the whitelisted services are created:

# Create and configure IP sets via firewall (creates ipsets on router)
fw_ipset="streaming_portals_ipv4"
uci -q delete firewall.${fw_ipset}
uci set firewall.${fw_ipset}="ipset"
uci set firewall.${fw_ipset}.name="${fw_ipset}"
uci set firewall.${fw_ipset}.family="ipv4"
uci set firewall.${fw_ipset}.storage="hash"
uci set firewall.${fw_ipset}.match="ip" #dest_net
uci set firewall.${fw_ipset}.enabled=1

fw_ipset6="streaming_portals_ipv6"
uci -q delete firewall.${fw_ipset6}
uci set firewall.${fw_ipset6}="ipset"
uci set firewall.${fw_ipset6}.name="${fw_ipset6}"
uci set firewall.${fw_ipset6}.family="ipv6"
uci set firewall.${fw_ipset6}.storage="hash"
uci set firewall.${fw_ipset6}.match="ip" #dest_net
uci set firewall.${fw_ipset6}.enabled=1
uci commit firewall
/etc/init.d/firewall restart

The command ipset -L can be used to show whether they have been successfully created:

Name: streaming_portals_ipv4
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 56
References: 0
Number of entries: 0
Members:

Name: streaming_portals_ipv6
Type: hash:ip
Revision: 4
Header: family inet6 hashsize 1024 maxelem 65536
Size in memory: 68
References: 0
Number of entries: 0
Members:

In the next step I want to tell dnsmasq to automatically populate these ipsets with the results of the DNS lookups for the domains to be whitelisted:

#https://openwrt.org/docs/guide-user/base-system/dhcp#ipsets
dnsmasq_ipset_config="ss_domains" # Streaming service domains
uci -q delete dhcp.${dnsmasq_ipset_config}
uci set dhcp.${dnsmasq_ipset_config}="ipset"
uci add_list dhcp.${dnsmasq_ipset_config}.name="${fw_ipset}"
uci add_list dhcp.${dnsmasq_ipset_config}.name="${fw_ipset6}"
uci add_list dhcp.${dnsmasq_ipset_config}.domain="netflix.com"
uci add_list dhcp.${dnsmasq_ipset_config}.domain="disneyplus.com"
uci add_list dhcp.${dnsmasq_ipset_config}.domain="youtube.com"
uci commit dhcp
/etc/init.d/dnsmasq restart

To test if dnsmasq fills the ipsets, the following commands should be sufficient:

wget netflix.com
wget disneyplus.com
wget youtube.com
ipset -L

However, the ipsets stay empty:

Name: streaming_portals_ipv4
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 56
References: 0
Number of entries: 0
Members:

Name: streaming_portals_ipv6
Type: hash:ip
Revision: 4
Header: family inet6 hashsize 1024 maxelem 65536
Size in memory: 68
References: 0
Number of entries: 0
Members:

According to https://git.zx2c4.com/ipset-dns/about/ and https://openwrt.org/docs/guide-user/base-system/dhcp#ipsets the dnsmasq-full package, which can be installed via opkg install dnsmasq-full, should offer this functionality.

How do I get my ipsets populated with the IP addresses of the streaming providers?

Thanks for your support!

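An added diagnostic for the "ipsets stay empty" symptom in the post above (example code, not from the thread or from OpenWrt). It separates the four things that have to be true before a set can fill: dnsmasq was built with ipset support (the stock package is built with no-ipset), the host issuing the lookup actually resolves through this dnsmasq (a TV with a hard-coded upstream resolver, or a router whose resolv.conf points elsewhere, bypasses it entirely), the UCI config was rendered into an ipset= line for the set, and the set has entries. Each check is a function over text, so the script also runs offline on captured output; the rendered dnsmasq config path /var/etc/dnsmasq.conf.<instance> is an assumption, and all sample data below is constructed.

```shell
#!/bin/sh
# Added diagnostic (not part of the thread) for the "ipsets stay empty"
# symptom. Each check is a function over text so it can run offline on
# captured output; on an OpenWrt router it runs against the live system.
# Set names are the thread's; sample data is constructed.

SET4="streaming_portals_ipv4"
SET6="streaming_portals_ipv6"

# Check 1: was dnsmasq built with ipset support? `dnsmasq --version` lists
# compile-time options; dnsmasq-full shows "ipset", the stock build "no-ipset".
dnsmasq_has_ipset() {            # $1: output of `dnsmasq --version`
    printf '%s\n' "$1" | grep -qE '^Compile time options:.*[ :]ipset( |$)'
}

# Check 2: does the host issuing the lookup use this dnsmasq at all?
# Lookups sent straight to an upstream resolver never pass dnsmasq and so
# never populate a set, whatever the ipset directive says.
resolver_is_local() {            # $1: contents of /etc/resolv.conf
    printf '%s\n' "$1" | grep -qE '^nameserver[[:space:]]+(127\.0\.0\.1|::1)([[:space:]]|$)'
}

# Check 3: did the UCI config reach dnsmasq? OpenWrt renders it to
# /var/etc/dnsmasq.conf.<instance> (path assumed); look for an ipset= line
# naming the set anywhere in its comma-separated set list.
dnsmasq_conf_has_set() {         # $1: rendered dnsmasq.conf, $2: set name
    printf '%s\n' "$1" | grep -qE "^ipset=/.*/([^,]+,)*$2(,|$)"
}

# Check 4: how many entries does each set hold? Prints "<name> <count>" per set.
ipset_entry_counts() {           # $1: output of `ipset -L`
    printf '%s\n' "$1" | awk '
        /^Name:/              { name = $2 }
        /^Number of entries:/ { print name, $4 }'
}

# Constructed sample data, shaped like the real command output.
SAMPLE_IPSET_L='Name: streaming_portals_ipv4
Type: hash:ip
Header: family inet hashsize 1024 maxelem 65536
References: 1
Number of entries: 2
Members:
198.51.100.10
198.51.100.11

Name: streaming_portals_ipv6
Type: hash:ip
Header: family inet6 hashsize 1024 maxelem 65536
References: 1
Number of entries: 0
Members:'
SAMPLE_RESOLV='search lan
nameserver 127.0.0.1'
SAMPLE_DNSMASQ_CONF="ipset=/netflix.com/nflxvideo.net/$SET4,$SET6"

live_checks() {
    dnsmasq_has_ipset "$(dnsmasq --version 2>/dev/null)" \
        && echo "ok:   dnsmasq has ipset support" \
        || echo "FAIL: dnsmasq lacks ipset support (opkg install dnsmasq-full)"
    resolver_is_local "$(cat /etc/resolv.conf)" \
        && echo "ok:   router resolves through local dnsmasq" \
        || echo "warn: router bypasses dnsmasq; test the lookup from the TV side instead"
    for f in /var/etc/dnsmasq.conf.*; do
        [ -f "$f" ] || continue
        dnsmasq_conf_has_set "$(cat "$f")" "$SET4" \
            && echo "ok:   $f has an ipset= line for $SET4" \
            || echo "FAIL: $f has no ipset= line for $SET4"
    done
    ipset_entry_counts "$(ipset -L)"
}

# Run live on the router; elsewhere demonstrate the parser on the sample.
if command -v ipset >/dev/null 2>&1 && command -v dnsmasq >/dev/null 2>&1; then
    live_checks
else
    ipset_entry_counts "$SAMPLE_IPSET_L"
fi
```

Run it on the router after one deliberate lookup through dnsmasq (for example `nslookup netflix.com 127.0.0.1`); a set that still reports zero entries after the first three checks pass points at the client side, since dnsmasq only adds addresses for queries that actually pass through it.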

I found a solution and will share it with you soon in more detail.
The key is to define the ipset for dnsmasq similar to this (however, the DNS names might be restricted more strictly):

#DNS Names to be whitelisted
uci -q delete dhcp.@dnsmasq[0].ipset
#Netflix
uci add_list dhcp.@dnsmasq[0].ipset="/netflix.com/${fw_ipset},${fw_ipset6}"
uci add_list dhcp.@dnsmasq[0].ipset="/nflxso.net/${fw_ipset},${fw_ipset6}"
uci add_list dhcp.@dnsmasq[0].ipset="/nflximg.com/${fw_ipset},${fw_ipset6}"
uci add_list dhcp.@dnsmasq[0].ipset="/nflxvideo.net/${fw_ipset},${fw_ipset6}"
uci add_list dhcp.@dnsmasq[0].ipset="/akamai.net/${fw_ipset},${fw_ipset6}"
uci add_list dhcp.@dnsmasq[0].ipset="/akamaiedge.net/${fw_ipset},${fw_ipset6}"
uci add_list dhcp.@dnsmasq[0].ipset="/amazonaws.com/${fw_ipset},${fw_ipset6}"
uci add_list dhcp.@dnsmasq[0].ipset="/microsoft.com/${fw_ipset},${fw_ipset6}"

#DisneyPlus
uci add_list dhcp.@dnsmasq[0].ipset="/disneyplus.com/${fw_ipset},${fw_ipset6}"
uci add_list dhcp.@dnsmasq[0].ipset="/cloudfront.net/${fw_ipset},${fw_ipset6}"

#Youtube
uci add_list dhcp.@dnsmasq[0].ipset="/youtube.com/${fw_ipset},${fw_ipset6}"
uci add_list dhcp.@dnsmasq[0].ipset="/googlevideo.com/${fw_ipset},${fw_ipset6}"
uci commit dhcp
/etc/init.d/dnsmasq restart
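The reply above shows only the dnsmasq side. As an added example (not the thread's or OpenWrt's own code), the following script carries the whole policy the thread is building toward in OpenWrt UCI: a deny-by-default IoT zone, a rule letting it reach the router's DHCP and DNS, a redirect that forces plain DNS through dnsmasq (without it a TV with a hard-coded resolver never populates the sets and the allow rule never matches), and the two exception rules that forward to wan only when the destination is in a set. It assumes the two ipset sections from the first post already exist, that the TV's network and firewall zone are both named "iot", and uses section names of its own (iot_zone, iot_force_dns, iot_streaming_ipv4/6); the domain lists are the reply's, and the DRY_RUN variable is the script's own. Without uci on the machine, or with DRY_RUN=1, it only prints the uci commands it would run.

```shell
#!/bin/sh
# Added example (not the thread's own code): deny-by-default IoT egress with
# dnsmasq-fed ipsets as the only exceptions, in OpenWrt UCI. Assumes the ipset
# sections from the first post exist and a network/zone named "iot".
SET4="streaming_portals_ipv4"
SET6="streaming_portals_ipv6"
IOT_ZONE="iot"

# Dry-run stand-in: print the uci commands instead of running them.
if [ -n "$DRY_RUN" ] || ! command -v uci >/dev/null 2>&1; then
    uci() { printf 'uci %s\n' "$*"; }
fi

# Build one dnsmasq --ipset directive, "/d1/d2/set4,set6". dnsmasq accepts
# several domains per directive and matches each domain plus its subdomains.
ipset_directive() {              # $1: space-separated domains, $2: set list
    _d=""
    for _x in $1; do _d="$_d/$_x"; done
    printf '%s/%s' "$_d" "$2"
}

# Domain lists from the reply. The shared-CDN names (akamai*, amazonaws,
# cloudfront, microsoft) admit far more than three services; the reply notes
# they can be tightened, so test each service with them removed first.
NETFLIX="netflix.com nflxso.net nflximg.com nflxvideo.net akamai.net akamaiedge.net amazonaws.com microsoft.com"
DISNEY="disneyplus.com cloudfront.net"
YOUTUBE="youtube.com googlevideo.com"

apply_dnsmasq() {
    uci -q delete 'dhcp.@dnsmasq[0].ipset'
    for group in "$NETFLIX" "$DISNEY" "$YOUTUBE"; do
        uci add_list "dhcp.@dnsmasq[0].ipset=$(ipset_directive "$group" "$SET4,$SET6")"
    done
    uci commit dhcp
}

apply_firewall() {
    # Zone: nothing from iot is forwarded unless a rule below allows it.
    uci -q delete firewall.iot_zone
    uci set firewall.iot_zone=zone
    uci set firewall.iot_zone.name="$IOT_ZONE"
    uci add_list firewall.iot_zone.network="$IOT_ZONE"
    uci set firewall.iot_zone.input=REJECT
    uci set firewall.iot_zone.output=ACCEPT
    uci set firewall.iot_zone.forward=REJECT

    # The TV must still reach the router's DHCP and DNS (no dest = router input).
    uci -q delete firewall.iot_dhcp_dns
    uci set firewall.iot_dhcp_dns=rule
    uci set firewall.iot_dhcp_dns.name="$IOT_ZONE-allow-dhcp-dns"
    uci set firewall.iot_dhcp_dns.src="$IOT_ZONE"
    uci set firewall.iot_dhcp_dns.proto='tcp udp'
    uci set firewall.iot_dhcp_dns.dest_port='53 67'
    uci set firewall.iot_dhcp_dns.target=ACCEPT

    # Force plain DNS through dnsmasq: DNAT without dest_ip redirects to the
    # router itself. Encrypted DNS over 443 cannot be caught this way.
    uci -q delete firewall.iot_force_dns
    uci set firewall.iot_force_dns=redirect
    uci set firewall.iot_force_dns.name="$IOT_ZONE-force-dns"
    uci set firewall.iot_force_dns.src="$IOT_ZONE"
    uci set firewall.iot_force_dns.proto='tcp udp'
    uci set firewall.iot_force_dns.src_dport=53
    uci set firewall.iot_force_dns.target=DNAT

    # The exceptions: forward to wan only when the destination is in a set.
    for fam in ipv4 ipv6; do
        case $fam in ipv4) set_name=$SET4 ;; ipv6) set_name=$SET6 ;; esac
        r="iot_streaming_$fam"
        uci -q delete "firewall.$r"
        uci set "firewall.$r=rule"
        uci set "firewall.$r.name=$IOT_ZONE-allow-streaming-$fam"
        uci set "firewall.$r.src=$IOT_ZONE"
        uci set "firewall.$r.dest=wan"
        uci set "firewall.$r.family=$fam"
        uci set "firewall.$r.proto=tcp udp"
        uci set "firewall.$r.ipset=$set_name dest"
        uci set "firewall.$r.target=ACCEPT"
    done
    uci commit firewall
}

apply_dnsmasq
apply_firewall
if [ -z "$DRY_RUN" ] && command -v uci >/dev/null 2>&1; then
    /etc/init.d/firewall restart    # recreates the (empty) sets
    /etc/init.d/dnsmasq restart     # lookups from now on refill them
fi
```

The sets only ever hold addresses that the TV has resolved through dnsmasq, so after a firewall restart they start empty and the allow rules match nothing until the next lookup; that is expected, not a failure. Entries are plain resolved addresses, so whatever a whitelisted domain resolves to is reachable, which is why the breadth of the domain list matters more than anything in the firewall rules.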
