Hey!
I got Kodi (Libreelec) on Raspi and want to use it in my own network.
And I want it to use Tor via SOCKS.
I first installed it in the GREEN network and configured it. It works.
Then I thought about the security, and here is a question: Is it better to install it in RED? Because of the addons (netflix, kodinerds). But then I must allow a RED IP for Tor on IPFire. Is it a lack of security or not? As I understand, it IS one, because one RED IP can get into the internal network. So is it better to install the box in the GREEN network, even with the addons?
I am not following. The red zone is the internet. It is the entry point to the firewall. If you put a Kodi box on the red side of your firewall, it means that you have another router taking the internet connection coming from your provider and routing it to IPFire. If you put Kodi in the local area network of this router in front of IPFire, then it is on the red side of IPFire. Is this what you are talking about?
If yes, it has no protection from the firewall. If you do not care, go ahead. About any risk for the green network, unless you create special rules to allow traffic from Kodi to go inside the green network (usually you need a destination NAT for that), it is not different from any other possible attack coming from any other host on the internet.
I think you only need to decide if you need IPFire to protect kodi. Regarding a potential surface of attack for the rest of the network, unless you write some specific rule in the firewall to allow access from the red side to green side, there is no increased danger.
The thing is that I cannot understand the level of trust for the Kodi apps (not from LibreELEC directly, but from the most used sources / forgot the names of them). I suppose they are not very trustworthy. To have them within GREEN is probably not so wise. So, is it a better solution to put Kodi in RED?
What about Tor on IPFire? Even if LibreELEC seems to have problems with the SOCKS proxy, I want to try to use it. But how can I do it?
FW rule: kodi-IP in RED allow to ipfire in GREEN with destination NAT and TCP 9050
Tor has just GREEN and BLUE as allowed subnets, so I suppose I must allow RED, mustn't I? (By the way, I did that, just to try, but it seems not to work.)
But is it not a security problem, if I allow RED to connect to the GREEN ipfire (even for tor)??
I think you have to set in the port forward rule as destination the firewall (meaning, IPFire machine).
Of course it is.
I think you have two options for a sensible topology of the network:
1) Put the Kodi machine in green and write a set of rules to block any traffic from Kodi to the rest of the green network, except the Tor traffic and the outbound internet traffic; not ideal but feasible; test your rules if you do this;
2) Increase the number of network interfaces to have a DMZ (technically better but the tradeoff is the purchase of new hardware):
2a) Buy a “smart” (as in layer 3) switch and sort the traffic using the VLAN in the existing network interfaces;
2b) buy an extension ethernet card or even a usb/ethernet adapter (compatible with the linux kernel used by IPFire).
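An added example (not from the thread and not IPFire's own code) that models option 1 as a first-match rule list, so the policy can be checked before it is entered in the firewall. All addresses are constructed, and it assumes GREEN is a single switched segment, in which case Kodi's traffic to other GREEN hosts never reaches the firewall and is reported as BYPASS.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addressing for illustration; none of it comes from the thread.
GREEN = ipaddress.ip_network("192.168.10.0/24")
FIREWALL = ipaddress.ip_address("192.168.10.1")   # firewall's GREEN address
KODI = ipaddress.ip_address("192.168.10.50")
ANY = ipaddress.ip_network("0.0.0.0/0")


def host(addr):
    """Single-address network, so a rule can match one host."""
    return ipaddress.ip_network(f"{addr}/32")


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str            # "tcp", "udp" or "any"
    port: Optional[int]   # None matches every port
    action: str


# First match wins; the order mirrors the policy in option 1.
RULES = [
    Rule(host(KODI), host(FIREWALL), "tcp", 9050, "ACCEPT"),  # Tor SOCKS
    Rule(host(KODI), GREEN, "any", None, "DROP"),             # rest of GREEN
    Rule(host(KODI), ANY, "any", None, "ACCEPT"),             # outbound internet
]


def decide(src, dst, proto, port):
    """Return ACCEPT/DROP, or BYPASS if the firewall never sees the packet."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # Assumption: GREEN is one switched segment, so host-to-host traffic
    # inside it is delivered directly and no firewall rule is evaluated.
    if src in GREEN and dst in GREEN and FIREWALL not in (src, dst):
        return "BYPASS"
    for r in RULES:
        if (src in r.src and dst in r.dst
                and r.proto in ("any", proto) and r.port in (None, port)):
            return r.action
    return "DROP"  # default when no rule matches
```

A BYPASS result marks a flow that has to be controlled somewhere other than the firewall rule set, which is the case a separate ORANGE interface or VLAN (option 2) removes.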
This is THE solution! USB-LAN-Adapter. But which adapters are compatible? I use IPFire 2.27 with 168 core.
The DuoBox I have here has 2 USB ports. If I connect my USB-LAN-Adapter (I have two of them: Anker A8341 / LogiLink UA0184A v.2) and set all 4 zones to active, it shows “remove” on ORANGE instead of the adapter. So I think they are both not compatible.
Or must I do something special to activate the USB-LAN-Adapter?
Bought a new one with the ASIX 88179 chipset (Ugreen USB 3.0), connected it to the USB of my DuoBox, rebooted it and it still shows me “remove” or “reject” (I translate it from German) on the ORANGE network (and no network card / adapter).
What do you mean by that?
As I understand, I must first set “type of the network configuration” to all 4 kinds of networks. There it says to me that I have just 3 and not 4 network cards. After that it just shows “remove” on ORANGE.
Wow… I must ask a very stupid question
If I list the / on IPFire it shows “ipfire”, but if I “cd ipfire” it shows “no such file or directory”. What's that??? So I cannot read the logs.
#Edit: ok “cd …” helps, but what's that directory I was in?
I cannot really find anything that has to do with the USB-LAN-Adapter in “/var/log/message”
In “bootlog” I get:
ax88179_178a 3-2:1.0 eth0: register 'ax88179_178a' at usb-0000:00:14.0-2, ASIX AX88179 USB 3.0 Gigabit Ethernet, f8:e4:3b:92:ef:c0
Does it mean, that it mounts the adapter as data drive?? I have no usb flash connected to DuoBox. Or is it just the internal one and has nothing to do with the entry below?
The first element on each line (you mixed several lines, I suppose) is the time since system start. Each line reports a new event.
The event at 4.209290 registers the driver for the USB LAN adapter. So it should be found as network interface by setup.
The way to network selection (for a German system):
Networking
Netzwerkkartenzuordnung
scroll down till "Möchten Sie diese Einstellungen ändern?", OK
select ORANGE, press “Auswählen”
now you should be able to select your USB LAN interface ax88179-178a
Ok, just one more step to get the KODI-box running
I configured ORANGE and set it to 10.x.x.0, configured the KODI-Box and set it to 10.x.x.1 with (first try) the gateway 10.x.x.0 (and second try with the gateway of the provider router). The network mask is 255.255.255.0 on both (network card and KODI-Box). I also set the external DNS server in the Kodi-Box. As I understand, I need no firewall rule for ORANGE just to get to the internet with the KODI-Box. In both cases (two different gateways, although I think that the 10.x.x.0 gateway is the right one) I got no connection.