Iptables and home assistant

I am in the process of trying to setup my firewall rules for home assistant. Is there a list anywhere of the known services/organizations/cidr used by Home Assistant? If not, could we start one here?

It would be nice to have, instead of breaking things to identify good vs bad.

As a start, I am pretty sure 85.25.236.0/255.255.255.0 (BSB Services) is used for location by the iOS app.

The innate problem with this is that those IPs and networks can change without any announcement. Hence I personally am unsure whether this makes sense without some automated method of keeping such a list up to date. On the other hand I know from the rather small IT company I work for that public IPs usually don't change often, and if they do, it's just a different one within the same network. Ultimately everything keeps working by having the product point to a hostname, which in turn points to whatever IP address is currently the valid one.

That being said, I want to outline the process I go through to determine the IPs and networks I want to whitelist. I'm not sure if this is the ideal way (more will be whitelisted than necessary), but so far it has served my purposes and may help others to gather such information for the components they want to use.

Using Netatmo as an example, this is the process I use to gather IP information:

  1. The Netatmo documentation states that the cloud services are reachable under dev.netatmo.com.
  2. To find out which IP(s) this domain points to I use the command: nslookup dev.netatmo.com. The result is a list of multiple IP addresses:

         Non-authoritative answer:
         dev.netatmo.com canonical name = front.netatmo.net.
         Name:   front.netatmo.net
         Address: 62.210.178.168
         Name:   front.netatmo.net
         Address: 195.154.179.238
         Name:   front.netatmo.net
         Address: 195.154.199.173
         Name:   front.netatmo.net
         Address: 195.154.172.147
         Name:   front.netatmo.net
         Address: 62.210.82.117

  3. These 5 IP addresses can now be used to dig deeper using the following command (using the first IP of the lookup as an example): whois 62.210.178.168. The result (reduced to what matters) looks like this:

         inetnum:        62.210.128.0 - 62.210.255.255
         ...
         % Information related to '62.210.0.0/16AS12876'

         route:          62.210.0.0/16
         ...
         origin:         AS12876

  4. The result of the whois query tells us that the IP is within the range that's displayed at inetnum. What we see at route is a broader network, but that's actually the complete range assigned to the company that owns this IP range. Whether you want to trust only the inetnum range or the complete one is up to you.
  5. To go a step further it is interesting to look at what origin: AS12876 actually reveals. This refers to the sum of networks the company with the assigned ASN 12876 owns. This can be looked up here: https://ipinfo.io/AS12876 (simply append any ASN to the base URL).
  6. The resulting website at ipinfo.io has a section called IP Address Ranges. Here we see all the networks assigned to the ASN. Knowing that Netatmo is a French company, it's probably safe to ignore the networks with Dutch flags prepended. Detailed information about the network we are looking for can be found by clicking on the IP range: https://ipinfo.io/AS12876/62.210.0.0/16. From there we get to https://ipinfo.io/AS12876/62.210.0.0/16-62.210.178.0/23, and there we find the IP we started from: https://ipinfo.io/62.210.178.168. And as we see now by looking at the hostname, this belongs to Netatmo.
     BUT (back to https://ipinfo.io/AS12876): I have monitored the IPs of incoming connections of the webhooks functionality for the Welcome camera, and besides the IP ranges related to the networks we can infer from the IP addresses of the nslookup, there were also some starting with 51.... And indeed, the network 51.15.0.0/16 is also listed here.

Browsing through the whole ASN to find everything related to your target IP may be a bit overkill. But I personally consider it safer to whitelist any (or a few) of the networks of AS12876, which is called ONLINE SAS. This includes way more than necessary, but it also does NOT include anything that's directly related to some-dangerous-country. So this approach ensures the required IPs get access in almost any case, while at the same time not whitelisting anything that's totally unrelated.

The same could be done for Google (ASN 15169, although they may have other ASNs too) to generically allow Google traffic when using Google Home etc. Again, this whitelists way more than needed if you just use every network that's listed. But if you trust Google you probably won't expect any attack originating from their servers. And of course you can follow the rabbit down the hole as I did above to get more specific about the networks and IPs you see connecting to your machine.

Another possibly useful bit of information:
The example with Netatmo and their parent ASN is easily comprehensible. If, for example, we look at AS3320 (Deutsche Telekom, a big ISP in Germany), you see they have over 500 networks, also including ones from all around the world that are totally unrelated to their own business.
On the other hand, the ISP customers with dynamic IP addresses will most definitely get their IP out of one of the listed pools. So if you expose HASS to the web, you could simply whitelist all the networks directly related to the Telekom and could be pretty sure that you will always have access if your mobile ISP is Telekom as well.
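The whois walk described in the post above, as an added example for this thread (not code from the original post, from Home Assistant or from Netatmo): it parses a whois answer of the shape shown, turns the inetnum range into CIDR, and then checks which of the nslookup addresses (and a webhook source address) the inetnum scope and the broader route scope would actually cover. Everything it works on is constructed from the post's own numbers; 51.15.10.20 is an assumed representative of the 51.15.0.0/16 block, not an address observed anywhere. On a real system the output of `whois <ip>` would be fed into parse_whois() instead of the embedded string.

```python
"""Turn the whois answer for one resolved address into CIDR networks and
check which other observed addresses those networks cover.

Added example for this thread, not code from Home Assistant or Netatmo. The
whois text and the address lists below are constructed to mirror the post's
output; a real run would feed the output of `whois <ip>` into parse_whois().
"""
import ipaddress
import re

# Constructed: a reduced RIPE-style whois answer in the shape shown in the post.
SAMPLE_WHOIS = """\
inetnum:        62.210.128.0 - 62.210.255.255
netname:        ONLINE_SAS
country:        FR
% Information related to '62.210.0.0/16AS12876'

route:          62.210.0.0/16
descr:          Online SAS
origin:         AS12876
"""

# Constructed: the five addresses nslookup returned in the post ...
NSLOOKUP_ADDRESSES = ["62.210.178.168", "195.154.179.238", "195.154.199.173",
                      "195.154.172.147", "62.210.82.117"]
# ... plus an assumed webhook source inside the 51.15.0.0/16 block the post mentions.
WEBHOOK_SOURCE = "51.15.10.20"

FIELD_RE = re.compile(r"^(inetnum|route|origin):\s*(.+?)\s*$", re.MULTILINE)


def parse_whois(text):
    """Extract inetnum, route and origin from whois output.

    inetnum is a 'first - last' range, so it is summarised into one or more
    CIDR blocks; route is already CIDR; origin is kept as the ASN string.
    """
    fields = dict(FIELD_RE.findall(text))
    if "inetnum" not in fields:
        raise ValueError("no inetnum: line found; not a RIPE-style answer?")
    first, last = (ipaddress.ip_address(p.strip()) for p in fields["inetnum"].split("-"))
    result = {"inetnum": list(ipaddress.summarize_address_range(first, last))}
    if "route" in fields:
        result["route"] = ipaddress.ip_network(fields["route"], strict=False)
    if "origin" in fields:
        result["origin"] = fields["origin"]
    return result


def covered(networks, address):
    """True if address falls inside any of the given networks."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in networks)


def uncovered(networks, addresses):
    """Addresses outside every network: each of these still needs its own
    whois lookup before the rule set is complete."""
    return [a for a in addresses if not covered(networks, a)]


if __name__ == "__main__":
    info = parse_whois(SAMPLE_WHOIS)
    print("inetnum as CIDR:", [str(n) for n in info["inetnum"]])
    print("route:", info["route"], "origin:", info["origin"])
    scopes = {"inetnum": info["inetnum"], "route": [info["route"]]}
    for name, nets in scopes.items():
        print(f"{name} still misses:", uncovered(nets, NSLOOKUP_ADDRESSES + [WEBHOOK_SOURCE]))
```

The point the output makes: even the broad route scope only covers the two 62.210.x addresses, so the three 195.154.x addresses and the 51.15.x webhook source each need their own whois pass (or the ASN-wide list from ipinfo) before the whitelist is complete.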

Thank you for your response. I do appreciate the information and will work through it when I have a minute.

Problem one though, your example starts out with a known:

The Netatmo documentation states, that the cloud-services are reachable under dev.netatmo.com

Say for example, I needed to know what services and/or networks the homebridge plugin and homebridge use to track a phone.

I think the change is fine as long as we keep a master list in the first post. I would be willing to keep up with any edits.

Well, I guess that knowledge is inherently necessary. If the vendors of cloud solutions don't publish at least some hint, then you have to manually look at the traffic. Or you go through the ASN method which I have mentioned. Let's say you want to whitelist Microsoft because you use some of their cloud stuff. The information you get can be seen at AS8075. Allow access from all IP ranges and everything should be fine. The same can be done for Apple or other big companies. If you aim for finer granularity, there's no other choice than continuously monitoring the traffic. As I said before, IPs change over time. So whitelisting single IPs isn't a durable solution. Using the networks companies have, on the other hand, should be pretty robust.

With this forum software it's not possible to update the initial post endlessly. I suggest creating a repository at GitHub where others can contribute. There could be just a bunch of text files named after the components or vendors they target, containing one IP/network per line. That's easy to parse with bash or any other scripting language that can use those lists to create firewall rules.
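The list-file idea in the post above, as an added example for this thread (not code from the original post or from Home Assistant): per-vendor files with one IP or network per line are parsed, bad lines are reported instead of silently dropped, overlapping entries are merged, and the result is emitted as iptables/ip6tables commands for a dedicated chain, with each rule tagged with the vendor name through the comment match. The file contents are embedded as strings so the script runs offline; the chain name HA_VENDORS, the vendor name example-vendor and its 203.0.113.0/24 and 2001:db8::/32 ranges are assumptions (documentation ranges), while the netatmo entries are the networks named in the thread.

```python
"""Build iptables rules from per-vendor allow-lists (one IP or network per line).

Added example for this thread, not code from Home Assistant. The file
contents are embedded as strings so it runs offline; on a real system they
would be read from the text files in the suggested repository. The chain
name and the 'example-vendor' entries are assumptions for illustration.
"""
import ipaddress

# Constructed stand-ins for files such as lists/netatmo.txt
VENDOR_LISTS = {
    "netatmo": """\
# Online SAS ranges seen via whois / ipinfo (from the thread)
62.210.0.0/16
51.15.0.0/16
62.210.178.168      # single host, merged into 62.210.0.0/16 below
""",
    "example-vendor": """\
203.0.113.0/24
203.0.113.0/25      # duplicate inside the /24, will be merged
2001:db8::/32       # IPv6 goes to ip6tables
not-an-address      # bad line, reported and skipped
""",
}


def parse_list(text):
    """Return (networks, bad_lines). Accepts 'a.b.c.d', 'a.b.c.d/nn' and
    IPv6; anything after '#' is a comment."""
    nets, bad = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            bad.append(raw.strip())
    return nets, bad


def collapse(nets):
    """Merge duplicates and overlaps per address family so each rule is unique."""
    v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    return list(v4), list(v6)


def build_rules(vendor_lists, chain="HA_VENDORS", match="-s"):
    """Produce iptables/ip6tables commands: a dedicated chain with one ACCEPT
    per network, tagged with the vendor name via the comment match.

    match is '-s' for traffic coming from the vendor (webhooks) or '-d' for
    traffic going to it (Home Assistant -> cloud). Returns (commands, problems);
    problems lists the lines that were skipped so the list can be fixed.
    """
    commands = [f"iptables -N {chain}", f"ip6tables -N {chain}"]
    problems = []
    for vendor, text in sorted(vendor_lists.items()):
        nets, bad = parse_list(text)
        problems += [f"{vendor}: {b}" for b in bad]
        v4, v6 = collapse(nets)
        for tool, group in (("iptables", v4), ("ip6tables", v6)):
            for net in group:
                commands.append(
                    f"{tool} -A {chain} {match} {net} -m comment --comment {vendor} -j ACCEPT")
    return commands, problems


if __name__ == "__main__":
    cmds, probs = build_rules(VENDOR_LISTS)
    print("\n".join(cmds))
    for p in probs:
        print("skipped:", p)
```

The chain ends without a final rule on purpose: jump to it from INPUT (for webhooks, `-s`) or from OUTPUT (for Home Assistant's own connections, `-d`) and decide in the calling chain whether unmatched traffic is dropped or logged first, so LAN and DNS traffic are not caught by accident.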