Greetings Peter (et al),
Sorry for being a bit off topic, could someone please help me with a
current JNOS 2.0j.7 autoexec.nos file? I only have old 1.11 configs on
floppies somewhere but will need to find a working floppy drive first.
Thanks ....... Peter ZL2BAU

Hi.
Here is the 'autoexec.nos' I run here on Hamgate.Washtenaw.AMPR.org.
At the bottom, I have included the 'access.rc' TCP and IP access firewall
rules.
This 'autoexec.nos' is used on a DOS machine. It will require a few
tweaks to have it run on a Linux box.
Enjoy!
--- Jay WB8TKL
# autoexec.nos
#
# 040821 tkl - first cut
# 040822 tkl - Adding ETH0
# 040825 tkl - Added AX1
# tkl - Configured to work with NOS110 version as well as 111
# 041206 tkl - Also works with JNOS2.0a (for DOS)
# 051104 tkl - Including a better access.rc firewall
# 060305 tkl - Configured as new YPSI Hamgate (access3.rc local.rte)
# 080604 tkl - HG.LIV now CONV links to us (rather than us to him)
# Also changed 'smtp timer 900' (was 300)
# 'smtp maxclients 4' (was default of 10)
# And changed 145.76 interface to 144.93
# 080911 tkl - Changed TCP SYNDATA to off (cheap routes won't pass SYNDATA)
# Moved all SMTP and BBS Mail settings into /nos/etc/mail.cfg
# 090320 tkl - Removed conv link to Monroe (they link to us now)
# 100309 tkl - Added link to MICONV
# 100315 tkl - Using experimental nos2a-nr.exe
# Modified autoexec.nos to support NetROM (MIYPSI WB8TKL-7)
# 120418 tkl - Changed eth0 from 216.144.208.44 to 216.86.85.144
# = Changed nameserver from 216.144.208.67 to 216.86.85.167
#
#
########################################
### Memory and System Configs ###
########################################
isat yes
watchdog yes
mem minalloc 32
mem ibufsize 2048
mem nibufs 7
mem debug on
echo "***** Memory configured *****"
pause 2
########################################
### Station Identity ###
########################################
ax25 mycall wb8tkl-4
ax25 ttycall wb8tkl-5
ax25 bbscall wb8tkl-3
ax25 alias YPSI
hostname HamGate.Washtenaw.AMPR.org
ip address 44.102.1.1
ax25 bctext "WB8TKL-3 (YPSI) Washtenaw County AX25 & TCP/IP HamGate [www.MI-DRG.org]"
#
########################################
### Global AX.25 Parameters ###
########################################
ax25 version 2
ax25 maxframe 1
ax25 retries 10
ax25 pacl 200
ax25 window 1024
ax25 irtt 4000
ax25 timer linear
ax25 t3 0
ax25 t4 1200
ax25 maxwait 9000
#
########################################
### Global TCP/IP Parameters ###
########################################
tcp timertype linear
tcp maxwait 9000
tcp retries 32
tcp window 864
tcp blimit 20
tcp irtt 4000
tcp mss 512
tcp syndata off
#
ip ttl 225
ip rt 4
#
########################################
### Port Attaches ###
########################################
attach packet 60 eth0 11 1500
attach asy 0x3f8 4 ax25 144.93 576 256 9600 f1
##attach asy 0x2f8 3 ax25 223.40 576 256 4800 f1
#
attach netrom
#
echo "***** Attaches completed *****"
pause 2
#
########################################
### Configure the Interfaces ###
########################################
#
# ETHERNET
ifconfig eth0 ipaddress 216.86.85.144
ifconfig eth0 netmask 255.255.255.0
ifconfig eth0 broadcast 216.86.85.255
ifconfig eth0 descript "Ethernet to the Internet"
#
ifconfig eth0 tcp win 1024
ifconfig eth0 tcp irtt 50
ifconfig eth0 tcp maxw 150
ifconfig eth0 tcp mss 512
echo "***** Ethernet configured *****"
pause 2
#
# ENCAP
ifconfig encap ipaddress 44.102.1.1
ifconfig encap netmask 255.255.255.255
ifconfig encap broadcast 255.255.255.255
ifconfig encap description "IPIP Encapsulation interface"
echo "***** ENCAP configured *****"
pause 2
#
# COM1 [144.93]
ifconfig 144.93 descript "144.93 MHz AX.25/IP Local Access port"
ifconfig 144.93 netmask 0xffffff00
param 144.93 up #130 (129 = down)
param 144.93 1 100 #1 Transmit delay
param 144.93 2 128 #2 Persistence
param 144.93 3 10 #3 Slot time
param 144.93 4 10 #4 Transmit tail
param 144.93 5 0 #5 0=half 1=full duplex
param 144.93 8 1 #8 dtr
param 144.93 9 1 #9 rts
#
# COM2 [223.40]
##ifconfig 223.40 descript "223.40 MHz 1200 baud District-2south Backbone Network"
##ifconfig 223.40 netmask 0xffffff00
##param 223.40 up
##param 223.40 1 30
##param 223.40 2 128
##param 223.40 3 10
##param 223.40 4 10
##param 223.40 5 0
##param 223.40 8 1
##param 223.40 9 1
#
# COM3 [phone]
##attach asy 0x3e8 5 slip phone 2048 576 19200 v
##param phone up
#
echo "***** IFconfig & Param completed *****"
pause 2
#
###################
### NetROM ###
###################
start netrom
pause 2
#
netrom alias MIYPSI
netrom call wb8tkl-7
#
mode netrom vc
netrom minquality 10
#
netrom interface 144.93 192
netrom bcnodes 144.93
netrom bcpoll 144.93
pause 2
#
netrom acktime 3000
netrom choketime 180000
#
netrom derate on
netrom hidden off
netrom promiscuous off
#
netrom retries 10
##netrom tdisc 0
netrom ttl 10
netrom window 4
#
netrom timertype linear
netrom irtt 15000
netrom nodetimer 1800
netrom obsotimer 2100
netrom qlimit 2048
#
###netrom verbose on
##netrom kick
#
echo "***** NetROM configured *****"
#
########################################
### Services ###
########################################
start ax25
start telnet
start smtp
start ttylink
start convers
start ftp
start forward
start finger
start pop3
start remote
##start http 80
##start http 8080
echo "***** Services Started *****"
pause 2
#
########################################
### Digipeating, JHeard, Beacons ###
########################################
ax25 bcinterval 1900
ax25 hsize 30
#
ax25 bcport 144.93 on
ax25 digi 144.93 on
ax25 hport 144.93 on
#
##ax25 bcport 223.40 on
##ax25 digi 223.40 on
##ax25 hport 223.40 on
#
ip hsize 30
ip hport 144.93 on
##ip hport 223.40 on
##pause 2
#
###########################
### ARP Settings ###
###########################
##arp eaves eth0 on
arp eaves 144.93 on
##arp eaves 223.40 on
#
arp poll eth0 on
arp poll 144.93 on
##arp poll 223.40 on
arp maxq 10
#
##arp publish 44.102.1.72 ax25 ka8pog-4 145.76
##arp publish 44.102.1.42 ax25 ka8pog-4 145.76
#
#########################################
### Domain Name Service (DNS) ###
#########################################
domain dns on
domain suffix ampr.org.
domain add 216.86.85.167
domain ret 2
domain maxw 60
domain translate off
#
domain verbose yes
domain cache clean off
domain cache wait 330
domain cache size 15
# cache for 5.7 days
domain ttl 500000
#
echo "***** Resolver configured *****"
pause 2
########################################
### CONVerse Bridge ###
########################################
conv hostname WASHTENAW
conv channel 81
conv mycall wb8tkl-6
conv interface 144.93 on
#
##conv filter mode accept
##conv filter 44.102.24.1
##conv filter 44.102.56.1
#
###conv link 44.102.24.1 3600 LIVINGSTON
###conv link 44.102.238.1 3600 ALCONA
###conv link 44.102.56.1 3600 MONROE
conv link 44.102.135.1 3600 MICONV
#
conv maxwait 600
#
########################################
### SMTP & BBS Mail ###
########################################
source /nos/etc/mail.cfg
echo "***** /nos/etc/mail.cfg sourced *****"
pause 2
#
########################################
### Routing Tables ###
########################################
source /nos/encap.txt
echo "***** /nos/encap.txt sourced *****"
#
source /nos/etc/local.rte
echo "***** /nos/etc/local.rte sourced *****"
#
# Gateway through a neighboring station
##route add 44.102.1.220 145.76 44.102.48.88
##route add 44.102.1.50 145.76 44.102.1.32
#
# AX25 ROUTES
##ax25 route perm wa8efk 145.76 wpxd
##ax25 route perm n8kuf 145.76 wpxd
#
pause 2
########################################
### Firewall Rules ###
########################################
source /nos/access3.rc
echo "***** /nos/access3.rc sourced *****"
##echo "#### no access.rc ###"
pause 2
#
########################################
### Passwords ###
########################################
mbox password "12345"
remote -s PURPLE
#
########################################
### Miscellaneous ###
########################################
source /nos/scripts/fkeys.scr
echo "***** /nos/scripts/fkeys.scr sourced *****"
##pause 5
#
trace 144.93 111
trace netrom 0211
strace on
#
history 15
watchdog on
log on
#
# ---end---
#
# Gateways-Access-FAQ
#
# /nos/access3.rc
#
# 20080604 tkl - Change interface to 144.93
#
#
# Start of ACCESS.RC file
# ***********************
# NB: The IP ACCESS and TCP ACCESS frame work is based on IP ACCESS and TCP
# ACCESS control files shown below written by VE3RKS at VE3UOW and by
# VE3PNX at VE3RPI.
#
# - This file should be sourced into your autoexec.nos file after all ports
# have been attached and defined.
# - This file also contains a handy summary of what TCP/UDP ports are
# commonly used.
# - This file contains information on the use of TCP ACCESS and IP ACCESS
# - All lines begin with # symbols. This is to allow this file to be
# sourced into your autoexec.nos after being edited for your specific setup.
# Lines that do not begin with # symbols are valid NOS IP and TCP ACCESS
# commands.
#
# Ports of interest for both UDP and TCP
# **************************************
# 1 - 3599 - SERVER PORTS limit access based on local rules UDP and TCP
#
#***************************************************************************
# 7 - ECHO
# 9 - DISCARD
# 20 - FTP-DATA
# 21 - FTP-CONTROL
# 23 - TELNET
# 25 - SMTP
# 57 - SECONDARY TELNET
# 67 - BOOTP
# 79 - FINGER
# 87 - TTYLINK [Operator chat]
# 97 - AXIP/IPIP/IPTUNNEL
# 109 - POP2
# 110 - POP3
# 119 - NNTP
# 513 - RLOGIN/RWHO
# 525 - TIME DAEMON
# 1234 - REMOTE
# 1235 - CALLSIGN DB
# 3600 - CONVERS [Only AMPR.ORG domain should have access]
# 3601 - LZW CONVERS [Only AMPR.ORG domain should have access]
#
#***************************************************************************
# 1050 - 32768 - REPLY PORTS should be accessible to all <= very important
#
#***************************************************************************
#
# TCP ACCESS
# **********
# TCP ACCESS is used to limit access to certain servers accessible by
# TCP/TELNET to specific ports. For example you may want to allow
# access to the SMTP server in your machine from all machines AMATEUR
# and NON-AMATEUR.
#
# TCP access stops a connection to a server from being built at only
# the machine at which it is installed. If you want to stop a gateway
# from routing TCP/IP packets from specific addresses to specific
# addresses you need to use the IP ACCESS code!
#
# TCP ACCESS WHAT FROM LOW HIGH
# ### ###### ###### ############### ##### #####
#
# Permit all AMPR.ORG and LOCAL domains to ports 1 - 3601
tcp access permit 44/8 1 3601
tcp access permit 127.0.0.1 1 3601
#
# Do NOT allow inbound SMTP connections from the Internet
tcp access deny all 25 25
#
# Permit all to ports 1 - 3599
tcp access permit all 1 3599
#
# Permit all access to ports 3602 - 32768
tcp access permit all 3602 32768
#
# Deny all access to CONVERS ports 3600 and 3601
tcp access deny all 3600 3601
#
#
# NOTES: The preceding TCP ACCESS code is read in order. TOP down!
# Order is important. In reading from top down the first rule that
# satisfies the origination address and port requirements is the one
# used. So you should place excludes before includes for specific
# originating addresses then followed by global [all] includes or
# excludes.
#
# Example:
# tcp access permit all 1 32768
# tcp access deny 167.23.43.1 3600 3601 <= should be first line
#
# This would not deny 167.23.43.1 access to convers server as the first
# rule would satisfy the test to allow, but reversing the order would!
#
#
# IP ACCESS
# *********
# IP ACCESS is an important bit of code for an INTERNET/AMPRnet Gateway
# as it can be used to selectively allow or disallow the routing of
# TCP/IP packets based on source ip address, destination ip address,
# packet type [udp/tcp/..], UDP or TCP port number and interface port.
#
# For most gateways you would like to only pass AMPR.ORG originated
# ip addresses to other AMPR.ORG ip addresses (like UK and AUSTRALIAN LAW).
# Exceptions might be where local law allows Amateurs to originate to
# anywhere (including non-amateur destinations) as the replies are
# technically under the control of the originator (like USA and CANADIAN
# law).
#
# The idea behind IP ACCESS is to set up rules that will allow or deny
# routing of packets. Unlike the TCP ACCESS command, IP ACCESS does not
# restrict access to servers at the machine that is running this code. It
# does however restrict the gatewaying of IP packets across interface
# ports.
#
# Valid PROTOCOLS are ICMP, UDP, TCP, and ANY (every thing else). Both
# ICMP and ANY do not allow specific port restrictions as port numbers
# are not really used for the other TCP/IP protocols.
#
# WHAT = <permit | deny | delete>
# PROT = <tcp | icmp | udp | any>
# PORT = ATTACHED INTERFACE/PORT
# LOW = TCP or UDP low port number
# HIGH = TCP or UDP high port number
#
# Below I use the following pseudo PORT names:
# AX0 = ax25 rf port
# AX1 = ax25 rf port
# AX3 = AXIP pseudo ax25 port
# BBS = SLIP port to an attached bbs
# MODEM = SLIP port to a telephone modem
# ETH0 = PACKET interface to ethernet card
# ENCAP = ENCAP routing interface
#
#
# IP ACCESS WHAT PROT SOURCE DESTINATION PORT low high
# ## ###### ###### #### ############# ############### ##### ###### ######
ip access permit icmp 44/8 all 144.93 1 32768
### ip access permit icmp 44/8 all 147.58 1 32768
# ip access permit icmp all all ax3 1 32768
# ip access permit icmp all all bbs 1 32768
ip access permit icmp all all eth0 1 32768
ip access permit icmp all all encap 1 32768
# ip access permit icmp all all modem 1 32768
#
ip access permit udp 44/8 all 144.93 1 32768
### ip access permit udp 44/8 all 147.58 1 32768
#
# ip access permit udp all 44.bbb.ccc.ddd ax2 1 32768
# The above line allows a machine 44.bbb.ccc.ddd to receive UDP datagrams
# from any source over a channel that would normally only allow 44/8 sources
#
# ip access permit udp all all ax3 1 32768
# ip access permit udp all all bbs 1 32768
ip access permit udp all all eth0 1 32768
ip access permit udp all all encap 1 32768
# ip access permit udp all all modem 1 32768
#
# TCP will allow TCP client-server packets to be passed
#
ip access permit tcp 44/8 all 144.93 1 32768
ip access permit tcp all 44/8 144.93 1000 3599
ip access permit tcp all 44/8 144.93 3602 32768
### ip access permit tcp 44/8 all 147.58 1 32768
#
# ip access permit tcp all 44.bbb.ccc.ddd ax1 25 25
# The above line allows a machine 44.bbb.ccc.ddd to receive incoming SMTP
# from any source over a channel that would normally only allow 44/8 sources
#
# ip access permit tcp all all ax3 1 32768
# ip access permit tcp all all bbs 1 32768
ip access permit tcp all all eth0 1 32768
ip access permit tcp all all encap 1 32768
# ip access permit tcp all all modem 1 32768
#
# ANY will allow AXIP, IPIP etc!
#
# ip access permit any 44/8 44.bbb.ccc.ddd ax1 1 32768
# The above line allows a machine 44.bbb.ccc.ddd to receive incoming axip
# from 44/8 sources over a channel that would normally not allow axip
#
# ip access permit any all all ax3 1 32768
# ip access permit any all all bbs 1 32768
ip access permit any all all eth0 1 32768
ip access permit any all all encap 1 32768
# ip access permit any all all modem 1 32768
#
# IP ACCESS WHAT PROT SOURCE DESTINATION PORT low high
#
# Allow FINGER (port 79) from monitor.nuge.com to any
ip access permit any 216.86.85.228 all 144.93 79
#
# Block anything from AMPRGW/Mirrorshades (such as RIP2 updates)
ip access deny any 169.228.66.251 all eth0 1 32768
#
# The default rule is to deny all that are not allowed above.
#
#
# ---end of file access.rc---
#
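As an added illustration of the top-down, first-match evaluation described in the TCP ACCESS notes above (this is not part of Jay's file or of JNOS): a small Python checker that parses the 'tcp access' lines and decides a connection the way the notes describe, using the rule set from access3.rc and the misordered example from the NOTES. The verdict for a connection that no rule matches is an assumption and is set to deny.

```python
import ipaddress

# Constructed input: the TCP ACCESS lines from the access.rc above.
ACCESS_RC = """
tcp access permit 44/8 1 3601
tcp access permit 127.0.0.1 1 3601
tcp access deny all 25 25
tcp access permit all 1 3599
tcp access permit all 3602 32768
tcp access deny all 3600 3601
"""
# The ordering example from the NOTES: the permit-all line shadows the deny.
BAD_ORDER = "tcp access permit all 1 32768\ntcp access deny 167.23.43.1 3600 3601\n"
GOOD_ORDER = "tcp access deny 167.23.43.1 3600 3601\ntcp access permit all 1 32768\n"

def parse_tcp_access(text):
    """Return [(verdict, source_network_or_None, low, high)] in file order."""
    rules = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6 or fields[:2] != ["tcp", "access"]:
            continue                      # comments, blanks, ip access lines
        verdict, src, low, high = fields[2], fields[3], int(fields[4]), int(fields[5])
        if src == "all":
            net = None                    # wildcard source address
        else:
            # NOS writes prefixes as 44/8; pad missing octets for ipaddress
            addr, _, bits = src.partition("/")
            addr = ".".join((addr.split(".") + ["0"] * 4)[:4])
            net = ipaddress.ip_network(f"{addr}/{bits or 32}", strict=False)
        rules.append((verdict, net, low, high))
    return rules

def tcp_access_check(rules, src_ip, port, default="deny"):
    """First rule whose source and port range match wins, as the NOTES say."""
    ip = ipaddress.ip_address(src_ip)
    for verdict, net, low, high in rules:
        if (net is None or ip in net) and low <= port <= high:
            return verdict
    return default   # assumption: no matching rule means the connection is refused
```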