Originally published at: https://boingboing.net/2020/01/28/firewalla-is-a-simple-but-effe.html
…
As a non-technical person, how do I know these types of devices and services aren’t fronts for the various countries’ no-such-agencies or corporate info gathering?
“Firewalla is a simple but effective way (Insert Hostile Actor Here) to take control of your home network”
Short answer: you don’t… but…
Slightly longer answer: they appear to have made the box itself open source, so there’s a pretty good chance that a few folks like me have already skimmed or read code, and that raises the chance that someone would spot blatant malfeasance. (Edit: Also, it raises the chance that they’ve re-used well-tested, open source libraries as a base.)
I do have the skills to set all of this up. It’s more than a little tedious when you don’t do it for a living and have to open up a bunch of manuals each time you change something. The best an “unskilled” person can do is find an open source solution that gets you 90% of the way.
At first glance, this is a very good price for what you get. If there was bad behaviour it would probably be in the app, specifically either in the handset itself (for which you have no defense) or in libraries linked to accomplish various tasks (for which you have little defense). At least, that’s where I would put it…
The first thing I do when considering such devices is begin reading reviews on all the tech sites that I can find. If there’s going to be a problem with it, one of them will have already sussed it out and commented on it.
Interesting. It is apparently running on a NanoPi Neo board (around $10 directly from FriendlyElec), with the blue one on a NanoPi Neo2 (around $20), so what you’re paying for is the user-friendly software. You already get pretty good network monitoring on commercial routers (such as MikroTik routers that run well under $100), but that software is designed for network professionals and isn’t too easy for home users. This suggests that somewhere out there is a good software project waiting to happen. (I don’t know how this compares to software systems like Nagios that already exist for ARM-based computers.)
ETA after @Simon_Clift’s post: if the software is really open source, then, since the HW is both cheap and easily available, is what one is paying for just the customer support?
I don’t understand some of the features. How can a device which plugs into the client side of a router prevent peer devices on the same network from accessing websites? I can do this on my routers, but on a PC only by logging into the administrative interface of the router.
How can a device which plugs into the client side of a router prevent peer devices on the same network from accessing websites?
Skimming the code, it looks to be setting itself up as a dnsmasq server running your network’s DHCP and DNS services. Without spending a lot of time reading code, I’m guessing it’s relying on your average network device using DHCP and that device using its local DNS exclusively. (On my network, unknown devices making DHCP requests get given an IP address in a dark little room with no exits.)
Sadly, with (arguably) badly behaved protocols like DNS over HTTPS it gets unreliable to rely on catching packets on port 53.
(“Arguable” because it depends on who considers whom to be badly behaved and why. If your network overlord is the bad guy then DoH is your friend. If your kids are bypassing your network filters to get at Reddit, DoH is the enemy.)
Edit: bit of a red flag. The binaries for some things like dnsmasq are in the source tree, rather than the source itself. That’s still verifiable, but the user would need to replace that software with stuff they’ve compiled themselves to test it.
Edit: @d_r saving a few hours of my time on grief and maintenance is, in theory, worth the price. I’m getting to the age where I need a compelling argument for DIY (not that I don’t talk myself into doing lots of stuff I probably should leave to other people).
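The post above describes the enforcement model (the box runs dnsmasq as the LAN's DHCP and DNS server, and filtering only works for clients that actually use that resolver) and then notes that DoH makes watching port 53 unreliable. The following is an added example, not Firewalla's code and not from the thread: a small detector that reads flow records and flags LAN devices that go around the local resolver, either with plain DNS to some other server or with encrypted DNS. It goes slightly beyond the post by also flagging DNS-over-TLS (port 853). The resolver address, LAN range, DoH endpoint list and flow records are all constructed placeholders for the example.

```python
"""Flag LAN devices that bypass the local dnsmasq resolver.

Added example, not Firewalla's code. Assumptions (all constructed):
  - LOCAL_RESOLVER is the dnsmasq box handed out via DHCP;
  - DOH_RESOLVERS is a placeholder set of known DoH endpoint addresses
    (a real deployment would maintain its own list);
  - SAMPLE_FLOWS is a constructed flow log: src dst proto dport per line.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

LOCAL_RESOLVER = ip_address("192.168.1.2")   # assumed dnsmasq/DHCP box
LAN = ip_network("192.168.1.0/24")           # assumed home LAN
# Placeholder DoH endpoints from the documentation range, not a real list.
DOH_RESOLVERS = {ip_address("203.0.113.10"), ip_address("203.0.113.11")}

# Constructed flow records for the demo (src, dst, proto, dport).
SAMPLE_FLOWS = """
192.168.1.20 192.168.1.2 udp 53
192.168.1.20 93.184.216.34 tcp 443
192.168.1.31 8.8.8.8 udp 53
192.168.1.31 192.168.1.2 udp 53
192.168.1.42 203.0.113.10 tcp 443
192.168.1.42 192.168.1.2 udp 67
192.168.1.55 203.0.113.11 tcp 853
"""


def parse_flows(text):
    """Parse 'src dst proto dport' lines into tuples; blank lines ignored."""
    flows = []
    for line in text.strip().splitlines():
        src, dst, proto, dport = line.split()
        flows.append((ip_address(src), ip_address(dst), proto.lower(), int(dport)))
    return flows


def classify_flow(src, dst, proto, dport):
    """Return a finding label for one flow, or None if it is unremarkable.

    Only LAN sources are judged. Plain DNS is fine when it goes to the
    local resolver; anything else on 53, any DoT on 853, or HTTPS to a
    known DoH endpoint means the box's filtering is being bypassed.
    """
    if src not in LAN:
        return None
    if dport == 53 and dst != LOCAL_RESOLVER:
        return "plain-dns-bypass"
    if dport == 853:
        return "dns-over-tls"
    if dport == 443 and dst in DOH_RESOLVERS:
        return "dns-over-https"
    return None


def find_bypassing_devices(flows):
    """Group findings per source device: {src: sorted ['label->dst', ...]}."""
    findings = defaultdict(set)
    for src, dst, proto, dport in flows:
        label = classify_flow(src, dst, proto, dport)
        if label:
            findings[str(src)].add(f"{label}->{dst}")
    return {src: sorted(labels) for src, labels in findings.items()}


if __name__ == "__main__":
    for device, labels in find_bypassing_devices(parse_flows(SAMPLE_FLOWS)).items():
        print(device, ", ".join(labels))
```

The point of the device-level grouping is that a client with no port-53 traffic at all but regular HTTPS to a DoH endpoint is the case the post calls unreliable to catch on port 53; listing it next to the plain-DNS cases makes both bypass paths visible in one report.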
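The "red flag" edit above says that binaries such as dnsmasq sit in the source tree rather than the source, and that a user would have to replace them with self-compiled builds to verify anything. As an added example (not Firewalla's tooling and not from the thread), this script does the first two steps of that check: it walks a tree, finds every file that is an executable by its magic bytes, and compares each one against a manifest of hashes produced from the reviewer's own build. The demo tree, its contents and the manifest are constructed inside the script; the path `bin/dnsmasq` is just a placeholder name.

```python
"""Audit a source tree for checked-in executables and compare them against
hashes of builds you compiled yourself.

Added example, not Firewalla's code. The demo tree and manifest are
constructed by build_demo_tree(); point audit_tree() at a real checkout
and a real manifest to use it for real.
"""
import hashlib
import os
import tempfile

# Executable container formats recognised by their leading bytes.
MAGICS = {
    b"\x7fELF": "elf",
    b"MZ": "pe",
    b"\xcf\xfa\xed\xfe": "mach-o-64",   # 0xFEEDFACF little-endian on disk
    b"\xfe\xed\xfa\xcf": "mach-o-64",   # big-endian variant
}


def file_kind(path):
    """Return the executable format name for path, or None if not a binary."""
    with open(path, "rb") as f:
        head = f.read(4)
    for magic, kind in MAGICS.items():
        if head.startswith(magic):
            return kind
    return None


def sha256_of(path):
    """Stream the file through SHA-256 so large binaries don't load into RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_tree(root, expected):
    """Return {relative_path: (kind, status)} for every binary under root.

    expected maps relative path -> sha256 of the reviewer's own build.
    status is 'matches-own-build', 'hash-mismatch' or 'unexpected'
    (a binary the manifest does not know about at all).
    """
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            kind = file_kind(full)
            if kind is None:
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digest = sha256_of(full)
            if rel not in expected:
                status = "unexpected"
            elif expected[rel] == digest:
                status = "matches-own-build"
            else:
                status = "hash-mismatch"
            report[rel] = (kind, status)
    return report


def build_demo_tree():
    """Construct a throwaway tree: two fake ELFs, a fake PE and a shell script.

    The manifest is set up so each binary exercises a different status.
    """
    root = tempfile.mkdtemp(prefix="vendored-audit-")
    os.makedirs(os.path.join(root, "bin"))
    fake_dnsmasq = b"\x7fELF" + b"\x01" * 60     # constructed, not a real ELF
    fake_helper = b"\x7fELF" + b"\x02" * 60
    fake_pe = b"MZ" + b"\x00" * 62
    with open(os.path.join(root, "bin", "dnsmasq"), "wb") as f:
        f.write(fake_dnsmasq)
    with open(os.path.join(root, "bin", "helper"), "wb") as f:
        f.write(fake_helper)
    with open(os.path.join(root, "bin", "tool.exe"), "wb") as f:
        f.write(fake_pe)
    with open(os.path.join(root, "run.sh"), "w") as f:
        f.write("#!/bin/sh\necho hello\n")
    expected = {
        "bin/dnsmasq": hashlib.sha256(fake_dnsmasq).hexdigest(),  # our build matched
        "bin/tool.exe": "0" * 64,                                 # our build differed
        # bin/helper deliberately absent: nobody expected a binary there
    }
    return root, expected


if __name__ == "__main__":
    demo_root, manifest = build_demo_tree()
    for rel, (kind, status) in sorted(audit_tree(demo_root, manifest).items()):
        print(f"{rel}: {kind} {status}")
```

A match only tells you the vendored file equals a build you trust; a mismatch is where the real work starts, since legitimate differences in compiler, flags or timestamps produce different bytes too, which is why reproducible builds matter for this kind of check.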
Why not just, y’know, demand a better router with better software?
Previously:
Thanks. So basically like Pi-Hole. Doesn’t seem either the easiest to set up or the most foolproof, but I think the only way to really do this securely is to be the router.
saving a few hours of my time on grief and maintenance is, in theory, worth the price
I agree, though nowadays the most useful support for products like this ends up being through user forums anyway.