Submitted By: Kenneth L. Anderson

Last fall, I installed surveillance, automation, and wifi for my home. I wanted to be able to view the camera video from my second residence or from anywhere else, so I connected the system to the Internet via a computer my son gave me that has two network interfaces. I installed Linux (free again), and was naively blissful for a week or two. Then, I noticed the Linux syslog recorded many, many login attempts and hacking attempts from IP addresses in China, Russia, North Korea, Sudan, etc. ad infinitum. This made me realize my need for a firewall. I researched and installed numerous firewall software packages and found they all suffered from a similar weakness - by default, they allowed the computer to be visible to all IP addresses of any origin. That certainly was NOT my idea of proper firewall operation! To configure them any other way was very much an uphill battle because, I think, their market is enterprises that intend to offer public Internet services and want to be stranger-visible. Private home systems, on the other hand, aren't meant to offer access to anyone but the owner, so they should NOT be stranger-visible. I believe that this default paradigm of stranger-visibility not only is non-intuitive for a mere home-owner to use - but actually deceiving, considering the mental image that the term "firewall" induces. Determined to stop hackers from STEALING the Internet bandwidth that I pay for, besides their threatening to hack into my computer property, I developed a firewalling configuration (consisting of an iptables ruleset plus a supporting bash script-set) that follows what I consider to be a more intuitive philosophy of being totally invisible to strangers. Works like a charm! I now have completely secure full remote access to my surveillance cameras and my home automation Arduino by virtue of the port knocking and "remote control via email" aspects I've included in it.
Plus, it sends me text and email alerts for the events I need, like when it gets a new dynamic IP address (home-owner dynamic addresses are the default from ISPs), or whenever I or an imposter "port knocks" in, or I (or an imposter) whitelists through email a new location to communicate to, or if a malfunction occurs, etc. I am so impressed with how robust this more-than-a-firewalling solution has been working - without a hitch for 9 months now. I feel that its extraordinary robustness is a direct result of the project being developed in free-to-use Linux rather than the costly-to-use Windows operating system, and in a shell script language (bash) rather than a compiled language like C. I am now developing a replication script to share the rule- and script-set with anyone else who needs firewalling, has a two-interface computer for it, and chooses Linux for the operating system. I think that owners of home wifi, automation, and surveillance systems especially could benefit from this. I have used DoSpace's Raspberry Pis to ensure this ruleset and its replicator script install and run on them. My replicator script is in the final stages of development, beta-ready and free on GitHub for owners of two-interface computers currently in need of it. Search for POOFITEE (Perfect Owner-Only Firewall, Invisible To Everyone Else). If Internet visibility is acceptable to you, you can still offer public access to web pages, etc. with the advantage that you turn ON specific access rather than trying to chase down ports and services you have to turn OFF if you use the other firewalling solutions that start with everything turned on. Stay tuned: Using DoSpace Raspberry Pis as my development platform and the virtual network interface feature of Linux, I hope soon to include the ability in this project to allow single-interface, low-cost Linux computers like the Raspberry Pi to work as firewalls.
This is entirely possible by connecting it and their other network devices through an ethernet switch (instead of a hub, and not any more expensive) to their cable modem, then setting the firewall device only, its non-virtual interface specifically, as a DHCP client.
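To make the "owner-only, invisible to everyone else" philosophy concrete, here is an added example (written for this page, not POOFITEE's own script-set) that generates a default-deny iptables ruleset in iptables-restore format: the INPUT policy is DROP, the LAN side is trusted, only addresses in a whitelist file get in from the WAN, and a correct port-knock sequence opens one protected port for 30 seconds while logging the knock so an alert can be raised. Interface names, the whitelist contents, the knock ports and the protected port are all assumptions constructed for the example; the email whitelisting described above is represented only by the whitelist file such a mechanism would append to.

```shell
#!/bin/sh
# Added example, not POOFITEE's own code: emit an owner-only, default-deny
# iptables ruleset in iptables-restore format. Interface names, whitelist
# contents, knock sequence and protected port are constructed assumptions.
set -eu

# build_ruleset WAN LAN WHITELIST_FILE PROTECTED_PORT KNOCK_PORT...
# WHITELIST_FILE holds one IPv4 address or CIDR per line; '#' starts a comment.
# Usage: build_ruleset eth0 eth1 /etc/owner-whitelist 22 7000 8000 9000 | iptables-restore
build_ruleset() {
  wan=$1; lan=$2; whitelist=$3; port=$4; shift 4
  echo '*filter'
  echo ':INPUT DROP [0:0]'        # default deny: the box is invisible to strangers
  echo ':FORWARD DROP [0:0]'
  echo ':OUTPUT ACCEPT [0:0]'
  echo '-A INPUT -i lo -j ACCEPT'
  echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
  echo '-A INPUT -m conntrack --ctstate INVALID -j DROP'
  echo "-A INPUT -i $lan -j ACCEPT"                 # the home side is trusted
  # Owner locations (e.g. the second residence): full access from these only.
  while IFS= read -r line || [ -n "$line" ]; do
    ip=$(printf '%s' "${line%%#*}" | tr -d '[:space:]')   # strip comment and blanks
    [ -n "$ip" ] || continue
    echo "-A INPUT -i $wan -s $ip -j ACCEPT"
  done < "$whitelist"
  # Port knocking with the recent module: each correct knock within 10 s advances
  # one stage (the knock itself is still dropped, so the port looks closed); only
  # a completed sequence unlocks PROTECTED_PORT for 30 s from that source address.
  prev=''; n=0
  for knock in "$@"; do
    n=$((n + 1))
    if [ -z "$prev" ]; then
      echo "-A INPUT -i $wan -p tcp --dport $knock -m recent --name K$n --set -j DROP"
    else
      echo "-A INPUT -i $wan -p tcp --dport $knock -m recent --name $prev --rcheck --seconds 10 -m recent --name K$n --set -j DROP"
    fi
    prev=K$n
  done
  if [ -n "$prev" ]; then
    # Log every successful knock so the owner can be alerted to an imposter.
    echo "-A INPUT -i $wan -p tcp --dport $port -m recent --name $prev --rcheck --seconds 30 -j LOG --log-prefix \"OWNER-KNOCK: \""
    echo "-A INPUT -i $wan -p tcp --dport $port -m recent --name $prev --rcheck --seconds 30 -j ACCEPT"
  fi
  # Everything else arriving on the WAN falls through to the DROP policy:
  # no reject, no ICMP reply, nothing for a scanner to see.
  echo 'COMMIT'
}
```

Because the policy is DROP rather than REJECT, unsolicited probes get no answer at all, and the only rules that ever need editing are the ones that turn access ON.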