44net

44net@mailman.ampr.org

3 participants
3195 discussions

Re: [44net] Tunnel mesh is (mostly) down
by Bryan Fields 03 Jan '15

03 Jan '15

On 1/3/15, 11:45 AM, Brian wrote: > On Sat, 2015-01-03 at 08:35 -0800, Eric Fort wrote: > >> > how about eliminating this issue perminantly from ever happening and >> > moving to voluntary peering between gateways. Know thy neighbor and >> > be responsible foryourpeers androutesseems to work really well for >> > everyone else yet amprnet still relies upon route distribution from a >> > single source. > Are you suggesting something such as a possible BGPv2 that all gateways > or designated regional gateways could perhaps tunnel broadcast between > themselves? This would be interesting and may help with other route > issues between those using RIPv2 <-> BGP amprnet sites. Why tunnel at the gateway level?, let the other gateways run BGP. Problem solved. How you get to the gateway could be IPIP, GRE, IPSEC, or you can run BGP yourself. Or even if you have a friendly peering location that lets you put a dish on the roof. Treating this like is some kinda special VPN really holds amprnet back. 73's W9CR -- Bryan Fields 727-409-1194 - Voice 727-214-2508 - Fax http://bryanfields.net

4 3

Re: [44net] Should I worry about this crud coming in via the tunnel?
by Rob Janssen 02 Jan '15

02 Jan '15

> Subject: > [44net] Should I worry about this crud coming in via the tunnel? > From: > Arno Verhoeven <pe1icq(a)vrhvn.nl> > Date: > 01/02/2015 04:11 PM > > To: > "'AMPRNet working group'" <44net(a)hamradio.ucsd.edu> > > > Hi, > > I have been monitoring traffic coming in via the tunnel and am a bit shocked how much bogus (?) traffic comes in from non-44 addresses. Yes, this is quite normal. Imagine how much comes in to the country gateway and gets dropped... The internet is full of people who only want to destroy it and there is not much that can be done about it. People use spoofed sender addresses (their provider should block that but many providers don't care), and others like to scan for all kinds of situations they can abuse, e.g. for DDOS. You need a good firewall. But maybe not what Tom suggests, because that ends your connectivity with the non-44 part of internet. Rob

1 0

Should I worry about this crud coming in via the tunnel?
by Arno Verhoeven 02 Jan '15

02 Jan '15

Hi, I have been monitoring traffic coming in via the tunnel and am a bit shocked how much bogus (?) traffic comes in from non-44 addresses. I have these rules in my firewall script: /usr/sbin/iptables -P INPUT DROP # Drop all traffic coming from Internet addresses via the tunnel to PE1ICQnet, except port 8000:8001 to raspberry pi (Dire Wolf). /usr/sbin/iptables -A INPUT -i ampr0 -s 44.0.0.0/8 -d 44.137.27.123 -p tdp -m multiport --dport 8000:8001 -j ACCEPT /usr/sbin/iptables -A INPUT -i ampr0 ! -s 44.0.0.0/8 -d 44.137.27.112/28 -j DROP When I monitor traffic on the tunnel interface with tcpdump -i ampr0 -vvn then I see a lot of traffic like this: 15:47:54.172385 IP (tos 0x0, ttl 51, id 60643, offset 0, flags [none], proto ICMP (1), length 98) 119.206.12.19 > 44.137.27.125: ICMP 119.206.12.19 udp port 53 unreachable, length 78 IP (tos 0x28, ttl 234, id 31771, offset 0, flags [DF], proto UDP (17), length 70) 44.137.27.125.29327 > 119.206.12.19.53: [udp sum ok] 31771+ A? ocektarhe.www.2015yf.com. (42) Remarkable, because at the moment I do not even have ip address 44.137.27.125 in use on the LAN. How do I need to interpret the above traffic dump? Is it because 44.137.27.125 is spoofed? Is it an attack using bogus domain resolving? (I see a lot of variants in the 2015yf.com domain) Basically, my question is, should I worry? ;-) 73 PE1ICQ // Arno

2 1

Attn. Brian ref IP address.
by trcarswell 27 Dec '14

27 Dec '14

I sent an email over a year ago...(it seems) to remove me from being an IP coord. I guess you missed it. I just got a email for a request...that was over a year old....the guy is pissed... as I would be....lol Pls remove me ...I hope someone can take my place... My wife got sick right after I became the the NC coord. Sorry. Trip - KT4WO

1 0

How to make traffic coming in on the tunnel interface get answered from that interface?
by Arno Verhoeven 27 Dec '14

27 Dec '14

Hi, I am looking for help setting up a conditional routing table. I have my tunnel up and running. I can reach other 44-net host. amrp-ripd is used to fill the routing table. So far so good, but I would like one of the web-sites (apache httpd vhost) to be reachable from both 44-net and non-44-net. If i check with tcpdump I see traffic coming in when I try to access the web-site (pi8zaa.ampr.org) via the Internet (I used my phone connected to t-mobile network). But it doesn't work because my server routes the replies to my ISP's Gw where they get source filtered. Basically I want/need traffic that comes in via the tunnel to get answered from the tunnel interface. I Googled for a solution. Found lots of variant of this http://tldp.org/HOWTO/Adv-Routing-HOWTO/lartc.rpdb.multiple-links.html but if I understand what is described there correctly, then that is not exactly what I need. Maybe I don't understand iproute2 and its routing table concept correctly. They way I understand it, those examples assume destination routing based on provider subnet, while in my case the destination is on the Internet, and in normal cases should be routed via my ISP except if it came in via the tunnel. Thanks for any help you can offer. 73 PE1ICQ // Arno

8 36

Merry Christmas
by Brian Kantor 25 Dec '14

25 Dec '14

+ XXX XXXXX XXXXXXX XXXXXXXXX "BUON ANNO" "JOYEUX NOEL" "VESELE VANOCE" "MELE KALIKIMAKA" "NODLAG SONA DHUIT" "BLWYDDYN NEWYDD DDA" "GOD JUL" "FELIZ NATAL" "BOAS FESTAS" "FELIZ NAVIDAD" "MERRY CHRISTMAS" "KALA CHRISTOUGENA" "VROLIJK KERSTFEEST" "FROHLICHE WEIHNACHTEN" "BUON NATALE-GODT NYTAR" "HUAN YING SHENG TAN CHIEH" "WESOLYCH SWIAT-SRETAN BOZIC" "MOADIM LESIMHA-LINKSMU KALEDU" "HAUSKAA JOULUA-AID SAID MOUBARK" "'N PRETTIG KERSTMIS" "ONNZLLISTA UUTTA VUOTTA" "Z ROZHDESTYOM KHRYSTOVYM" "NADOLIG LLAWEN-GOTT NYTTSAR" "FELIC NADAL-GOJAN KRISTNASKON" "S NOVYM GODOM-FELIZ ANO NUEVO" "GLEDILEG JOL-NOELINIZ KUTLU OLSUM" "EEN GELUKKIG NIEUWJAAR-SRETAN BOSIC" "KRIHSTLINDJA GEZUAR-KALA CHRISTOUGENA" "SELAMAT HARI NATAL - LAHNINGU NAJU METU" "SARBATORI FERICITE-BUON ANNO" "ZORIONEKO GABON-HRISTOS SE RODI" "BOLDOG KARACSONNY-VESELE VIANOCE " "MERRY CHRISTMAS - - HAPPY NEW YEAR" "ROOMSAID JOULU PUHI -KUNG HO SHENG TEN" "FELICES PASUAS-EIN GLUCKICHES NEWJAHR" "PRIECIGUS ZIEMAN SVETKUS SARBATORI VESLLE" "BONNE ANNEBLWYDDYN NEWYDD DDADRFELIZ NATAL" XXXXX XXXXX XXXXX XXXXXXXXXXXXX Submitted by: Gordon Joly <G.Joly(a)cs.ucl.ac.uk> Nov. 30, 1994

1 0

Seasons Greetings
by Brian 24 Dec '14

24 Dec '14

To those on the list; Happy and memorable holiday wishes to you and your families. The amprnet has gone through many changes and developments bringing it great success. Here's to even more success in 2015 *raises glass of spiked egg nog* cheers! -- If Microsoft intended Windows to be for ham usage, they would have incorporated our protocols into their kernel. 73 de Brian Rogers - N1URO email: <n1uro(a)n1uro.ampr.org> Web: http://www.n1uro.net/ Ampr1: http://n1uro.ampr.org/ Ampr2: http://nos.n1uro.ampr.org Linux Amateur Radio Services axMail-Fax & URONode AmprNet coordinator for: Connecticut, Delaware, Maine, Maryland, Massachusetts, New Hampshire, Pennsylvania, Rhode Island, and Vermont.

3 2

Problem with new subnet security policy
by F6CNB 22 Dec '14

22 Dec '14

Hi, I have been running a gateway since 1991 either in Texas or in France. I have a serious problem with the new security policy which does not allow to add a subnet if it is not allocated to you in the portal database. First it is preventing a single gateway to serve multiple hamradios and their subnets. This is completely against the spirit of hamradio. It is also preventing to serve IP addresses which are not registered in the portal.ampr.org. (i.e. HAMNET Europe (44.168.x.x for France) are defined in hamnetdb.net portal. Some 44.76.x.x addresses are not in the portal too but only in the host file) In the Paris area we are developing a HAMNET network using the French allocation 44.168.x.y. This network is using wifi equipments in 2.3 and 5.6GHz hamradio band. There is a single gateway (mine) and a lot of sites/subnet/host and backbones which are not mine of course. I have currently several subnets to add to my gateway but unfortunately I cannot. This is holding the deployment of several sites and applications like DMR repeaters connections thru HAMNET and other. I hope that a solution will be find very quickly. 73 de Remi F6CNB (or W5/F6CNB)

4 3

Re: [44net] ampr-ripd 1.12 released
by Rob Janssen 14 Dec '14

14 Dec '14

44net-request(a)hamradio.ucsd.edu wrote: > Subject: > [44net] ampr-ripd 1.12 released > From: > "Marius Petrescu" <marius(a)yo2loj.ro> > Date: > 11/16/2014 01:36 PM > > To: > "'AMPRNet working group'" <44net(a)hamradio.ucsd.edu> > > > Hello OMs, > > Following the idea from Rob, PE1CHL, I added the possibility to execute a > system command from ampr-ripd if routes are set or changed. > This will happen on startup, after an existing encap is found in > /var/lib/ampr-ripd, or after 30 seconds after a RIP update, if there is a > change in the encap data (AFTER saving the new encap file if requested). Thanks Marius! I have installed it on my own gateway and the 44.137 gateway and first tests shows it works fine. For the others: I requested this feature to modify a firewall when gateways change address. Before I accepted IPIP packets from everyone, but this is a weakness in the system that maybe could be exploited. I observed rogue IPIP packets from the far east. So instead of: iptables -A firewall -p 4 -j ACCEPT on the incoming interface, I now have: iptables -A firewall -p 4 -j ipipfilter and I have the following script that inserts/updates the ipipfilter list: #!/bin/sh # load encap.txt into ipipfilter list PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" AMPRGW="169.228.66.251" gwfile="/tmp/gw" cd /var/lib/ampr-ripd || exit 1 grep addprivate encap.txt | sed -e 's/.*encap //' | sort -u >$gwfile if iptables -N ipipfilter 2>/dev/null then iptables -F ipipfilter iptables -A ipipfilter -s $AMPRGW -j ACCEPT while read ip do iptables -A ipipfilter -s $ip -j ACCEPT done <$gwfile iptables -A ipipfilter -j DROP else iptables -L ipipfilter -n | grep ACCEPT | fgrep -v $AMPRGW | \ sed -e 's/.*-- //' -e 's/ .*//' | sort | diff - $gwfile | \ while read d ip do case "$d" in ">") iptables -I ipipfilter -s $ip -j ACCEPT ;; "<") iptables -D ipipfilter -s $ip -j ACCEPT ;; *) ;; esac done fi rm -f $gwfile The full pathname of this script /usr/local/sbin/load_ipipfilter is passed with the new -x option to ampr-ripd. It will load the entire filter the first time, and later it will only update the filters that have changed. It is required that the -s option is passed as well, so the encap.txt file is created by ampr-ripd. Now I only accept IPIP packets from addresses in the gateway list, which makes me feel a bit safer. (of course sanity checks were already done on the incoming IPIP packets) Rob

3 2

Oops what went wrong
by Erwin 07 Dec '14

07 Dec '14

Hi, Some dutch hams did a great job to bring the Gateway to Holland. Roundtrip time drops to about 17ms now. I wanted to do some tests and logged in into the portal to add a gateway and subnets. Using the portal it didn't succeed to add it and I tried the email robot instead. When I take a look to my gateway address it's in use by Chris, G1FEF. I don't see anything from me in the gateway list now. How solve this problem? 73, Erwin

1 0

Jump to page:

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

44net