44net

44net@mailman.ampr.org

3194 discussions

Re: [44net] firewall rules at AMPR.ORG router ?
by Rob Janssen 09 Apr '16

09 Apr '16

> Subject: > Re: [44net] firewall rules at AMPR.ORG router ? > From: > R P <ronenp(a)hotmail.com> > Date: > 04/08/2016 08:50 PM > > To: > AMPRNet working group <44net(a)hamradio.ucsd.edu> > > > and if we talk on explain what is forward chain ? in and out i can understand but forward? > and also there are a lot of commands in the action that i dont understand beside reject drop accept > Where can i find description ? I forgot to mention this in yesterday's reply: In the "iptables" firewall, "forward" is the path that packets take through a router. It does not work as in a Cisco, where "forward" is just "input" followed by "output". "input" and "output" refer to traffic to/from the router itself, like the management interface and the processing of packets by the router e.g. for a tunnel that it has to encapsulate/decapsulate, but when packets are just routed they only pass through the "forward" table and not the "input" and "output" table. This can also be seen in the diagram that Marius posted. The actions in the entry can do other things than accepting/rejecting, e.g. logging the packet. Also a nice action that is notably missing from Cisco access lists is "jump". You can make your own table and put some rules in it that are required only for one interface or in one particular situation, then in the normal input (or forward) table you can match on that interface or situation and jump to your custom table. That way you do not need to put all rules in one long input table, and you can improve clarity and performance. For example, in an IPIP router you have rules you want to apply to the external interface, and rules you want to apply to the tunnel interface (which receives traffic for 44-address). You can put these in a separate table and make it easier to manage. Rob

1 0

Re: [44net] firewall rules at AMPR.ORG router ?
by Rob Janssen 09 Apr '16

09 Apr '16

> some of the verbs such as established sound familiar from the days i used to work with Cisco access lists and checkpoint firewall > the new command wasn't known to me The firewall filters in a MikroTik (and on Linux in general) are far more advanced than the simple access lists in a Cisco router. On a Cisco router you generally just have static rules that allow e.g. traffic incoming on some ports. (there are some exceptions, e.g. "reflexive" access lists) On a MikroTik or Linux system there is a table of open connections (you can see it on a separate tab in the MikroTik router), and you can easily allow all traffic belonging to existing open connections. This means you don't need to do anything to allow replies to outgoing connections, other than having a rule that allows "established, related" in all directions and a rule that allows "new" in outgoing direction. (or just a rule that allows everything in outgoing direction) To allow some things in incoming direction (e.g. outside access to your IPIP tunnel), you need only to allow some new traffic matching a certain pattern. Once the connection completes, it will be in the connection table and again it will be matched by the "established, related" rule that you normally put at the top so it will be matched first. The checkpoint firewall of course also offers such features. In the default configuration, the MikroTik is delivered with some rules that allow "established, related", block other traffic incoming on ether1 (normally the internet port), and allow everything else. I don't like that, because once you add a new interface that is facing outside (like a tunnel), the default will be to allow new connections and thus it is possible to exploit the services on the router. Therefore I always replace such settings by a rule that allows "established, related", then one or more rules that allow "new" only from interfaces that I know are on the inside (trusted) side, then a rule that drops everything. So, a new interface is always by default untrusted until a new rule is added. Make sure that when you modify the firewall you always do it in such a sequence that you do not lock yourself out because you added the "drop" rule before the correct "accept" rules, for example. A way to avoid that is to click the "safe mode" button in the menu on the left, then make all your changes to the firewall and check that you can still navigate around the user interface (open the quick start page, for example) and when everything is OK click the "safe mode" button again so it pops back out. When you lose connectivity to the router while the safe mode is active, all changes you made after clicking it will be rolled back and you will have access again! When you reset safe mode, the changes are committed and you can logoff without losing them. (note that there is no separate "running" config and "saved" config, everything you change is always saved immediately. so a mistake cannot be corrected by power-cycling the router, as with a Cisco) Rob

4 3

Re: [44net] firewall rules at AMPR.ORG router ?
by Rob Janssen 08 Apr '16

08 Apr '16

> Subject: > Re: [44net] firewall rules at AMPR.ORG router ? > From: > R P <ronenp(a)hotmail.com> > Date: > 04/08/2016 08:50 PM > > To: > AMPRNet working group <44net(a)hamradio.ucsd.edu> > > > Dear Rob > Thank you for Brief explain > Yes the Syntax of the Mikrotik is totally different then what i use to > Also the mikrotik is not popular here I had hard time to find stores that sell it and i think im the only amateur who use it here > The help that comes with the web interface is not so explainable do you know where i can find more explain on the commands (such as the explain you gave me about the establish and new and related) ? > and if we talk on explain what is forward chain ? in and out i can understand but forward? > and also there are a lot of commands in the action that i dont understand beside reject drop accept > Where can i find description ? As David also wrote: look for manuals of the Linux firewall, "iptables". What is written about iptables is directly applicable to MikroTik, but in the MikroTik you can enter the values in lots of fields on the webform whereas in iptables you enter those on the commandline. Also there is wiki.mikrotik.com for a lot of documentation, unfortunately it is oriented around the command-line interface but you generally find the same things in the web interface. Here the MikroTik routers are available at a couple of webshops, but not in the average highstreet computer store. The reason is that they are very advanced and most users will not know how to configure them beyond the simple generic configurations available from the quick start screen. But at features-for-price they are unbeatable. For example, at work I needed a router for a "workplace-on-the-go". I use a MikroTik router plus a 4G stick. It opens a VPN to our Cisco VPN router at the central office and routes some subnets both ways using iBGP. The box can be connected at the installation site automatically using either plain ethernet, guest WiFi, or 4G mobile internet. The routed subnet is accessible on ethernet and WiFi. We use this to connect a printer and a couple of laptops at a temporary office site, using the internet access that is available, or 4G if there is none. Total price for such a setup is about 150 euro when all hardware has to be bought, or 60 euro when the 4G stick is "free with a mobile subscription". The MikroTik is either a RB951G-2HnD or a hAP AC Lite. Not many other cheap routers can be WiFi access point and WiFi client at the same time, and are able to do a VPN and run a routing protocol over that. (simplifies the configuration, no static routes required) A similar Cisco (not ex-Linksys) router costs 5-20 times as much, and has less features. But, it still is not the most convenient router for AMPRnet! For that, a plain Linux box is to be preferred. We could try to install a Linux VM to bridge the gap between a standard router and the multipoint IPIP mesh plus modified RIP that we use and that is not supported in standard routers (either Cisco or MikroTik). Rob

1 0

firewall rules at AMPR.ORG router ?
by R P 07 Apr '16

07 Apr '16

Hi there after entering to the DNS attack business (as the one who is attacked) i think of the following Can an access list rule be done that will have rule per gateway subnet on the main AMPRNET ROUTER ? I mean if I have a 44.138.1.x that i will be able to have rules for my subnet as i want ? I ask it because the firewall rule i have added to the miKrotiK (thanks a lot to the ham who gave me the correct syntax) does the job but the tunnel to UCSD still flud with incoming DNS attack noise of about 500KB/s (of course that the router block them to pass through but if i could stop this attack before they even enter to the tunnel from UCSD to me) NB i still dont understand what is the point standing behind UDP flood may someone explain me ? I can understand telnet ftp ssh web attempt but not DNS flood may someone explain it to me ? one more point I have talked with a friend of myn which his job include networking he have a Fixed IP connected to Cisco ASA Firewall and he doesn't see any DNS attacks in the logs he saw here and there SIP attempts (i see at the 44 Net here also some UDP sip but it is almost 0 comparing the DNS attack) so it look like the DNS is related more to the AMPRNET and not to regular internet or maybe this is a coincidence anyway it is something i havent seen on the AMPRNET network we had 20 years ago Regards Ronen - 4Z4ZQ http://www.ronen.org Ronen Pinchooks (4Z4ZQ) WebSite<http://www.ronen.org/> www.ronen.org ronen.org (Ronen Pinchooks (4Z4ZQ) WebSite) is hosted by domainavenue.com

4 5

Re: [44net] How to config mikrotik router for IPIP (and more)
by Rob Janssen 07 Apr '16

07 Apr '16

> Subject: > Re: [44net] How to config mikrotik router for IPIP (and more) > From: > Don Fanning <don(a)00100100.net> > Date: > 04/05/2016 04:54 PM > > To: > AMPRNet working group <44net(a)hamradio.ucsd.edu> > > > Maybe this is a good opportunity for someone to create a basic distribution > that gets AMPRnet working on a RPi. 8G SD cards are incredibly cheap and > ship well or someone can write the image directly on them. Maybe if it's > packaged, profits could be sent to Brian for gateway maintenance/growth. I think it would be a good idea to create something like that. I have done images for another special-purpose Pi application, however in this case it probably needs a little more work to create a nice "setup" program that allows the user to enter the variable data and configures the Pi accordingly. (after all, the instructions that are already on wiki.ampr.org apparently are not enough to get people started, so providing an image and then tell them to edit config files and scripts will probably fail the same way) It is also clear that the default firewall should be OK, and users should be warned not to install things like open telnet servers on or behind the router. Rob

6 5

UDP DNS attacks at my 44 Net
by R P 06 Apr '16

06 Apr '16

Hi group Now when the mikrotik have a connections sessions screen i see about 150 (yesterday night it was 1200) UDP Port 53 (DNS)sessions coming from about 15 different sites each site have about 10 sessions total bandwidth it consume is 500 KB/s What is it ? why a site have to do 10 times DNS queries (or maybe it is a UDP session to port 53 but not a DNS query ) to my host where even no DNS server exist ? Is there anyone that can tell me the exact command to block it ? i have tried with the web interface to add a firewall rule but nothing happen it looks like im not giving the right rule Thanks Forward Ronen - 4Z4ZQ http://www.ronen.org Ronen Pinchooks (4Z4ZQ) WebSite<http://www.ronen.org/> www.ronen.org ronen.org (Ronen Pinchooks (4Z4ZQ) WebSite) is hosted by domainavenue.com

3 3

ISP Router and Pi Cohabitation
by Geoff Joy -KE6QH- 05 Apr '16

05 Apr '16

I'm on FiOS (was Verizon now Frontier Comm.) and I'm considering buying a Pi for ampr.org connection. I'm pretty much stuck with the Verizon Actiontec MI424WR on the WAN due to ISP requirements and I'm wondering how it might be best to place the Pi on the LAN. Should it be in the DMZ or should it stay behind NAT? Feel free to email me off list if this is OT. -- Geoff Joy - ke6qh - AmprNet IP Address Coordinator for San Bernardino & Riverside Counties. (44.18/16)

4 4

Re: [44net] ISP Router and Pi Cohabitation
by Assi Friedman 05 Apr '16

05 Apr '16

Many of the Linux based routers do allow you to add non-standard rules. It surprised me that the current ASUS family of consumer routers allowed me to configure a porthole for IPIP without having to use the CLI. Assi -----Original Message----- From: 44Net [mailto:44net-bounces+assi=kiloxray.com@hamradio.ucsd.edu] On Behalf Of Brian Kantor Sent: Tuesday, April 05, 2016 11:11 AM To: AMPRNet working group <44net(a)hamradio.ucsd.edu> Subject: Re: [44net] ISP Router and Pi Cohabitation (Please trim inclusions from previous messages) _______________________________________________ On Tue, Apr 05, 2016 at 11:05:38AM -0700, Geoff Joy -KE6QH- wrote: > I'm on FiOS (was Verizon now Frontier Comm.) and I'm considering > buying a Pi for ampr.org connection. I'm pretty much stuck with the > Verizon Actiontec MI424WR on the WAN due to ISP requirements and I'm > wondering how it might be best to place the Pi on the LAN. Should it > be in the DMZ or should it stay behind NAT? I'm not familiar with that particular router, but most residential routers don't have a provision for allowing the IPIP protocol through the NAT so you pretty much have to use the DMZ for AMPRNet tunneling. - Brian _________________________________________ 44Net mailing list 44Net(a)hamradio.ucsd.edu http://hamradio.ucsd.edu/mailman/listinfo/44net

1 0

Re: [44net] How to config mikrotik router for IPIP (and more)
by Steve L 05 Apr '16

05 Apr '16

Step one would be to create an interactive script that asks some basic questions like your ampr address allocation and sets up the routes and rules. I have been meaning to do this. Sadly winter is pretty much over. I documented the way I did it in pretty good detail: http://www.qsl.net/kb9mwr/wapr/tcpip/ampr-ripd.html Of course there is more than one way to skin a cat. You don't have to add a USB Nic, you could use a VLAN capable switch for example. That is always the rub, one size may not fit all. I skipped explaining a basic firewall, as I think its a bitch much for most people already, and is documented elsewhere. The best info I had at the time was LX1DUC's info, but I wanted to take explaining certain things a bit more that I initially thought weren't the most clear. http://marc.storck.lu/blog/2013/08/howto-setup-an-amprnet-gateway-on-linux/ http://marc.storck.lu/blog/2013/08/basic-paranoid-iptables-firewall-for-an-… I have found everyone in any aspect of the hobby has a different level of understanding. Writing a disk image to a SD card might be a first timer for someone for example. Then you need to explain that. A good start would be for more people to share details on their gateway setup. >Maybe this is a good opportunity for someone to create a basic distribution >that gets AMPRnet working on a RPi. 8G SD cards are incredibly cheap and >ship well or someone can write the image directly on them. Maybe if it's >packaged, profits could be sent to Brian for gateway maintenance/growth.

1 0

Re: [44net] strange login attempts to AMPR Hosts
by Assi Friedman 05 Apr '16

05 Apr '16

For those of you running Linux, Iptables + Fail2ban work very well against port exploit and brute force attempts. Obviously, it also helps using a mainstream distribution with active maintenance. Assi kk7kx. -----Original Message----- From: 44Net [mailto:44net-bounces+assi=kiloxray.com@hamradio.ucsd.edu] On Behalf Of Geoff Joy -KE6QH- Sent: Tuesday, April 05, 2016 8:20 AM To: AMPRNet working group <44net(a)hamradio.ucsd.edu> Subject: Re: [44net] strange login attempts to AMPR Hosts Probes of IP addresses are VERY common. T ...snip.. Geoff Joy - ke6qh - AmprNet IP Address Coordinator for San Bernardino & Riverside Counties. (44.18/16)

1 0

Jump to page:

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

44net