On 13/8/21 1:43 am, Rob PE1CHL via 44Net wrote:
> In our network we have a firewall at the internet connection that
> allows all OUTgoing traffic and replies to it, but by default blocks
> any INcoming connections from internet unless the destination
> (44.137.x.x) address is on a list of addresses that allows connections
> from internet.
That's likely to be insufficient. I'm just flagging it as a
consideration going forward - each connecting user needs to have full
control of the level of Internet connectivity they want, to suit their
needs.
> So we can have full internet connectivity without the constant
> portscanning and other unwanted traffic incoming from internet,
> and we know that most internet traffic is at least initiated by a
> radio amateur. We only pass traffic for registered IP addresses,
> for which a responsible callsign is known in the DNS.
Sounds like the UCSD policy - the only issue I have with that is the
manual process of DNS changes - a deal breaker for me, otherwise it's
perfectly fine. But then again, some hosts might need "internal" name
resolution, but not Internet access.
> Such a firewall is only feasible when there is a single connection
> point for the internet gateway of a subnet, or at least a single router
> where all traffic passes through. That should be considered when
> deciding between "advertise the entire AMPRnet everywhere" or
Yep, some thought needed here.
--
73 de Tony VK3JED/VK3IRL
http://vkradio.com
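As an added illustration of the edge policy Rob describes (not his actual firewall configuration, and not part of the original thread), the following Python model evaluates flows at a single gateway: replies to outbound flows pass statefully, outbound traffic passes only from addresses with a registered callsign, and inbound connections are dropped unless the destination is on the inbound allowlist. The 44.137.0.0/16 prefix, the host addresses and the allowlists are constructed for the example.

```python
import ipaddress
from typing import Set, Tuple

# Constructed example values: the subnet behind the gateway, the addresses
# that have a responsible callsign registered in DNS, and the subset of
# those that may additionally accept connections initiated from the internet.
AMPR_SUBNET = ipaddress.ip_network("44.137.0.0/16")
REGISTERED = {ipaddress.ip_address(a) for a in ("44.137.1.10", "44.137.1.20")}
INBOUND_ALLOWED = {ipaddress.ip_address("44.137.1.20")}

FlowKey = Tuple[str, str, int, int, str]  # src, dst, sport, dport, proto


class EdgeFirewall:
    """Stateful default-deny-inbound filter for a single gateway router."""

    def __init__(self) -> None:
        self.conntrack: Set[FlowKey] = set()  # flows already accepted

    def decide(self, src: str, dst: str, sport: int, dport: int,
               proto: str = "tcp") -> str:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        key: FlowKey = (src, dst, sport, dport, proto)
        reverse: FlowKey = (dst, src, dport, sport, proto)
        # Replies to (or continuations of) an accepted flow pass regardless
        # of direction: this is the "replies to outgoing traffic" clause.
        if key in self.conntrack or reverse in self.conntrack:
            return "accept:established"
        if s in AMPR_SUBNET and d not in AMPR_SUBNET:
            # Outbound: only hosts with a callsign in DNS may originate traffic.
            if s in REGISTERED:
                self.conntrack.add(key)
                return "accept:outbound"
            return "drop:unregistered-source"
        if d in AMPR_SUBNET and s not in AMPR_SUBNET:
            # Inbound new connection: default deny unless explicitly listed.
            if d in INBOUND_ALLOWED and d in REGISTERED:
                self.conntrack.add(key)
                return "accept:inbound-allowlisted"
            return "drop:inbound-default"
        return "drop:not-an-edge-flow"


if __name__ == "__main__":
    fw = EdgeFirewall()
    print(fw.decide("44.137.1.10", "198.51.100.5", 40000, 443))  # outbound
    print(fw.decide("198.51.100.5", "44.137.1.10", 443, 40000))  # reply
    print(fw.decide("203.0.113.9", "44.137.1.10", 55555, 22))    # unsolicited
```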