To those on the list;
Happy and memorable holiday wishes to you and your families. The amprnet
has gone through many changes and developments bringing it great
success. Here's to even more success in 2015 *raises glass of spiked egg
nog* cheers!
--
If Microsoft intended Windows to be for ham usage,
they would have incorporated our protocols into their kernel.
73 de Brian Rogers - N1URO
email: <n1uro(a)n1uro.ampr.org>
Web: http://www.n1uro.net/
Ampr1: http://n1uro.ampr.org/
Ampr2: http://nos.n1uro.ampr.org
Linux Amateur Radio Services
axMail-Fax & URONode
AmprNet coordinator for:
Connecticut, Delaware, Maine,
Maryland, Massachusetts,
New Hampshire, Pennsylvania,
Rhode Island, and Vermont.
Hi,
I have been running a gateway since 1991 either in Texas or in France.
I have a serious problem with the new security policy which does not allow
to add a subnet if it is not allocated to you in the portal database.
First it is preventing a single gateway to serve multiple hamradios and
their subnets. This is completely against the spirit of hamradio.
It is also preventing to serve IP addresses which are not registered in the
portal.ampr.org. (i.e. HAMNET Europe (44.168.x.x for France) are defined in
hamnetdb.net portal. Some 44.76.x.x addresses are not in the portal too but
only in the host file)
In the Paris area we are developing a HAMNET network using the French
allocation 44.168.x.y. This network is using wifi equipments in 2.3 and
5.6GHz hamradio band. There is a single gateway (mine) and a lot of
sites/subnet/host and backbones which are not mine of course. I have
currently several subnets to add to my gateway but unfortunately I cannot.
This is holding the deployment of several sites and applications like DMR
repeaters connections thru HAMNET and other.
I hope that a solution will be find very quickly.
73 de Remi F6CNB (or W5/F6CNB)
44net-request(a)hamradio.ucsd.edu wrote:
> Subject:
> [44net] ampr-ripd 1.12 released
> From:
> "Marius Petrescu" <marius(a)yo2loj.ro>
> Date:
> 11/16/2014 01:36 PM
>
> To:
> "'AMPRNet working group'" <44net(a)hamradio.ucsd.edu>
>
>
> Hello OMs,
>
> Following the idea from Rob, PE1CHL, I added the possibility to execute a
> system command from ampr-ripd if routes are set or changed.
> This will happen on startup, after an existing encap is found in
> /var/lib/ampr-ripd, or after 30 seconds after a RIP update, if there is a
> change in the encap data (AFTER saving the new encap file if requested).
Thanks Marius! I have installed it on my own gateway and the 44.137 gateway and
first tests shows it works fine.
For the others: I requested this feature to modify a firewall when gateways change
address. Before I accepted IPIP packets from everyone, but this is a weakness in the
system that maybe could be exploited. I observed rogue IPIP packets from the far east.
So instead of:
iptables -A firewall -p 4 -j ACCEPT
on the incoming interface, I now have:
iptables -A firewall -p 4 -j ipipfilter
and I have the following script that inserts/updates the ipipfilter list:
#!/bin/sh
# load encap.txt into ipipfilter list
PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
AMPRGW="169.228.66.251"
gwfile="/tmp/gw"
cd /var/lib/ampr-ripd || exit 1
grep addprivate encap.txt | sed -e 's/.*encap //' | sort -u >$gwfile
if iptables -N ipipfilter 2>/dev/null
then
iptables -F ipipfilter
iptables -A ipipfilter -s $AMPRGW -j ACCEPT
while read ip
do
iptables -A ipipfilter -s $ip -j ACCEPT
done <$gwfile
iptables -A ipipfilter -j DROP
else
iptables -L ipipfilter -n | grep ACCEPT | fgrep -v $AMPRGW | \
sed -e 's/.*-- //' -e 's/ .*//' | sort | diff - $gwfile | \
while read d ip
do
case "$d" in
">")
iptables -I ipipfilter -s $ip -j ACCEPT
;;
"<")
iptables -D ipipfilter -s $ip -j ACCEPT
;;
*)
;;
esac
done
fi
rm -f $gwfile
The full pathname of this script /usr/local/sbin/load_ipipfilter is passed with the new -x
option to ampr-ripd. It will load the entire filter the first time, and later it will only update
the filters that have changed. It is required that the -s option is passed as well, so the
encap.txt file is created by ampr-ripd.
Now I only accept IPIP packets from addresses in the gateway list, which makes me feel a
bit safer. (of course sanity checks were already done on the incoming IPIP packets)
Rob
Hi,
Some dutch hams did a great job to bring the Gateway to Holland.
Roundtrip time drops to about 17ms now.
I wanted to do some tests and logged in into the portal to add a gateway
and subnets.
Using the portal it didn't succeed to add it and I tried the email robot
instead.
When I take a look to my gateway address it's in use by Chris, G1FEF.
I don't see anything from me in the gateway list now.
How solve this problem?
73, Erwin
Good afternoon,
in the original layout it was possible to add any network to a gateway.
Now you can only add networks assigned to the account holding the
gateway, at the same time it seems impossible to add a gateway more than
once or to share a gateway between several network holders.
While I agree that users should be unable to add foreign networks to
their gateway, it also creates an issue where several OMs decided to
share 1 single gateway for various reasons.
Can someone please advise how to share a gateway between several
resource holders under the current portal design and logic?
vy 73
--
Marc, LX1DUC
--
www.laru.lu - Luxembourg Amateur Radio Union
www.emcomm.services - Emergency Communication
www.ham-dmr.lu - DMR Infos for HAMs
> Subject:
> Re: [44net] Add network to gateway
> From:
> Chris <chris(a)g1fef.co.uk>
> Date:
> 11/28/2014 08:13 PM
>
> To:
> AMPRNet working group <44net(a)hamradio.ucsd.edu>
>
>
> Guys,
>
> The intention was not to cut anyone off, but there were a lot of folk adding 44 networks to gateways that had not been allocated to them, or indeed allocated at all.
Of course that is because your view on "allocated" is different from others'
I think any address that has an entry in the .ampr.org DNS is "allocated".
That it does not have an entry in your list of allocated subnets is a different matter.
> The whole point of the Portal is to document who has been allocated (and is using) what IPs. So the gateway code has been updated to only allow allocated networks to be added to gateways.
I would have considered it better when the work on managing allocations (addresses and DNS entries) had been finished first. But of course it is a hobby project so you can set your own priorities.
Rob
I have implemented an API for accessing the Portal data programatically, if you login and select “API” from the menu there is some info there about it.
So far I have only implemented one function: the ability to retrieve the encap routes.
I would appreciated comments / feedback / suggestions as well as any bug reports.
Thanks,
Chris
> Re: [44net] Bogus route entries
> From:
> "Marius Petrescu" <marius(a)yo2loj.ro>
> Date:
> 11/25/2014 07:26 PM
>
> To:
> "'AMPRNet working group'" <44net(a)hamradio.ucsd.edu>
>
>
> Hello,
>
> With the last apr-ripd version (1.13), this entry (or any other having the
> gateway inside its own subnet) gets ignored and can be direct routed (since
> it is BGP-ed).
> Unlike the entry 44.140.0.0/24 via some public IP which does not work.
> I would prefer to see it as it is via 44.140.0.1...
>
> Marius, YO2LOJ
Ok I must tell I have not yet installed the latest version, I am using 1.12 with the -x option
and I noted this one (as it appears near the top of the list) is coming and going all the time.
I captured a trace and this entry was not among the RIP entries sent at that time.
So the problem is somewhere upstream, not in ampr-ripd.
Next tuesday we will move our gateway to the datacenter of our ISP and we will start doing BGP
routing of 44.137 (permission from ARDC is already obtained), so then I will update ampr-ripd
and see what I can do to have entries like this working OK.
But this time my main question is why is this route changing all the time even when it is not
updated in the portal? (unlike the French one and now a Spanish one where users apparently
are experimenting and do not understand the system so they insert and delete their entry all the
time until it works)
Rob
Can somebody explain why the entry "44.140.0.0/16 via 44.140.0.1" keeps appearing and disappearing?
Of course it was already discussed before that this entry has limited usefulness, but ok when someone wants to
have it, let them (I won't be able to use it).
However, it appearing and not appearing in the routing table in a blinkenlight fashion, while the portal says:
Last modified 2014-04-12 17:46:33
Something is going wrong somewhere, but where?
Rob
> Subject:
> Re: [44net] Attn LX gateway
> From:
> "Marc, LX1DUC" <lx1duc(a)laru.lu>
> Date:
> 11/14/2014 12:25 AM
>
> To:
> 44net(a)hamradio.ucsd.edu
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 12/11/2014 21:46, Rob Janssen wrote:
>
> As Rob seems to have had issues finding the correct contact email
> address for the IP address mentioned, I thought this might be helpful
> to share with the group:
>
> For IP addresses allocated by RIPE there is the Abuse (Contact) Finder:
> https://apps.db.ripe.net/search/abuse-finder.html
>
> Not each and every network has updated to the latest RIPE policies,
> but it's always worth a shot:-)
>
> 73 de Marc
It is also helpful when some contact or identifying information is present in the
gateway listing on portal.ampr.org.
In this case it only points to a clubstation with an info address, but via that I was
able to get the message forwarded to you.
It would have been helpful when your callsign and/or e-mail had been present
in the portal listing.
73,
Rob
