I have a Hisense TV. I was wondering if there’s an easy way to firewall their TV so that it only has access to Google Store and Netflix? Make it so the TV can’t reach anything else?

I don’t currently have any firewall. I have ddwrt as my main router. I can whip up a pihole if needed.

  • ASU_knowITall@alien.top · 2 years ago

    I am using PF Sense for a similar use case. You might need to allow a few other things (DNS, NTP).

  • Z-Waver@alien.top · 2 years ago

    Yes. You will need to use firewall rules to allow the IPs of the desired services and then deny all other traffic to-from the TV.

    Your challenge is that DDWRT only supports numeric IP addresses in its rules, and not Fully Qualified Domain Names (FQDN). So, for your current firewall, you will need to create a list of all the desired IP addresses and then create allow rules for each, or each subnet (range). You’ll need to update this list regularly as the individual IPs change semi-frequently.

    A Pi Hole might work but it would be prone to leakage, letting undesired traffic pass, and not block hard coded IPs.

    If you had a firewall that allowed you to use FQDNs in rules/policies then you could easily achieve your goal. There are several somewhat pricey commercial firewalls that can do FQDN policies. On the free side, pfSense/OPNsense can do FQDN policies using aliases. There may also be others that I am not aware of.

  • dashid@alien.top · 2 years ago

    I did some work on locking down an Android tablet, found it quite hard to do. With CDNs etc in play, the IP ranges that need to be opened are quite vast and generic (i.e. lots of cloud providers that host half the Internet).

    I used Squid HTTP proxy for URL inspection, but still, many generic domains were being connected to. And I found that an app, including some Google system ones, didn’t always respect the device’s proxy settings and would simply fail.

    For TVs, I’ve kinda gone meh, and isolated them from other devices, but given them Internet access.

    • androidusr@alien.top (OP) · 2 years ago

      OK, thanks for sharing your experience. Super useful to have someone go down a route before me.

  • luissantos87@alien.top · 2 years ago

    Short answer: most likely not achievable 100%. Long answer: possible if the right conditions are met.

    If someone tells you differently and provides a simple answer they most likely don’t fully understand the problem.

    There are only two ways to restrict traffic: you either use a firewall or a proxy. Firewalls work at the TCP/IP layer and proxies at the HTTP layer. Let’s focus on the IP layer because these apps likely use HTTPS and SSL pinning, making it impossible to proxy their requests without modifying the app and the TV.

    To block it at the IP layer you need to know Netflix and Google IP addresses. Their services are highly dynamic and change IP addresses all the time.

    Google provides a list of IP addresses. Netflix I’m not sure. Read this page until the end: https://support.google.com/work/android/answer/10513641?hl=en

    You would need to scrape this information and update your firewall rules frequently to avoid it breaking. And this would not prevent access to other Google services.

    I think this is all very impractical and you are likely to give up during the process. A more reasonable setup is to do something that gets you closer to the final goal but has some flaws.

    You could block DNS resolution to all domains and only allow certain domains. This way only play store and Netflix domains could be accessed. This can be achieved by having a configurable DNS server like pihole https://pi-hole.net/.

    This won’t prevent your TV from accessing other services but it will tell your TV that they don’t exist or that they are located in the wrong IP address and your TV will fail to connect.

    But this is not perfect. If your TV has some hardcoded IP addresses or it uses a different protocol to resolve the domains it needs it will still be able to connect to external services.

    If your safety was on the line this method would likely not be viable, but because you’re likely trying to protect against some general Chinese corporation data-gathering practices or to prevent someone in your house from using the TV for other means, this should be enough.

    • RydRychards@alien.top · 2 years ago

      I’d recommend setting up the router so that “dns requests” are always forwarded to your pihole so that at least hardcoded dns servers are caught. Depends on the router how this can be done (if at all).

    • Me-and-thousand@alien.top · 2 years ago

      This. Good writing. I would add that you need log collection additionally on top of it. That will help to determine what is the baseline (bare Hisense) … then you deny-all and do whitelisting according to your investigation and hunting. It can take weeks…

    • Enderwolf17@alien.top · 2 years ago

      This is the route and actually wouldn’t be too hard if you just read the logs while going to different pages on the TV or see if anyone has made a block list for your TV. It will just take time for you to get everything added.
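A worked example that puts the thread's suggestions together in one DD-WRT firewall script: Z-Waver's per-IP allow rules followed by a deny-everything-else for the TV, RydRychards' forced redirection of DNS to the Pi-hole so hard-coded resolvers are caught, and the log-then-whitelist baselining from the last two replies. This is added code, not something anyone in the thread posted; the TV address (192.168.1.50), Pi-hole address (192.168.1.10), LAN bridge (br0) and the allowlist path are assumptions.

```shell
#!/bin/sh
# Constructed DD-WRT firewall-script example (not from anyone in the thread).
# Assumed values: TV at 192.168.1.50 (static DHCP lease), Pi-hole at 192.168.1.10,
# LAN bridge br0, allowlist of CIDRs in /jffs/tv_allow.txt (one per line).
# The function prints iptables commands instead of running them so the rule set
# can be reviewed first; on the router, pipe the output into sh.
TV_IP="${TV_IP:-192.168.1.50}"
PIHOLE_IP="${PIHOLE_IP:-192.168.1.10}"
LAN_IF="${LAN_IF:-br0}"
CHAIN="TV_OUT"

tv_rules() {
    allow_file="$1"
    echo "iptables -N $CHAIN 2>/dev/null"
    echo "iptables -F $CHAIN"
    # Return traffic for flows the TV was allowed to open
    echo "iptables -A $CHAIN -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # DNS only to the Pi-hole, which forwards upstream on the TV's behalf
    echo "iptables -A $CHAIN -d $PIHOLE_IP -p udp --dport 53 -j ACCEPT"
    echo "iptables -A $CHAIN -d $PIHOLE_IP -p tcp --dport 53 -j ACCEPT"
    # NTP left open to any server (TVs usually pin a vendor pool); narrow it once the host is known
    echo "iptables -A $CHAIN -p udp --dport 123 -j ACCEPT"
    # Hand-maintained destination ranges (Netflix / Google Play); '#' lines are comments
    grep -v '^[[:space:]]*#' "$allow_file" | grep -v '^[[:space:]]*$' |
    while read -r cidr; do
        echo "iptables -A $CHAIN -d $cidr -j ACCEPT"
    done
    # Anything else: rate-limited log line for baselining (grep TV_DROP in syslog), then drop
    echo "iptables -A $CHAIN -m limit --limit 5/min -j LOG --log-prefix \"TV_DROP: \""
    echo "iptables -A $CHAIN -j DROP"
    # Jump into the chain for the TV's traffic, ahead of DD-WRT's own FORWARD rules
    echo "iptables -D FORWARD -i $LAN_IF -s $TV_IP -j $CHAIN 2>/dev/null"
    echo "iptables -I FORWARD 1 -i $LAN_IF -s $TV_IP -j $CHAIN"
    # Hard-coded resolvers in the TV firmware: rewrite any port-53 traffic to the Pi-hole.
    # MASQUERADE makes the Pi-hole answer back through the router, so the reverse NAT is
    # applied and the TV sees the reply come from the server it actually asked.
    for proto in udp tcp; do
        echo "iptables -t nat -I PREROUTING 1 -i $LAN_IF -s $TV_IP ! -d $PIHOLE_IP -p $proto --dport 53 -j DNAT --to-destination $PIHOLE_IP:53"
        echo "iptables -t nat -A POSTROUTING -o $LAN_IF -s $TV_IP -d $PIHOLE_IP -p $proto --dport 53 -j MASQUERADE"
    done
}

# Only emit rules when given an allowlist path, so the file can also be sourced for the function
if [ -n "${1:-}" ]; then
    tv_rules "$1"
fi
```

Run it once with the allowlist path to print the rules and check them, then install the same script as the router's firewall script so the chain is rebuilt on every WAN-up; the TV_DROP log lines are what you read while exercising the TV to decide which ranges to add to the allowlist.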