18 Apr
2017
18 Apr
'17
11:51 p.m.
I've made a few small changes to the ipip encap firewall in
the UCSD encapsulating router. If something has stopped working
today because of that, please let me know.
- Brian
19 Apr
19 Apr
3:58 a.m.
May you be kind and publish current Protocoles / Ports that are blocked (if it is not a
secret ) ?
________________________________
From: 44Net <44net-bounces+ronenp=hotmail.com(a)hamradio.ucsd.edu> on behalf of Brian
Kantor <Brian(a)UCSD.Edu>
Sent: Tuesday, April 18, 2017 8:51 PM
To: 44net(a)hamradio.ucsd.edu
Subject: [44net] UCSD ipip gateway firewall updated
(Please trim inclusions from previous messages)
_______________________________________________
I've made a few small changes to the ipip encap firewall in
the UCSD encapsulating router. If something has stopped working
today because of that, please let me know.
- Brian
_________________________________________
44Net mailing list
44Net(a)hamradio.ucsd.edu
http://hamradio.ucsd.edu/mailman/listinfo/44net
4:04 a.m.
even not 138/139 (MS Network ) ?
________________________________
From: 44Net <44net-bounces+ronenp=hotmail.com(a)hamradio.ucsd.edu> on behalf of Brian
Kantor <Brian(a)UCSD.Edu>
Sent: Wednesday, April 19, 2017 1:01 AM
To: AMPRNet working group
Subject: Re: [44net] UCSD ipip gateway firewall updated
(Please trim inclusions from previous messages)
_______________________________________________
None are blocked currently.
- Brian
On Wed, Apr 19, 2017 at 07:58:26AM +0000, R P wrote:
May you be kind and publish current Protocoles / Ports
that are blocked (if it is not a secret ) ?
_________________________________________
44Net mailing list
44Net(a)hamradio.ucsd.edu
http://hamradio.ucsd.edu/mailman/listinfo/44net
4:27 a.m.
No protocols are blocked. A few ports are.
What the firewall does is restrict gatewaying to AMPR hosts that are
registered as A records in the AMPR.ORG DNS, and from gateways that are
registered in the encap file.
The current rules relevant to the gateway are (BSD ipfw syntax):
03000 allow ipencap from me to any
03100 allow ipencap from table(2) to me
03200 divert 4444 ip from any to table(1) in not dst-port
111,135-139,445,1025-1028,1900,2323,5353,7547
03300 allow ip from table(1) to any
What this means is
3000: allow all packets encapsulated by the gateway out to anywhere
3100: allow inbound encap'd packets from registered gateways
3200: send incoming packets destined for registered hosts to the encapsulator
except destination ports 111,135-139,445,1025-1028,1900,2323,5353,7547
3300: allow outgoing decapsulated packets from registered hosts out
- Brian
On Wed, Apr 19, 2017 at 07:58:26AM +0000, R P wrote:
> May you be kind and publish current Protocoles / Ports that are blocked (if it is
not a secret ) ?
5:57 a.m.
May you explain what is 1025-1028 and 2323 use for ? i havnt found it use in the
net
________________________________
From: 44Net <44net-bounces+ronenp=hotmail.com(a)hamradio.ucsd.edu> on behalf of Brian
Kantor <Brian(a)UCSD.Edu>
Sent: Wednesday, April 19, 2017 1:27 AM
To: AMPRNet working group
Subject: Re: [44net] UCSD ipip gateway firewall updated
(Please trim inclusions from previous messages)
_______________________________________________
No protocols are blocked. A few ports are.
What the firewall does is restrict gatewaying to AMPR hosts that are
registered as A records in the AMPR.ORG DNS, and from gateways that are
registered in the encap file.
The current rules relevant to the gateway are (BSD ipfw syntax):
03000 allow ipencap from me to any
03100 allow ipencap from table(2) to me
03200 divert 4444 ip from any to table(1) in not dst-port
111,135-139,445,1025-1028,1900,2323,5353,7547
03300 allow ip from table(1) to any
What this means is
3000: allow all packets encapsulated by the gateway out to anywhere
3100: allow inbound encap'd packets from registered gateways
3200: send incoming packets destined for registered hosts to the encapsulator
except destination ports 111,135-139,445,1025-1028,1900,2323,5353,7547
3300: allow outgoing decapsulated packets from registered hosts out
- Brian
On Wed, Apr 19, 2017 at 07:58:26AM +0000, R P wrote:
> May you be kind and publish current Protocoles / Ports that are blocked (if it is
not a secret ) ?
_________________________________________
44Net mailing list
44Net(a)hamradio.ucsd.edu
http://hamradio.ucsd.edu/mailman/listinfo/44net
8:01 a.m.
Ronen,
Ports 1025-1028 are "special" ports and alternatives for ports under <=
1024 in some operating systems (and might still be ran by root). Port
2323 is often used as a "Telnet alternative." It's also possible that
compromised IoT machines were commanded to open services on those ports.
I noted in an earlier email that I had netflow data...those ports came
up very often...and were blocked by my device.
Have you observed anything from your node?
- Lynwood
May you explain what is 1025-1028 and 2323 use for ? i havnt found it use in the
net
9:01 a.m.
1025-1028 were known Windows vulnerabilities in older versions of the OS.
The Mirai IoT malware botnet uses 2323; it's so widespread that blocking it
seemed wise.
www.speedguide.net does a thorough job of listing what ports are
used (and misused) for.
- Brian
On Wed, Apr 19, 2017 at 09:57:10AM +0000, R P wrote:
May you explain what is 1025-1028 and 2323 use
for ? i havnt found it use in the net
2586
days inactive
2586
days old
7 comments
3 participants
participants (3)
-
Brian Kantor -
lleachii@aol.com -
R P