On 13/8/21 1:43 am, Rob PE1CHL via 44Net wrote:
> In our network we have a firewall at the internet connection that allows all OUTgoing traffic and replies to it, but by default blocks any INcoming connections from internet unless the destination (44.137.x.x) address is on a list of addresses that allows connections from internet.
That's likely to be insufficient. I'm just flagging it as a consideration going forward - each connecting user needs to have full control of the level of Internet connectivity they want, to suit their needs.
> So we can have full internet connectivity without the constant portscanning and other unwanted traffic incoming from internet, and we know that most internet traffic is at least initiated by a radio amateur. We only pass traffic for registered IP addresses, for which a responsible callsign is known in the DNS.
Sounds like the UCSD policy - only issue I have with that is the manual process of DNS changes - a deal breaker for me, otherwise it's perfectly fine. But then again, some hosts might need "internal" name resolution, but not Internet access.
> Such a firewall is only feasible when there is a single connection point for the internet gateway of a subnet, or at least a single router where all traffic passes through. That should be considered when deciding between "advertise the entire AMPRnet everywhere" or
Yep. Some thought needed here.
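The gateway policy Rob describes (all outgoing traffic and its replies allowed, new connections from the internet dropped unless the 44.137.x.x destination is on an allow-list), written out as an nftables ruleset. This is an added example, not configuration from the 44Net thread or any 44Net gateway; the interface names, the sample set entries and the log prefix are assumptions.

```nft
#!/usr/sbin/nft -f
# Added example (not from the thread): stateful gateway filter for a 44.137.0.0/16 subnet.
# Assumed interface names: eth-inet faces the internet, eth-ampr faces the 44.137 side.
flush ruleset

table inet ampr_gw {
    # Destinations inside 44.137.0.0/16 that may accept connections from the internet.
    # Constructed sample entries. A user's host can be added or removed at runtime
    # without reloading the whole ruleset, e.g.
    #   nft add element inet ampr_gw inbound_allowed { 44.137.2.7 }
    #   nft delete element inet ampr_gw inbound_allowed { 44.137.2.7 }
    set inbound_allowed {
        type ipv4_addr
        flags interval
        elements = { 44.137.1.10, 44.137.3.0/24 }
    }

    chain forward {
        type filter hook forward priority filter; policy drop;

        # Packets belonging to a connection already seen in either direction pass;
        # this is what makes "all outgoing traffic and replies to it" work.
        ct state established,related accept
        ct state invalid drop

        # Connections initiated from the 44.137 side toward the internet.
        iifname "eth-ampr" oifname "eth-inet" ip saddr 44.137.0.0/16 accept

        # New connections from the internet: only to allow-listed destinations.
        iifname "eth-inet" oifname "eth-ampr" ip daddr @inbound_allowed ct state new accept

        # Everything else arriving from the internet is dropped. Log a rate-limited
        # sample and count the rest, so the portscanning noise stays visible
        # without flooding the log.
        iifname "eth-inet" oifname "eth-ampr" limit rate 10/minute log prefix "ampr-gw inbound drop: " counter drop
        iifname "eth-inet" oifname "eth-ampr" counter drop
    }
}
```

Only the forward chain is shown; traffic addressed to the gateway itself is handled by a separate input chain, and the whole scheme only holds when this router is the single path between the subnet and the internet, as the thread notes.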