All,
Consider the following
- a virus, malicious person, or by accident, a source address is set to
8.8.8.8
- you run a port scan to your job, a test IP, etc.
- They have intrusion detection
- They use Google DNS
It seems a DDoS attack could be very easily launched. Perhaps those
folks could sill consider making an ipset of allowed outbound IP addresses.
Also be careful how you block your own rules, an attacker spoofing the
IP of common addresses could cause DoS. If you were attempting to
connect to your IP, a man-in-the-middle attack (or someone who otherwise
learns the destination IP and port) would make it seem as you were
always blocked (but your firewall hits are greater than you expect).
Theres probably common if you change the port and your corporate network
team at work begin to see low bandwidth encrypted links on an unknown port.
73,
-Lynwood
KB3VWG
Marius at al,
I'm wondering if anyone has tried the new feature that sends RIP44. If
so I have a question. If you use the -a, does it remove those routes?
I need to account for this in a script I'm writing depending on if the
downstream device is on a WAN or if they have a private route/connection
between themselves. Since I use policy-based routing, I can keep the
false record for my own subnet on table 44 and encap file; but for
others (and other projects for AMPRNet), I can see this used to be
placed on a second device to provide a real-time looking-glass tool, etc.
- Lynwood
KB3VWG
Hey all, I recently got my gateway and ip block allocations all setup
including the DNS piece thanks to Brian and others.
I've got the tunnel defined on my router. When I run a TCPDUMP on the
physical interface that is hooked up to m169.228.66.251y cable modem, I am
not seeing any traffic from the 169.228.66.251 tunnel endpoint. Nor,
obviously, am I seeing any traffic on my tunnel interface.
How do I troubleshoot this?
Thanks
Craig
KC1ETB
> Do you have a firewall that drops by default?
> On my machine, I have to allow 520/udp from 44.0.0.1 to 520/udp at
> 244.0.0.9.
I have a firewall rule but it remains at zero. It is unclear where this packet
gets lost, when I run "tshark" the RIP transmission is seen, but when I insert
a rule "iptables -I amprinp -p udp -s 44.0.0.1 --dport 520 -j ACCEPT" at the top
of the list (this rule is selected by "iptables -A INPUT -i tunl0 -j amprinp")
it too does not see any traffic.
This worked OK in the past but it has suddenly stopped working some time ago, I
think about two years. That happened when there was a kernel update, no other changes.
Rob
Hello everyone,
I created a new ampr-ripd release according to some wishes of our members.
Changes:
- brought back option -r, to allow using multicast sockets by default
and raw sockets as a backup for systems with multicast issues. This will
hopefully sort out the firewall filtering inability on previous releases
since 1.13.
- added 2 new command line options, -F and -E (capital letters) which
allow the forwarding of raw AMPR-RIP messages on a specific interface
(-F) and optional to a specific address (-E), similar to the -f and -e
options. These RIP messages are raw copies of the incoming ones:
password it there and they appear every 5 minutes and will be missing if
no data arrives from the AMPR gateway.
- added the setting of the proper 44.0.0.1/32 route to conform to the
latest gateway changes.
Download:
http://www.yo2loj.ro/hamprojects/ampr-ripd-2.0.tgzhttp://yo2tm.ampr.org/hamprojects/ampr-ripd-2.0.tgz
Have fun,
Marius, YO2LOJ
> BTW, the encap file does not change much. On average, one line in it
> will change per hour, as a gateway with a dynamic address updates its
> address (and it's often the same gateway flipping between two or three
> addresses), but gateways come and go at a much lower rate -- I'd guess
> one or two a week. So you'd be pretty safe just FTPing and processing
> a new encap file perhaps once a day if it winds up being a chore.
The automation in the classic FTP client is a bit difficult to use, especially
when you want to use it for different sites, but the "wget" and "curl" programs
can easily fetch a fixed file from a fixed server with a fixed user/password
by combining them all into a URL: ftp://user:pass@server.domain/path/to/file
Of course when you fetch and process the file once a day, you will not
be able to use those gateways that change IP address once a day due
to local provider policy. But probably you'll never notice that... :-)
Rob
> I expect you could have more luck by looking in to SLAX scripting as it
> should not be to hard to do this fully from the junos api's
> I did not check this but i don't think the ipip driver would be
> standard.
Well, it is not very straightforward so when it is your first script you
are probably going to have a hard time...
In Linux there is a point-to-multipoint IP tunnel, much as was the case in JNOS
when this whole IPIP mesh was designed. You configure only a single IP
tunneling interface, usually called tunl0, and you put a set of routes in
the route table with the destination subnets, the tunl0 device, and the remote
endpoint of the tunnel as the gateway address. Like this:
44.2.2.0/24 via 216.218.207.198 dev tunl0 onlink
44.2.7.0/30 via 73.185.12.233 dev tunl0 onlink
44.2.10.0/29 via 104.49.12.130 dev tunl0 onlink
The onlink attribute is required to suppress the "gateway not reachable" warning
you would normally get when the gateway is not directly reachable from the system.
With this facility, the updating is relatively easy: just make sure the actual routing
table agrees with the distributed information, by adding and deleting single routes.
Without such point-to-multipoint tunneling, you will have to create a separate
tunnel interface for each gateway, and setup routes to the remote subnets pointing
to the correct gateway tunnel. Remember there are (way) more subnets than gateways,
you need to find the routes with the same remote gateway, and create only a single
tunnel device for those combinations, and point the matching subnet routes to that device.
To obtain the information about the subnets, you either listen to the RIP broadcasts
made by amprgw, or you regularly download the "encap.txt" which has this format:
route addprivate 44.2.2/24 encap 216.218.207.198
route addprivate 44.2.7/30 encap 73.185.12.233
route addprivate 44.2.10/29 encap 104.49.12.130
so you need to parse that and get the subnet and gateway fields from it.
(this format is the commandline format that JNOS used)
There is no separate "list of endpoints" so you have to create that yourself
from that list of routes (take the last field and put it in a list, removing
duplicates).
Now when you have written a script to transform this into commands to create
the proper tunnel devices and add the routes, the real fun begins!
The next time you get the information, you need to check if there are changes.
When there are, there usually will be a change of tunnel endpoint address (for
a gateway that is on a dynamic internet address). You will find several entries
in the information that suddenly have a different next hop address, but of course
they are not grouped together, they are scattered through the lines you received.
You will need to locate the correct tunnel device (which you will need to look up
using the *previous* table of received information) and change its endpoint.
But, there are other possibilities, ocurring less often: a subnet could have been
added or removed from a gateway (and maybe moved to another), a new gateway can be
added, or a gateway can be removed (with all its subnets).
And of course, combinations of the above, e.g. a gateway has its endpoint address
changed and at the same time adds or deletes a subnet.
That is probably a rare occurrence, but it should not cause disaster (like a crash).
Of course you could simplify things by just deleting everything (routes and devices)
and rebuilding it from zero whenever there is some change. But that could cause
brief interruptions of the routing and/or high load on the CPU.
Sure, it can be done. But for someone who is not experienced in programming in
general, and has to learn the scripting language for the particular platform as
well, it will be tough.
I would certainly advise to look at Marius' script for MikroTik, as it of course
has the algorithms described above. It would have to be rewritten in a different
language and the constructs to add/delete tunnel devices and routes will have to
be changed.
Rob
> I'm wondering of anyone has successfully got a gateway running in Amazon's EC2 service?
> I was thinking of using a raspberry pi with a tinc VPN to the EC2 instance to tie into my RF connection regardless of my IP address.
> I hit a wall when it came to getting ampr-ripd running.
It is a bit difficult to help you with such a problem description, but in general (I have no experience with EC2) you should
be aware that such services do not give you a fully virtualized machine where you can do what you want, but rather they
use Xen Paravirtualization where a modified kernel is running, and it often does not include the module required for
IPIP tunneling. That may be the wall you are hitting, but it would not be the problem of getting ampr-ripd running
but to actually get the tunl0 interface working. So you need to explain better what your problem is. Maybe it can be
worked around using another program by Marius: amprd.
I have a Raspberry Pi running at a hosting company and running the usual configuration for a gateway under Linux,
and of course that does not have that limitation. I have a VPN to it from home. Indeed it is a nice way to get a gateway
running without the trouble of getting the IPIP traffic to your home system.
(but it is not used much anymore as I now have a radio connection to the network)
Rob
I built a new inbound ports display https://gw.ampr.org/router/ports.svg
which shows a significant amount of traffic that SANS and others identify
as being aimed at vulnerable ports on various pieces of equipment.
I don't want to just block them, as they have legitimate uses, but if
you're running your own firewall, you might want to block them yourself
if you don't have any need for the legitimate use.
- Brian
I'm trying to access one of Brian's help documents but the connection
attempt to http://n1uro.ampr.org/linuxconf/amprnat.txt times out. Is
there an issue somewhere that might impact on my attempts?
Ray vk2tv
