Hi there,
I want to try HAOS at home with my KNX system and see how it feels to work with it.
So I installed HAOS as described in the guide and put it in a separate network (isolated from the rest).
My opinion is that HAOS could be a very critical system for the IoT devices at home, so I would strictly isolate it.
On starting HAOS I see a lot of “outbound” traffic, so my question:
Is there any documentation available about the required outbound destinations, including their ports?
Or better, why does HAOS need these outbound connections? Cloud management?
As written in your guidelines, I see that HAOS should be the one and only data-secure solution for home automation.
On first load, Home Assistant will source the required files to create an up-to-date instance.
After the initial install there are checks by the Supervisor to look for updated version info. The destination of this is in your Supervisor logs.
After that, I think any other outbound traffic would be up to whether you request an update to be installed or what integrations you have installed. The default weather integration, for example, needs to check periodically to update those values.
Then there is internal network traffic. Discovery is done via multiple protocols to look for other devices to add to Home Assistant. These are in the default config and are integrations like SSDP, Zeroconf and DHCP discovery.
I'm sure that others will chime in with what I have missed, but those are the basics as I understand them.
Hi,
small feedback from my side on the required outbound connections; maybe somebody can give a short statement about that.
Every time I restart HAOS I need an outbound connection, otherwise the integrations can't come up.
Integrations I used for this test: KNX, Tasmota, Victron, OPNsense, MQTT
I am not able to change any configuration of the add-ons without outbound connections allowed. Especially, setting the ‘credential-secret’ in Node-RED requires an outbound connection!
Same with SSH and so on.
So please tell me, for security reasons, why is this necessary? I can’t understand that.
Well, I can only tell you about KNX. It will require a connection to your IP interface (UDP and maybe TCP) and multicast on the usual group/port. Other than that, no connections are made.
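Since the thread never gets to a written list of outbound destinations, the practical way to answer the original question on an isolated VLAN is to log every new flow from the HAOS host at the firewall and sort it into discovery traffic (the SSDP, Zeroconf/mDNS, DHCP and KNX multicast mentioned above), LAN traffic to your own devices, and real internet destinations. The following script is an added example written for this thread; it is not code from the post authors or from the Home Assistant project. It assumes the firewall writes iptables/nftables-style LOG lines, that the HAOS host is 192.168.50.10 on 192.168.50.0/24, and that the sample log lines are constructed. The multicast group/port pairs for SSDP (239.255.255.250 UDP 1900), mDNS (224.0.0.251 UDP 5353) and KNXnet/IP routing (224.0.23.12 UDP 3671) are protocol facts, not HAOS specifics.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample in iptables/nftables LOG format (not from any real install).
# Assumption: HAOS is 192.168.50.10, the isolated VLAN is 192.168.50.0/24.
SAMPLE_LOG = """\
Jan 10 08:00:01 fw kernel: [FWD] IN=vlan50 OUT=wan SRC=192.168.50.10 DST=203.0.113.7 TTL=63 PROTO=TCP SPT=51000 DPT=443 SYN
Jan 10 08:00:02 fw kernel: [FWD] IN=vlan50 OUT=wan SRC=192.168.50.10 DST=203.0.113.7 TTL=63 PROTO=TCP SPT=51001 DPT=443 SYN
Jan 10 08:00:03 fw kernel: [FWD] IN=vlan50 OUT=wan SRC=192.168.50.10 DST=198.51.100.20 TTL=63 PROTO=TCP SPT=51002 DPT=80 SYN
Jan 10 08:00:04 fw kernel: [FWD] IN=vlan50 OUT= SRC=192.168.50.10 DST=239.255.255.250 TTL=4 PROTO=UDP SPT=40000 DPT=1900
Jan 10 08:00:05 fw kernel: [FWD] IN=vlan50 OUT= SRC=192.168.50.10 DST=224.0.0.251 TTL=255 PROTO=UDP SPT=5353 DPT=5353
Jan 10 08:00:06 fw kernel: [FWD] IN=vlan50 OUT= SRC=192.168.50.10 DST=224.0.23.12 TTL=16 PROTO=UDP SPT=3671 DPT=3671
Jan 10 08:00:07 fw kernel: [FWD] IN=vlan50 OUT= SRC=192.168.50.10 DST=255.255.255.255 TTL=64 PROTO=UDP SPT=68 DPT=67
Jan 10 08:00:08 fw kernel: [FWD] IN=vlan50 OUT=vlan50 SRC=192.168.50.10 DST=192.168.50.5 TTL=64 PROTO=TCP SPT=51003 DPT=8883 SYN
Jan 10 08:00:09 fw kernel: [FWD] IN=vlan50 OUT=wan SRC=192.168.50.10 DST=203.0.113.53 TTL=63 PROTO=UDP SPT=41000 DPT=53
Jan 10 08:00:10 fw kernel: [FWD] IN=vlan50 OUT=wan SRC=192.168.50.77 DST=203.0.113.9 TTL=63 PROTO=TCP SPT=22000 DPT=443 SYN
"""

KV_RE = re.compile(r"(\w+)=(\S*)")

# Well-known LAN discovery destinations (protocol facts, not HAOS-specific).
DISCOVERY_SERVICES = {
    ("239.255.255.250", "udp", 1900): "SSDP",
    ("224.0.0.251", "udp", 5353): "mDNS/Zeroconf",
    ("224.0.23.12", "udp", 3671): "KNXnet/IP multicast",
}


def parse_line(line):
    """Extract SRC/DST/PROTO/DPT from one iptables-style LOG line, or None."""
    fields = dict(KV_RE.findall(line))
    if not {"SRC", "DST", "PROTO"} <= fields.keys():
        return None
    return {
        "src": fields["SRC"],
        "dst": fields["DST"],
        "proto": fields["PROTO"].lower(),
        "dpt": int(fields["DPT"]) if fields.get("DPT") else None,
    }


def service_name(flow):
    """Human label for well-known discovery flows, '' otherwise."""
    if (flow["dst"], flow["proto"], flow["dpt"]) in DISCOVERY_SERVICES:
        return DISCOVERY_SERVICES[(flow["dst"], flow["proto"], flow["dpt"])]
    if flow["proto"] == "udp" and flow["dpt"] in (67, 68):
        return "DHCP"
    return ""


def classify(flow, lan_nets):
    """Bucket a flow as 'discovery' (multicast/broadcast/DHCP), 'lan' or 'internet'."""
    dst = ipaddress.ip_address(flow["dst"])
    if dst.is_multicast or dst == ipaddress.ip_address("255.255.255.255"):
        return "discovery"
    if flow["proto"] == "udp" and flow["dpt"] in (67, 68):
        return "discovery"
    if any(dst in net for net in lan_nets):
        return "lan"
    return "internet"


def summarize(log_text, haos_ip, lan_nets):
    """Return {category: Counter('dst proto/port [(service)]' -> flow count)}
    for flows whose SRC is haos_ip; other hosts on the VLAN are ignored."""
    nets = [ipaddress.ip_network(n) for n in lan_nets]
    summary = defaultdict(Counter)
    for line in log_text.splitlines():
        flow = parse_line(line)
        if flow is None or flow["src"] != haos_ip:
            continue
        key = f"{flow['dst']} {flow['proto']}/{flow['dpt']}"
        label = service_name(flow)
        if label:
            key += f" ({label})"
        summary[classify(flow, nets)][key] += 1
    return dict(summary)


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG, "192.168.50.10", ["192.168.50.0/24"])
    for category in ("internet", "lan", "discovery"):
        print(f"== {category} ==")
        for key, count in sorted(result.get(category, {}).items()):
            print(f"  {count:3d}  {key}")
```

Run it against the real firewall log once HAOS has been up for a day; the `internet` bucket is the list of destinations you would need to allow (or deliberately block) on the isolated VLAN, and anything unexpected in `lan` is worth a look before you open it up.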
Check if those add-ons have the ‘i_like_to_be_pwned’ option in the configuration; if so, turn it on and it should hopefully bypass the need for a connection. I believe Frenck implemented a check for known compromised passwords against the haveibeenpwned.com database for the community add-ons.