Claude Code Rebuilds Ancient Enigma2 Firewall

[el bandido]

For me personally, by far one of the best performances from Claude Code is this firewall, It will need to be tested on other receivers, but works nicely on the Octagon SF8008. The latest version (enigma2-plugin-security-firewall_1.0-r18_cortexa15hf-neon-vfpv4.ipk) Is not in the feeds or in a build. The firewall in OpenPLi feeds goes back a number of years, and probably around 2011 was the last working version. A lot of time and effort went into updating this plugin, mainly for my personal use, but also to be included in the TNAP builds.

Attached are two lengthy and perhaps at a point, boring documents about the efforts that went into this firewall, with at current count, 18 versions of the thing being made and rejected for one reason or another, or an improved version of the previous version. A lot of testing has gone into this firewall plugin, and it has been tested, proven to work as advertised. There can be no guarantee of individual results a user will have, and there is no such thing as a secure website or computer. But we do the best we can.

One file will need to be edited probably for each individual because each internet ip addresses will be expected to be different. Editing the file is easy, and can be done with Telnet, FTP, or plugins currently installed or available in TNAP images. The design of this firewall is simple: Let the few ip addresses through that the individual user needs, and block the rest! An onboard logger is also included. The logger shows the ip addresses of the attackers and also the port they were attacking.

Note: This Firewall is Useless If It is Turned OFF!
Do not depend on this firewall without checking it. If it is off, then you are subject to attackers. This firewall was updated and rebuilt to be used for streaming on the Internet using OpenWebif. It is but one piece of multi-layered security system. Using OpenWebif to stream over the Internet already requires a username and password. OpenWebif in TNAP was hardened a bit to discourage or confuse brute force attackers. A decent, long password should be considered for Internet streaming as that is your first line of defense, or last line of defense, depending on how you look at it.

Summaries from Claude Code are attached. They should be read in detail if you are considering the use of this firewall.

To be available in a future build, Revision r18 shown below.

 

[el bandido]

Added an Active connections monitor:

 

[el bandido]

Version 24 (1.0r24) of the firewall plugin has the Edision 4k receivers working correctly. There is a kernel difference, 4.4.35 for the Octagon SF8008 and similar receivers, while the Edision 4K receivers use kernel 5.15. So an image that has a working firewall for the Edision 4K receivers will be 1010-2025 and up.

 

[cyberham]

By jove...I have the firewall working. I even changed my root password. I've added my Edision and GT Media receivers and I can still log in using ftp, telnet as well as stream to my PC and Android phone. I should go buy a lottery ticket.

 

[el bandido]

Excellent that it works for you!
A lot of work went into this plugin, and it works as designed. In the firewall main menu, press the menu button on the remote, then press the blue button on the remote followed by the OK button. This will trigger the Intrusion Attempts Monitor and start logging ip addresses that attempt entry as shown:


Then go over to the OpenWebif plugin and open its menu:


Press the Blue remote button to see actual OpenWebif login attempts. There is built-in Brute Force attack protection in this plugin in case you are connected to the Internet and the firewall is off or somehow breached. ALL connections or attempts to connect to OpenWebif will be shown here when you are connected outside of the LAN (Internet). This allows us to stream from almost anywhere there is an Internet connection.



The firewall is much easier to setup than a VPN. But it could also be argued that it is not as secure either. But at the end of the day, we are only protecting a FTA receiver interface. Also important: The firewall is only as effective as what it is set to limit. So delete any ip addresses or ranges that are not needed. Recent firewall plugins have a Firewall Configuration Editor. Press the yellow button to use it.