I think that script is OK, except of course this line:
AMPRGW="<AMPRGW>"
Should be edited to the actual address of AMPRGW instead of that <AMPRGW>.
I think it is better to just put the literal address in the example code, as this kind of substitution
confuses people. When it changes, the Wiki can be updated. It is of course also possible to
look it up using DNS, but that will require another dependent package, e.g. "dig", and again may
confuse people.
>I tested it and it seems to work. Also believe diffutils doesn't need to
> be installed, either. I'll update the OpenWrt Wiki.
Correct, diffutils was only required for the iptables version, which uses the diff command to
generate changes once the table is initially loaded instead of replacing it from zero every time,
as the ipset version does.
> I only noted it in this particular best practices/tools thread due to
> messages in SEP2018:
Yes, that was a case where I actually received some "malicious" IPIP traffic, but it happens quite
seldom.
Of course it never hurts to lock down as well as possible, but I wanted to indicate that installing
this filter is not the full response to the security reminder that Brian posted. I hope people do
not think "Oh, Brian posted a security advisory and now there is this script that I do not yet
have so let's install it so my system is secured", as this is only a very small and probably
insignificant part of that whole security solution.
When someone wants quick-and-dirty solutions to the security problem, it is much better to
install some firewall rules according to this pattern:
- accept ESTABLISHED/RELATED
- accept new outgoing traffic
- accept new incoming traffic matching some specific addresses/ports/protocols
- drop everything else
It is usually easiest to have two of those rulesets, one that applies to traffic incoming on the
internet interface (where you want to accept protocol 4 using your ipset and not much else)
and one that applies to traffic incoming on the tunnel interface (where you are basically handling
AMPRnet traffic and may allow a bit more, but often you allow more from 44.0.0.0/8 than from other
addresses).
How complicated that ends up being is of course dependent on what services your system(s)
should expose, but at least it drops everything that you usually do not want to serve to the outside,
like SNMP and DNS.
Rob
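An added example, not from the mail or the Wiki scripts, of the two-ruleset pattern described above: an internet-side chain that accepts replies and protocol 4 from the ipset only, and a tunnel-side chain that allows a little more from 44.0.0.0/8. It assumes the interface names eth0 and tunl0, an existing ipset named ipipfilter, and ssh as the only service exposed on the tunnel side; the rules are printed for review unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example (not the thread's own script). Assumed names: WAN interface
# eth0, IPIP tunnel interface tunl0, ipset "ipipfilter" already created.
WAN_IF="${WAN_IF:-eth0}"
TUN_IF="${TUN_IF:-tunl0}"
IPSET="${IPSET:-ipipfilter}"

# Print the rule instead of applying it unless APPLY=1, so it can be reviewed.
ipt() {
    if [ "${APPLY:-0}" = "1" ]; then
        iptables "$@"
    else
        echo "iptables $*"
    fi
}

build_rules() {
    # One chain per incoming interface keeps the two rulesets readable.
    ipt -N IN_WAN
    ipt -N IN_TUN
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -i "$WAN_IF" -j IN_WAN
    ipt -A INPUT -i "$TUN_IF" -j IN_TUN

    # Internet side: replies to our own traffic, IPIP (protocol 4) only from
    # the gateways listed in the ipset, drop everything else.
    ipt -A IN_WAN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A IN_WAN -p 4 -m set --match-set "$IPSET" src -j ACCEPT
    ipt -A IN_WAN -j DROP

    # Tunnel side: replies, then a bit more from 44/8 than from other
    # addresses (here ssh and ping), still drop the rest.
    ipt -A IN_TUN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A IN_TUN -s 44.0.0.0/8 -p tcp --dport 22 -j ACCEPT
    ipt -A IN_TUN -s 44.0.0.0/8 -p icmp --icmp-type echo-request -j ACCEPT
    ipt -A IN_TUN -j DROP

    # New outgoing traffic is always allowed.
    ipt -P OUTPUT ACCEPT
}

build_rules
```

Traffic arriving on any other interface is not touched by these chains and falls through to the INPUT policy, which is where a LAN-side rule would go.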
> All,
> I implemented the code update. It's been added to Firewall Wiki under the ipset-based script.
> http://wiki.ampr.org/wiki/Firewalls#ipset <http://wiki.ampr.org/wiki/Firewalls#ipset>
> Thanks Rob!
Those scripts were adapted from mails that I sent to the list, but there are some funny things
in the versions on the Wiki.
The first version (with iptables) has comments that really aren't correct.
You must have had other problems while debugging this, as neither "the if iptables ... construct
does not work" nor "there must be no spaces or empty lines here" are true.
Maybe you had files with CRLF line endings (Windows editor) and/or other issues that were resolved
by other changes and this comment was left in there.
if command
then
is the same as:
command
if [ $? -eq 0 ]
then
There may be empty lines between the command and the if, this is no problem,
but of course there should be NO thing like "echo $?" between those lines!
Maybe you did that during testing. That will make it fail because the echo command will
not only display the value of $? but also the new value of $? will then be set to the result
of the echo command! -> always 0
In the second example, using "ipset", there is an "if ipset" command (see, here it is OK!)
but the "then" and the "else" branch contain exactly the same code.
I don't know how that came about, but of course in that case you can just remove the if, then and else
and put 1 instance of the code left-shifted under that.
Of course in this case you don't need the tempfile and can do everything in one go like this:
ipset -N ipipfilter hash:ip 2>/dev/null    # create the set (error ignored when it already exists)
ipset flush ipipfilter                      # start from an empty set
ipset -A ipipfilter $AMPRGW                 # the central gateway is always allowed
grep addprivate encap.txt | sed -e 's/.*encap //' | sort -u | while read ip
do
ipset -A ipipfilter $ip                     # one entry per unique encap endpoint
done
In my own systems I use a temporary ipset and swap them after completing the above, to avoid
the small time interval where the ipset is being filled and packets could be dropped.
For an ordinary user gw it probably isn't worth the trouble as this interval is quite short.
Of course, those filters are very useful against abuse of the gateway by people who send ipip
packets but are not part of AMPRnet (they could use it to hide their IP or to work their way
around parts of the firewall) but in practice I have found that most cases where this actually
happens are in fact hams who have misconfigured their gateway.
(e.g. the IPIP output goes out on another IP than they have configured as incoming for their gateway)
Don't think that adding this will solve any problems you have been faced with unless you are certain
that it was via IPIP abuse. There probably is another error in the firewall.
Rob
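An added example, not from the mail or the Wiki, of the temporary-set-and-swap approach mentioned above, built around the same encap.txt pipeline as the one-go version. It assumes the encap.txt line format "route addprivate <net> encap <addr>", the set name ipipfilter, and the AMPRGW address 169.228.34.84 given on the Services Wiki page cited later in the thread; the sample encap.txt is constructed, and the ipset commands are printed unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example (not the thread's own script): fill a scratch ipset, then
# swap it into place so the live set is never empty while it is rebuilt.
AMPRGW="169.228.34.84"   # from the Services Wiki page; check it there
SET="ipipfilter"

# Print the command instead of running it unless APPLY=1.
run() { if [ "${APPLY:-0}" = "1" ]; then "$@"; else echo "$*"; fi; }

# Unique encap endpoint addresses, read from stdin (same pipeline as the mail).
encap_gateways() {
    grep addprivate | sed -e 's/.*encap //' | sort -u
}

# $1: path to encap.txt
refresh_ipset() {
    run ipset -N "$SET" hash:ip 2>/dev/null        # live set, created once
    run ipset -N "${SET}_tmp" hash:ip 2>/dev/null  # scratch set
    run ipset flush "${SET}_tmp"
    run ipset -A "${SET}_tmp" "$AMPRGW"
    encap_gateways < "$1" | while read -r ip; do
        run ipset -A "${SET}_tmp" "$ip"
    done
    # Single atomic step: the old contents stay in effect until this command.
    run ipset swap "${SET}_tmp" "$SET"
    run ipset destroy "${SET}_tmp"
}

# Constructed sample of encap.txt (assumed format, not real gateway data).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
route addprivate 44.60.44.0/24 encap 192.0.2.10
route addprivate 44.60.45.0/24 encap 192.0.2.10
route addprivate 44.60.46.0/28 encap 198.51.100.7
EOF

refresh_ipset "$SAMPLE"
```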
If your mailbox is located at or relayed by any of these domains:
att.net
btinternet.com
estesvalley.net
free.fr
icloud.com
laposte.net
mac.com
n5kh.org
stpetebeach.net
thbt.fr
you may not have been getting some or all 44net email messages over
the past few days. What seems to have happened is that the mailing
list host, 'mailman.ampr.org', somehow got on somebody's spam list,
and some or all of the above domains started rejecting deliveries
from it.
Since it is often difficult and time-consuming to get back off such
a list, I've implemented a workaround for these domains that should
restore deliveries for you folks.
73 and Happy Computing!
- Brian
If you sent a message to the 44net mailing list in the last hour
or so and haven't seen it distributed, it likely got lost in a
mailer glitch that I think I've fixed.
Please resend it.
Sorry for the hassle.
- Brian
Roger,
I wrote the OpenWrt Wiki and my allocation has been live at 44.60.44.0/24 for years on my devices. Getting the tunnel interface active is the first step.
* I'm not sure what network and firewall configs you want, as MY EXACT CONFIGS ARE ALREADY POSTED IN THE WIKI (I will re-post them in this email)
* Again, AMPRGW should be replaced with the IP of AMPRGW. The IP is located here: http://wiki.ampr.org/wiki/Services
| AMPRNet Gateway(AMPRGW) | 169.228.34.84 |
* If you created the interface and added the IP, I'm lost at how ampr-ripd is saying tunl0 doesn't exist. Are you sure that you followed the Wiki instructions and added the script to STARTUP???
-------------------------------------
Pipermail did not permit me to post the configs, I emailed the configs directly to your personal inbox.
73,
- Lynwood
KB3VWG
Hi,
I'm following the instructions at the below link to use OpenWRT as a 44Net gateway. I'm confused about some of the instructions. What should <AMPRGW> be replaced with in the route?
This has me confused as well:
"an interface instance for a new VLAN and bridge (the example above uses AMPRNET), add it to its own firewall zone using Input: Accept (if you wish for your AMPRLAN devices to reach the router), Output: Accept and Forward: Drop (or Reject). Assign an IP from your allocation to this interface, you will configure this IP on your devices as the Default Route/Gateway address."
I created the AMPRNET interface but I put the 44Net allocation IP in the gateway of that interface; after rebooting when everything else was done, I get an error from Ampr-ripd that the interface doesn't exist.
If anyone has done this on an OpenWRT router, would you be willing to share your firewall and network config files so that I can learn what I'm doing wrong?
http://wiki.ampr.org/wiki/Setting_up_a_gateway_on_OpenWRT
Thanks
Roger
VA7LBB
Also - from your post, did you follow the steps to install IP-full so the startup script would create the tunnel interface?
In addition, did you compile ampr-ripd?
Roger,
AMPRGW should be replaced with the IP of AMPRGW. See: http://wiki.ampr.org/wiki/Services for those details.
You don't need a "Gateway" to the tunnel, as it's Layer 3. You do need to assign an IP from your range to a VLAN/bridge if you will make a VLAN, port, SSID, etc. for your allocation to "live" on.
What issues are you having with network and firewall configs? You never actually said what's wrong.
Feel free to ask me any more questions, or private email me for landline.
73,
- Lynwood
KB3VWG
-----Original Message-----
From: 44net-request <44net-request(a)mailman.ampr.org>
To: 44net <44net(a)mailman.ampr.org>
Sent: Tue, Jan 8, 2019 3:00 pm
Subject: 44Net Digest, Vol 8, Issue 3