Ronen, it is a coincidence, and it seems "they" also use some fake ampr addresses in those attacks (e.g. yours and mine).
On my gw there is almost no DNS activity, still some spurious responses to supposed requests from my hosts bounce back via the tunnel. But I have a lot of port scanning and connection attempts to ssh, telnet, pop3 and other ports.
You will need to learn to live with them.
Regarding filtering: You cannot filter that traffic on an upstream router, because that router will see that traffic as IPIP from ampr-gw to you. It will not know what's inside the packet, DNS or something else. So the point to drop it is the actual gateway.
As a general rule: drop EVERYTHING and afterwards open only the ports you need.
Basically this is what you need:

Input chain:
- accept connections with state "new" from your internal interface
- accept connections with state "established" or "related"
- drop everything else.

Output chain:
- accept all

Forward chain:
- accept connections with state "new" from your internal interface if you want access from internal hosts to the outside
- accept connections with state "established" or "related" if you want access from internal hosts to the outside
- optional: dst-nat from a specific port to any internal host if you need port forwarding.
- drop everything else
This will keep you on the safe side... Later you can start to add rules to suit your needs (these will stay in place forever...).
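The chain layout above, written out as iptables commands. This is an added example, not code from the list post. It assumes eth0 as the internal interface, tunl0 as the decapsulated tunnel interface, and takes the ampr-gw address as a parameter (a placeholder is used below; the real address is not on this page). It prints the rules instead of applying them, so they can be reviewed first. One thing the list does not spell out: the outer IPIP packets from ampr-gw also pass through INPUT before the kernel decapsulates them, so with a default DROP policy they need an explicit accept or the tunnel stops working; the inner packets are then seen again on tunl0 and hit the "drop everything else" rule, which is where the DNS floods and scans die.

```shell
#!/bin/sh
# Added example, not from the list post: emits a default-deny iptables ruleset
# following the chain layout in the reply (INPUT/FORWARD default DROP, OUTPUT
# open, NEW only from the LAN side, ESTABLISHED/RELATED allowed, optional DNAT).
# It prints the commands rather than applying them. Interface names, the
# ampr-gw address and the forward target are parameters and are assumptions,
# not values taken from the post.
gen_rules() {
    lan="$1"       # internal (LAN) interface, e.g. eth0 (assumed)
    tun="$2"       # decapsulated IPIP tunnel interface, e.g. tunl0 (assumed)
    gw="$3"        # public IPv4 address of ampr-gw, the IPIP peer (placeholder)
    fwd_port="$4"  # optional TCP port to forward from the tunnel side
    fwd_host="$5"  # optional internal host that receives the forward

    # Clean slate; the policies are the "drop EVERYTHING" part.
    echo "iptables -F"
    echo "iptables -t nat -F"
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -P OUTPUT ACCEPT"

    # INPUT: loopback, new connections from the LAN only, and replies to
    # anything the gateway itself started.
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -i $lan -m conntrack --ctstate NEW -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Outer IPIP packets (IP protocol 4) from ampr-gw traverse INPUT before
    # decapsulation. Accept them here; the inner packets reappear on $tun and
    # are filtered by the rules above, so unsolicited inbound traffic from the
    # tunnel still falls through to the DROP policy.
    echo "iptables -A INPUT -p 4 -s $gw -j ACCEPT"
    # Rate-limited log of what the policy is about to drop on the tunnel side,
    # so the scanning activity stays visible without flooding the log.
    echo "iptables -A INPUT -i $tun -m limit --limit 6/min -j LOG --log-prefix 'ampr-drop-in: '"

    # FORWARD: internal hosts may go out; only replies come back in.
    echo "iptables -A FORWARD -i $lan -m conntrack --ctstate NEW -j ACCEPT"
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"

    # Optional port forward: DNAT on the tunnel side plus the matching FORWARD
    # accept, needed because the DNATed packet is still conntrack state NEW.
    if [ -n "$fwd_port" ] && [ -n "$fwd_host" ]; then
        echo "iptables -t nat -A PREROUTING -i $tun -p tcp --dport $fwd_port -j DNAT --to-destination $fwd_host:$fwd_port"
        echo "iptables -A FORWARD -i $tun -p tcp -d $fwd_host --dport $fwd_port -m conntrack --ctstate NEW -j ACCEPT"
    fi
    echo "iptables -A FORWARD -i $tun -m limit --limit 6/min -j LOG --log-prefix 'ampr-drop-fwd: '"
}

# Usage: sh ampr-fw.sh eth0 tunl0 <ampr-gw-ip> [port host]        (review)
#        sh ampr-fw.sh eth0 tunl0 <ampr-gw-ip> [port host] | sh   (apply)
if [ "$#" -ge 3 ]; then
    gen_rules "$@"
fi
```

Run it once without the trailing `| sh` and read the output before applying it; the LOG rules are there so that the port scans and DNS responses bouncing back through the tunnel show up in the kernel log as dropped, which is the only place you will see them once the policy is in place.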
-----Original Message-----
From: R P
Sent: Thursday, April 07, 2016 20:03
To: AMPRNet working group
Subject: [44net] firewall rules at AMPR.ORG router ?

... NB: I still don't understand what is the point behind a UDP flood. May someone explain it to me?
I can understand telnet, ftp, ssh, web attempts but not a DNS flood; may someone explain it to me?
One more point: I have talked with a friend of mine whose job includes networking. He has a fixed IP connected to a Cisco ASA firewall and he doesn't see any DNS attacks in the logs; he saw here and there SIP attempts (I see at the 44 net here also some UDP SIP but it is almost 0 compared to the DNS attack), so it looks like the DNS is related more to the AMPRNET and not to the regular internet.
Or maybe this is a coincidence.
Anyway it is something I haven't seen on the AMPRNET network we had 20 years ago.
Regards
Ronen - 4Z4ZQ
Ronen Pinchooks (4Z4ZQ) WebSite: http://www.ronen.org/

________________________________________
44Net mailing list
44Net@hamradio.ucsd.edu
http://hamradio.ucsd.edu/mailman/listinfo/44net