6 Jun
2015
6 Jun
'15
12:24 a.m.
Maybe we should recommend some outbound firewalling for such known nuisances?
To reduce traffic, drop neighbor discovery and smb as well as MikroTik
Neighbor Discovery Protocol on tunl0 (optional, but a good idea):
iptables -A OUTPUT -o tunl0 -p udp --dport 10001 -j DROP
iptables -A OUTPUT -o tunl0 -p udp --dport 137:139 -j DROP
iptables -A OUTPUT -o tunl0 -p udp --dport 5678 -j DROP
81.174.253.193 2014-02-23 11:14:58 G7UOD
24.85.103.226 2014-05-22 15:26:56 VE7ASS
6 Jun
6 Jun
2:54 a.m.
New subject: Strange Broadcasts...
The iptables solution doesn't apply to Mikrotik equipment since they don't
run Linux.
The Mikrotik Neighbor Discovery Protocol (MNDP) is enabled by default on
newly created IPIP interfaces.
And since there is such an interface for each mesh partner, they are
probable programatically generated by a script.
So the correction has to be be done in that script, to explicitly disable
MNDP for each newly created interface.
But really, isn't this a kind of overreaction to one 149 bytes long packet
every minute?
Marius, YO2LOJ
-----Original Message-----
...
Maybe we should recommend some outbound firewalling for such known
nuisances?
To reduce traffic, drop neighbor discovery and smb as well as MikroTik
Neighbor Discovery Protocol on tunl0 (optional, but a good idea):
iptables -A OUTPUT -o tunl0 -p udp --dport 10001 -j DROP
iptables -A OUTPUT -o tunl0 -p udp --dport 137:139 -j DROP
iptables -A OUTPUT -o tunl0 -p udp --dport 5678 -j DROP
10:21 a.m.
New subject: Strange Broadcasts...
On Fri, Jun 5, 2015 at 11:54 PM, Marius Petrescu <marius(a)yo2loj.ro> wrote:
But really, isn't this a kind of overreaction to
one 149 bytes long packet
every minute?
Agreed. The sky is not falling.
Running neighbor discovery protocol is actually a benefit. It tells
you that you have connectivity to this other AMPR gateway. If those
neighbor discovery packets ever stop, you know something has gone
wrong and your tunnel to that gateway is broken. If all gateways ran
this protocol, you could start collecting some health statistics for
the entire network.
Tom KD7LXL
1:14 p.m.
New subject: Strange Broadcasts...
Overreaction, yes, if you consider 149 bytes each minute. But what if
ALL the MikroTic guys were doing exactly the same thing: broadcasting
every minute through every ampr gateway's tunnel? It would, methinks,
turn my tunnel into a total dog's breakfast, making it impossible for me
to monitor the 'real' activity on my system.
Every packet from all the folks I share an axip/udp link with traverses
my tun0, which I monitor. Now add the async discovery broadcasts from
how many MikroTic guys, before the real traffic can no longer be seen
through the 'I'm alive are you alive' clutter?
This is my real concern.
I'm sorry if the terms I use are not in the best networking argot.
73 - jerome - ve7ass
On 2015-06-06 07:21, Tom Hayward wrote:
(Please trim inclusions from previous messages)
_______________________________________________
On Fri, Jun 5, 2015 at 11:54 PM, Marius Petrescu <marius(a)yo2loj.ro> wrote:
But really, isn't this a kind of overreaction
to one 149 bytes long packet
every minute?
Agreed. The sky is not falling.
Running neighbor discovery protocol is actually a benefit. It tells
you that you have connectivity to this other AMPR gateway. If those
neighbor discovery packets ever stop, you know something has gone
wrong and your tunnel to that gateway is broken. If all gateways ran
this protocol, you could start collecting some health statistics for
the entire network.
Tom KD7LXL
_________________________________________
44Net mailing list
44Net(a)hamradio.ucsd.edu
http://hamradio.ucsd.edu/mailman/listinfo/44net
1:23 p.m.
New subject: Strange Broadcasts...
Honestly, if you’re on the internet and expect to not get random packets, you’re deluding
yourself. And any decent packet capture/analysis program is EASILY capable of filtering on
anything your heart could desire. If you don’t want to see certain traffic, filter it from
your capture results.
On a personal opinion, 44-net and the tunnels are treated too much like a RF system. This
is a network, similar to and attached to the internet, random stuff WILL come across,
attacks will happen, and you’ll communicate like normal. It’s the responsibility of
someone attaching an RF device to the internet to use firewalls or whatever other means to
filter out the cruft as appropriate for their RF service. For example, if you’re in the
US, and use Part 15, then perhaps you don’t care. If you’re on Part 97, then filter out
what you don’t expect.
Complaining on the mailing list about every stray packet one sees (and this is not the
first) uses far more bandwidth than the 149 byte packet, and FAR FAR FAR more of
everyone’s time.
This is the internet, it’s an unexpected packet, that’s expected.
Nigel
On Jun 6, 2015, at 10:14, jerome schatten
<romers(a)shaw.ca> wrote:
(Please trim inclusions from previous messages)
_______________________________________________
Overreaction, yes, if you consider 149 bytes each minute. But what if ALL the MikroTic
guys were doing exactly the same thing: broadcasting every minute through every ampr
gateway's tunnel? It would, methinks, turn my tunnel into a total dog's breakfast,
making it impossible for me to monitor the 'real' activity on my system.
Every packet from all the folks I share an axip/udp link with traverses my tun0, which I
monitor. Now add the async discovery broadcasts from how many MikroTic guys, before the
real traffic can no longer be seen through the 'I'm alive are you alive'
clutter?
This is my real concern.
I'm sorry if the terms I use are not in the best networking argot.
73 - jerome - ve7ass
On 2015-06-06 07:21, Tom Hayward wrote:
(Please trim inclusions from previous messages)
_______________________________________________
On Fri, Jun 5, 2015 at 11:54 PM, Marius Petrescu <marius(a)yo2loj.ro> wrote:
_________________________________________
44Net mailing list
44Net(a)hamradio.ucsd.edu
http://hamradio.ucsd.edu/mailman/listinfo/44net But really, isn't this a kind of overreaction
to one 149 bytes long packet
every minute?
Agreed. The sky is not falling.
Running neighbor discovery protocol is actually a benefit. It tells
you that you have connectivity to this other AMPR gateway. If those
neighbor discovery packets ever stop, you know something has gone
wrong and your tunnel to that gateway is broken. If all gateways ran
this protocol, you could start collecting some health statistics for
the entire network.
Tom KD7LXL
_________________________________________
44Net mailing list
44Net(a)hamradio.ucsd.edu
http://hamradio.ucsd.edu/mailman/listinfo/44net
8:53 p.m.
New subject: Strange Broadcasts...
On 6/6/15 1:23 PM, Nigel Vander Houwen wrote:
Complaining on the mailing list about every stray
packet one sees (and this
is not the first) uses far more bandwidth than the 149 byte packet, and FAR
FAR FAR more of everyone’s time.
This is the internet, it’s an unexpected packet, that’s expected.
+1
I really can't believe people are logging every single packet across their
network. I mean come on people, don't we have better things to do with our
time. ;-)
73's W9CR
--
Bryan Fields
727-409-1194 - Voice
727-214-2508 - Fax
http://bryanfields.net
3264
days inactive
3265
days old
5 comments
6 participants
participants (6)
-
Bryan Fields -
jerome schatten -
Marius Petrescu -
Nigel Vander Houwen -
Steve L -
Tom Hayward