Jerry,
Are you talking about the BBS Hierarchical Addressing Protocol that is
common with people running NOS BBS'es?
ftp://ftp.tapr.org/bbssig/recommendations/hierarchical
In all honesty from what I remember it's a lot of manual
configuration, that really seems quaint to me since all the NOS
programs also speak SMTP, the standard today.
It would seem the same could be accomplished using SMTP standards by
setting up some mail aliases.
I'm going to recommend the TAPR NOS-BBS list for (Hierarchical
forwarding) things of the non 21st century:
https://www.tapr.org/mailman/listinfo/nos-bbs
---- Quote ----
Is there anything written on the operation of ampr.org mail forwarding? We
routinely run h-address packet mail forwarding and I see some ampr.org mail
bulletins coming in from all over the world. I’m interested in the
addressing, routing, and just how does this mail forward. I run Ubuntu Linux
JNOS latest version.
Jerry, N0MR
"Loss of communications can only mean one thing... INVASION."
Sorry guys, someone had to say it ;-)
Assi kk7kx
-----Original Message-----
From: 44net-bounces+assi=kiloxray.com(a)hamradio.ucsd.edu
[mailto:44net-bounces+assi=kiloxray.com@hamradio.ucsd.edu] On Behalf Of Paul
Lewis
Sent: Tuesday, July 07, 2015 9:11 AM
To: AMPRNet working group
Subject: Re: [44net] Is the Portal down
Hi Brian
Thanks for the confirmation that the services are down.
73 de Paul G4APL GB7CIP
--
paul(a)skywaves.demon.co.uk
> Subject: [44net] Gateway filtering?
> From: Steve L <kb9mwr(a)gmail.com>
> Date: 07/03/2015 09:05 PM
> To: "44net(a)hamradio.ucsd.edu" <44net(a)hamradio.ucsd.edu>
>
> A few hosts behind my gateway want to accept general inbound internet
> connections.
>
> As discussed earlier there is a lot of crap and the gateway I run is
> off a residential internet connection. Combine that with some limited
> bandwidth radio links.
>
> I have been thinking about applying some IP blacklists using the ipset tool.
>
> ex: https://github.com/trick77/ipset-blacklist
>
> I am not super savvy on the more advanced functions of tcpip in the
> Linux networking stack.
>
> Since those in all the inbound packets from the internet are
> encapsulated at UCSD, how can I apply blacklisting? Can I apply them
> to the eth1 (wireless lan) output interface somehow?
>
> Examples are especially helpful.
>
> Thanks
>
> Steve, kb9mwr
>
I use this a lot in the Dutch gateway. First, I have an ipset that is loaded with the
list of allocated addresses within 44.137.0.0/16. You don't need to do that when you
are behind the UCSD gateway, but we have a BGP-advertised /16 so we get a lot of
crap for addresses that are not allocated.
Then, there is an ipset that is loaded with addresses of persistent abusers like shodan.io.
Finally, I have an ipset with those addresses for which the user has indicated that they
want to receive inbound connections from outside 44.0.0.0/8. This works in combination
with an iptables -m state --state ESTABLISHED,RELATED entry that passes the traffic
related to outgoing connections.
As a lot of hams are not interested in providing connectivity to the large internet, this filter
removes a lot of incoming traffic that would otherwise be blocked further down the path.
(at their incoming firewall)
The use of these ipset filters in the firewall is quite simple:
# Drop traffic from abusers
$ipt -A amprifwd -m set --match-set Hackers src -j DROP
# Drop traffic for addresses not registered in DNS
$ipt -A amprifwd -m set ! --match-set PAnet dst -j DROP
# Allow related traffic
$ipt -A amprifwd -m state --state ESTABLISHED,RELATED -j ACCEPT
# Drop traffic to stations that don't want incoming from internet to HAMnet
$ipt -A amprifwd ! -s 44.0.0.0/8 -m set ! --match-set HAMnet dst -j DROP
# Drop invalid traffic (not related to existing connections) except TCP close-down traffic
$ipt -A amprifwd -p tcp --tcp-flags ACK,FIN ACK,FIN -j ACCEPT
$ipt -A amprifwd -p tcp --tcp-flags RST RST -j ACCEPT
$ipt -A amprifwd -m state --state INVALID -j DROP
# Accept remaining traffic
$ipt -A amprifwd -j ACCEPT
Of course you need to apply this filter to the FORWARD chain for traffic incoming on your
tunnel interface and being forwarded to your radio interface.
You can write such a filter (without the ESTABLISHED,RELATED part) for traffic forwarded
outbound as well. E.g. to block traffic from nonregistered addresses.
When loading the ipsets, it is important to note that you cannot delete a set that is in use in
iptables. So I use this method (in a script that reloads the sets e.g. after an address update):
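# Make sure the live set exists (ignore the error if it already does)
ipset create HAMnet bitmap:ip range 44.137.0.0/16 2>/dev/null
# Build the replacement in a scratch set
ipset create HAMnet_new bitmap:ip range 44.137.0.0/16
ipset flush HAMnet_new
grep '^44\.137\.' hamnet | cut -f1 | while read -r ip
do
    ipset add HAMnet_new "$ip" || echo "Failed to insert $ip in HAMnet_new"
done
# Exchange the two sets, then drop the old contents
ipset swap HAMnet_new HAMnet
ipset destroy HAMnet_new 2>/dev/null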
This creates a new set, loads it with the data, then swaps it with the currently used set and
destroys that one. This operation is allowed while the set is in use, and of course is preferred
over just flushing the set and loading it, as during that brief time the filter could drop traffic.
Rob
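
The load-then-swap method from Rob's message, applied to the abuser set and fed from a plain blocklist file such as the ones Steve mentions. This is an added example, not code from the thread: the set name Hackers is from the post, while the hash:net set type, the one-entry-per-line feed format, the tunl0 interface name and the sample data are assumptions.

```sh
#!/bin/sh
# Added example, not from the original post. Set name "Hackers" is from the
# post; the hash:net type, feed format and sample data are assumptions.

# Constructed sample feed (documentation address ranges plus bad entries).
sample_blocklist() {
cat <<'EOF'
# constructed sample feed
192.0.2.15
198.51.100.0/24
44.137.1.1
203.0.113.7   # trailing comment
not-an-address
0.0.0.0/0
198.51.100.0/24
EOF
}

# Read a blocklist on stdin, print `ipset restore` commands on stdout.
# Entries are loaded into <set>_new, which is then swapped into place,
# so rules that reference <set> never see an empty or half-loaded set.
build_restore() {
    set_name=$1
    echo "create $set_name -exist hash:net family inet"
    echo "create ${set_name}_new -exist hash:net family inet"
    echo "flush ${set_name}_new"
    awk -v name="${set_name}_new" '
        { sub(/#.*/, ""); gsub(/[ \t]/, "") }   # strip comments, blanks
        /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/ {
            n = split($0, p, "[./]")
            for (i = 1; i <= 4; i++) if (p[i] > 255) next
            # Refuse prefixes shorter than /8: with that floor, only an
            # entry starting with 44. can overlap 44.0.0.0/8.
            if (n == 5 && (p[5] < 8 || p[5] > 32)) next
            if (p[1] == 44) next          # never block AMPRNet itself
            if (!seen[$0]++) print "add " name " " $0
        }'
    echo "swap ${set_name}_new $set_name"
    echo "destroy ${set_name}_new"
}

# On the gateway, as root (tunl0 is an assumed tunnel interface name; eth1 is
# the radio-side interface from the question). Packets leave the tunnel
# already decapsulated, so the rules match the original internet source:
#   build_restore Hackers < blocklist.txt | ipset restore
#   iptables -N amprifwd
#   iptables -A FORWARD -i tunl0 -o eth1 -j amprifwd
```

If a Hackers set already exists with a different type, the create and swap lines will fail; create it as hash:net or change the type in the script to match.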