Re: [44net] 44Net Digest, Vol 10, Issue 112

Pierre, Coming from twenty years helping various companies connect to the Internet, I find your view of firewalls to not match my own. A firewall can filter at any layer of the network stack (depending on the firewall), but layer 2 and layer 3 firewalls are extremely common... Therefore I look back on you're trying to firewall off a bunch of machines at L3 from the internet at large, while allowing them to speak to the other 44 net machines. I believe we would be better served if that is your goal to write the following rules in whatever ACL / Firewall language your platform allows at the network ingress: Source address 44.0.0.0/9 to any (or more specifically 44.0.0.0/9 & 44.128.0.0/10 if you want those extra rules). Source Address 0.0.0.0/0 drop to any There now your input doesn't allow non 44 net traffic to propagate through your network.... OK, I'm being a little bit simplistic here, but this is what we do in the real world. It is a pure L3 solution. Just like I would do L2 filtering (MAC address level) if I was connected to a ISP on a broadcast medium and only wanted to talk with my upstream provider. In the commercial space groups will publish their addresses mutually with each other to whitelist at the firewalls. I think if there are substantial groups who want to form private networks AMPR being a clearing house of that information is totally appropriate, but it should be up to those groups to control their ingress and egress points, not the network itself. Its job should be to build the backbone and enable connectivity between hams without conflicting address spaces. I have come to view this as a issue a premature optimization. We know where we are now, we know some of the struggles that certain groups are having. But top down solutions tend to have unintended consequences, and become rapidly brittle. Letting groups design their own ingress / egress rules allows them to rapidly iterate. Providing them out of band additional information such as lists of networks that only want to speak to hams, or lists of un-allocated blocks will give them the flexibility to design their rules, and the rest the ability to keep doing what they need to do. Finally, we are still seeing memory and processing power increase with each generation of devices, so we are in no danger of our ham radio network exceeding the basic capacity of most consumer devices, even ones that are on the used market. Best regards, Bill - AF7SJ On 8/16/2021 1:00 PM, 44net-request(a)mailman.ampr.org wrote: