On 8/13/21 8:39 AM, Tony Langdon via 44Net wrote:
> On 13/8/21 1:43 am, Rob PE1CHL via 44Net wrote:
>> In our network we have a firewall at the internet connection that allows all OUTgoing traffic and replies to it, but by default blocks any INcoming connections from internet unless the destination (44.137.x.x) address is on a list of addresses that allows connections from internet.
> That's likely to be insufficient. I'm just flagging it as a consideration going forward - each connecting user needs to have full control of the level of Internet connectivity they want, to suit their needs.
Of course they have. They can apply whatever filter they deem necessary on their own router. They can submit their request to have incoming internet traffic and be registered in the address list, and then still drop anything other than what they want to handle.
No need to bring up "but what if the user does not know how to do that, or what if they do not have a router which can do that" because in that case they will not request the internet traffic and by default they won't have it.
Sure the implementation could also allow some different classes, e.g.:
- only some well-known hamradio services
- webserver
- ...
- everything
It would make it more complex but it could reduce the amount of traffic unnecessarily forwarded to users (over slow links).
We also have a "trapdoor" firewall that automatically blocks source addresses that "portscan" 44.137.x.x subnets that are not allocated. So those pesky "researchers" are automatically blocked the first time they hit an unallocated subnet, and as they do their research without first checking how the space is used, that is usually quite quickly. (there are typically about 70000 addresses in that automatic list) Incoming traffic from these addresses is not forwarded at all.
Rob
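As an added illustration (not code from the 44Net thread or from Rob's network), the following Python model shows the two mechanisms described above working together: a stateful policy that lets everything out, lets replies back in, and accepts new inbound connections only for destinations on an allow list, plus a "trapdoor" that blocks a source for good the first time it touches unallocated 44.137.x.x space. The allocated subnets, the allow-listed host and the packet sequence are constructed sample values; only the 44.137.0.0/16 prefix comes from the thread.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed sample layout (assumption): which parts of 44.137.0.0/16 are
# allocated to users, and which hosts asked to receive internet traffic.
NETWORK = ip_network("44.137.0.0/16")
ALLOCATED = [ip_network("44.137.10.0/24"), ip_network("44.137.20.0/24")]
INBOUND_ALLOWED = {ip_address("44.137.10.5")}


@dataclass
class Packet:
    src: str    # source address
    dst: str    # destination address
    dport: int  # destination port


@dataclass
class Firewall:
    allocated: list
    inbound_allowed: set
    # (remote, local) pairs for flows opened from inside, so replies are let back in
    established: set = field(default_factory=set)
    # sources that probed unallocated space; everything from them is dropped
    trapdoor: set = field(default_factory=set)

    def outbound(self, pkt: Packet):
        """Traffic leaving the network is always accepted and its flow remembered."""
        self.established.add((pkt.dst, pkt.src))
        return ("ACCEPT", "outbound")

    def inbound(self, pkt: Packet):
        """Apply the inbound policy in order and return (verdict, reason)."""
        src, dst = ip_address(pkt.src), ip_address(pkt.dst)
        # 1. Sources already in the trapdoor list are not forwarded at all.
        if src in self.trapdoor:
            return ("DROP", "trapdoor")
        # 2. A packet to a 44.137.x.x address nobody holds is a probe:
        #    record the source and drop the packet.
        if dst in NETWORK and not any(dst in net for net in self.allocated):
            self.trapdoor.add(src)
            return ("DROP", "probe")
        # 3. Replies to connections opened from inside are allowed.
        if (pkt.src, pkt.dst) in self.established:
            return ("ACCEPT", "reply")
        # 4. New inbound connections only for hosts on the allow list.
        if dst in self.inbound_allowed:
            return ("ACCEPT", "listed")
        return ("DROP", "not listed")


def run_sample():
    """Run a constructed packet sequence through the policy; returns the verdicts."""
    fw = Firewall(ALLOCATED, INBOUND_ALLOWED)
    # Constructed sample traffic: documentation-range addresses stand in for internet hosts.
    return [
        fw.outbound(Packet("44.137.10.5", "203.0.113.7", 443)),   # user goes out
        fw.inbound(Packet("203.0.113.7", "44.137.10.5", 40000)),  # reply comes back
        fw.inbound(Packet("198.51.100.9", "44.137.10.5", 80)),    # new inbound, host listed
        fw.inbound(Packet("198.51.100.9", "44.137.10.6", 80)),    # new inbound, host not listed
        fw.inbound(Packet("192.0.2.33", "44.137.99.1", 22)),      # unallocated subnet: probe
        fw.inbound(Packet("192.0.2.33", "44.137.10.5", 80)),      # same source, listed host: still dropped
    ]


if __name__ == "__main__":
    for verdict, reason in run_sample():
        print(verdict, reason)
```

The last two packets are the point of the trapdoor: once a source has hit unallocated space it is dropped even for destinations that would otherwise accept inbound traffic, which is why the automatic list only needs one probe to take effect.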