About fw updates blocking ... again
Posted: Sun Oct 16, 2016 9:03 pm
Hi, my little contribution about the well-known subject.
Many routers are not flexible/powerful enough to set firewall rules (the only reliable way to block updates), and other features such as "URL filtering" or "parental control" are no good for HTTPS URLs.
In these cases, the only solution is the OpenDNS feature called "Web Content Filtering", by which we can set up some domains to block.
Anyway, for OpenDNS filtering to work properly, OpenDNS has to know our IP address (so that it can apply our rules to our DNS requests) but, unless we have a static IP, we have to notify OpenDNS of our IP at every IP renewal (typically network disconnections, modem/router reboots, etc.).
This job is done automatically by the OpenDNS Updater client (it's just like a DDNS updater), which can run on PCs but also on routers, and checks at given time intervals whether the IP address has changed.
But even with this scenario (OpenDNS), don't think you are safe about blocking updates!
When your line disconnects/reconnects and you have a new IP address, there is a little time frame with no protection at all (until the OpenDNS Updater sends the new IP to the OpenDNS servers): if the Sammy TV is faster than the OpenDNS Updater, your IP is unknown to OpenDNS, the DNS query performed by the TV will have no filter, and the firmware update will take place.
So, IMHO OpenDNS is not 100% safe to block updates and sooner or later a firmware update will go through.
But I think we have a simpler solution ... and here I ask for confirmation from the developers.
Suppose we have root privileges: we disconnect the network, set up the etc/hosts file with the well-known "127.0.0.1 msecnd.net" and "127.0.0.1 samsungotn.net", reboot the TV, and reconnect the network.
Now our TV should block 100% of fw updates.
Where am I wrong?
Of course, I understand it's hard (if not impossible) to have root on the latest firmware so, in the meantime, until root is released for a given fw level, we have to keep the network disconnected, or hope our IP changes are few and the OpenDNS Updater is always very fast.