On 8/13/21 8:39 AM, Tony Langdon via 44Net wrote:
> On 13/8/21 1:43 am, Rob PE1CHL via 44Net wrote:
>> In our network we have a firewall at the internet connection that
>> allows all OUTgoing traffic and replies to it, but by default blocks
>> any INcoming connections from internet unless the destination
>> (44.137.x.x) address is on a list of addresses that allows connections
>> from internet.
> That's likely to be insufficient. I'm just flagging it as a
> consideration going forward - each connecting user needs to have full
> control of the level of Internet connectivity they want, to suit their
> needs.
Of course they have. They can apply whatever filter they deem necessary
on their own router. They can submit their request to have incoming internet
traffic and be registered in the address list, and then still drop anything else
than what they want to handle.
No need to bring up "but what if the user does not know how to do that,
or what if they do not have a router which can do that" because in that
case they will not request the internet traffic and by default they won't have it.
Sure, the implementation could also allow some different classes, e.g.
- only some well-known hamradio services
- webserver
- ...
- everything
It would make it more complex but it could reduce the amount of traffic
unnecessarily forwarded to users (over slow links).
We also have a "trapdoor" firewall that automatically blocks source
addresses that "portscan" 44.137.x.x subnets that are not allocated.
So those pesky "researchers" are automatically blocked the first time
they hit an unallocated subnet, and as they do their research without
first checking how the space is used, that is usually quite quickly.
(there are typically about 70000 addresses in that automatic list)
Incoming traffic from these addresses is not forwarded at all.
Rob
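The policy Rob describes (stateful allow for outgoing traffic and its replies, default drop for incoming connections unless the 44.137.x.x destination is on a registered list, optional per-class registration, and a "trapdoor" that automatically blocks any source that probes an unallocated subnet) maps directly onto an nftables ruleset on a Linux gateway. The following is an added example written for this thread; it is not the configuration of the 44.137 network or of any AMPR gateway. Interface names (wan0, lan0), the sample registered addresses, the sample unallocated prefix, the 7-day trap timeout and the set size are all constructed placeholders to be replaced with the operator's own values.

```nftables
#!/usr/sbin/nft -f
# Added example (not the 44Net gateway's own ruleset).
# wan0 = internet side, lan0 = 44.137.0.0/16 side (assumed interface names).
flush ruleset

table inet ampr_gateway {

    # 44.137 addresses registered for full incoming internet access.
    # Values below are constructed samples, not real registrations.
    set allowed_inbound {
        type ipv4_addr
        flags interval
        elements = { 44.137.10.5, 44.137.20.0/24 }
    }

    # Class "webserver": registered only for HTTP/HTTPS from internet
    # (one of the finer-grained classes Rob mentions). Constructed samples.
    set allowed_web {
        type ipv4_addr
        flags interval
        elements = { 44.137.30.80 }
    }

    # Subnets of 44.137.0.0/16 that are NOT allocated to anyone.
    # Nobody has a legitimate reason to send traffic there. Constructed sample.
    set unallocated {
        type ipv4_addr
        flags interval
        elements = { 44.137.200.0/22 }
    }

    # The "trapdoor": sources caught probing unallocated space.
    # Filled dynamically by the rules below; entries expire after 7 days
    # (assumed timeout). size is sized for tens of thousands of entries.
    set trapdoor {
        type ipv4_addr
        flags dynamic,timeout
        timeout 7d
        size 131072
    }

    chain forward {
        type filter hook forward priority filter; policy drop;

        # Replies to connections that were allowed earlier (stateful).
        ct state established,related accept
        ct state invalid drop

        # Anything from an already-trapped source is not forwarded at all.
        iifname "wan0" ip saddr @trapdoor drop

        # First hit on an unallocated subnet: add the source to the trap
        # (using the set's 7d timeout) and drop the packet.
        iifname "wan0" ip daddr @unallocated add @trapdoor { ip saddr } drop

        # Everything OUTgoing from the 44.137 side is allowed.
        iifname "lan0" oifname "wan0" ip saddr 44.137.0.0/16 accept

        # INcoming new connections only to registered destinations.
        iifname "wan0" ip daddr @allowed_inbound accept
        iifname "wan0" ip daddr @allowed_web tcp dport { 80, 443 } accept

        # Anything else from internet falls through to policy drop.
    }
}
```

Rule order matters: the trapdoor check sits before the registered-address accepts, so a trapped scanner is cut off even from hosts that asked for internet traffic, which is the behaviour described above. Load with `nft -f` and inspect the current trap contents with `nft list set inet ampr_gateway trapdoor`; registering a user is then just `nft add element inet ampr_gateway allowed_inbound { <their 44.137 address> }`, while the user's own router still applies whatever further filtering they want.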