info-beamer

Rules for a firewall in front of an Info-Beamer client


#1

Hello,
several installations of Info-Beamer are inside corporate buildings. So far the IT departments have put the device on a fixed address, and opened every connection/port to and from the Raspberry on the corporate firewall.

But maybe this is too much.
What are the minimum ports/hostname/ips that need to be opened in order for an InfoBeamer hosted to work?
I suppose an HTTPS connection to infobeamer.com is needed, and what more? Who initiates the websocket connection?

A list (if publicly available) would be nice to give to those IT departments.

Thanks
Walter


#2

Have a look here: https://info-beamer.com/doc/device-setup#settinguphosted


#3

Thanks! Sorry for being so dumb, I’ve overlooked this section.
Wonderful as usual.


#4

Be aware that just allowing all IPs that for example sync.info-beamer.com resolves to probably won’t work reliably: Here’s what this resolves to from the office:

Non-authoritative answer:
Name:   sync.info-beamer.com
Address: 143.204.214.58
Name:   sync.info-beamer.com
Address: 143.204.214.81
Name:   sync.info-beamer.com
Address: 143.204.214.33
Name:   sync.info-beamer.com
Address: 143.204.214.108

and from some VM in New York:

Non-authoritative answer:
Name:   sync.info-beamer.com
Address: 52.85.89.33
Name:   sync.info-beamer.com
Address: 52.85.89.109
Name:   sync.info-beamer.com
Address: 52.85.89.116
Name:   sync.info-beamer.com
Address: 52.85.89.184

So it’s not using Anycast for global load balancing but geo location based DNS. You’d really have to figure out all possible IPs using the provided documentation. Might get fiddly rather soon. And that’s just for AWS CloudFront.
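
Added example, not part of any post in this thread: a Python check that parses the two nslookup answers quoted in post #4 and reports which resolved addresses a given IP/CIDR allowlist would not cover. The `rules` list is a hypothetical firewall rule set built from the office lookup; `parse_nslookup` and `blocked` are names chosen for this sketch.

```python
import ipaddress
import re

# nslookup output as quoted in post #4: office resolver, then a VM in New York.
OFFICE = """Non-authoritative answer:
Name:   sync.info-beamer.com
Address: 143.204.214.58
Name:   sync.info-beamer.com
Address: 143.204.214.81
Name:   sync.info-beamer.com
Address: 143.204.214.33
Name:   sync.info-beamer.com
Address: 143.204.214.108
"""
NEW_YORK = """Non-authoritative answer:
Name:   sync.info-beamer.com
Address: 52.85.89.33
Name:   sync.info-beamer.com
Address: 52.85.89.109
Name:   sync.info-beamer.com
Address: 52.85.89.116
Name:   sync.info-beamer.com
Address: 52.85.89.184
"""

def parse_nslookup(text):
    """Return {hostname: set of addresses} from nslookup 'Name:'/'Address:' pairs."""
    answers, name = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*(Name|Address):\s*(\S+)", line)
        if not m:
            continue
        if m.group(1) == "Name":
            name = m.group(2)
        elif name:  # an 'Address:' before any 'Name:' is the resolver itself; skip it
            answers.setdefault(name, set()).add(ipaddress.ip_address(m.group(2)))
    return answers

def blocked(answers, allowlist):
    """Per host, the resolved addresses that no allowlist rule (IP or CIDR) covers."""
    nets = [ipaddress.ip_network(rule) for rule in allowlist]
    return {host: sorted(ip for ip in ips if not any(ip in n for n in nets))
            for host, ips in answers.items()}

# Hypothetical rule set: exactly the addresses the office resolver returned.
rules = [str(ip) for ip in parse_nslookup(OFFICE)["sync.info-beamer.com"]]
print(blocked(parse_nslookup(NEW_YORK), rules))
```

Fed with fresh lookups from each site, a non-empty result means the rule set no longer matches what DNS is handing out there.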


#5

Thanks.
So basically we should use hostnames, which I guess are not the best of things when speaking of firewalls? :slightly_frowning_face:


#6

That sounds like it will mostly work by accident then. I’m not sure how often those IPs change, but if they do, you’d have to resolve again. Doesn’t sound very reliable. Generally opening up 80/443 isn’t an option?


#7

Hi,

I guess that if we can ask to open just HTTP/HTTPS outgoing ports, it could be an option.
Really, it depends on the end client and sometimes their ITs are very picky about the rules they allow.

Will try this route
thanks
Walter