I've made a few small changes to the ipip encap firewall in the UCSD encapsulating router. If something has stopped working today because of that, please let me know. - Brian
May you be kind and publish the current Protocols / Ports that are blocked (if it is not a secret)?
________________________________
From: 44Net 44net-bounces+ronenp=hotmail.com@hamradio.ucsd.edu on behalf of Brian Kantor Brian@UCSD.Edu
Sent: Tuesday, April 18, 2017 8:51 PM
To: 44net@hamradio.ucsd.edu
Subject: [44net] UCSD ipip gateway firewall updated
_________________________________________ 44Net mailing list 44Net@hamradio.ucsd.edu http://hamradio.ucsd.edu/mailman/listinfo/44net
Even not 138/139 (MS Network)?
________________________________
From: 44Net 44net-bounces+ronenp=hotmail.com@hamradio.ucsd.edu on behalf of Brian Kantor Brian@UCSD.Edu
Sent: Wednesday, April 19, 2017 1:01 AM
To: AMPRNet working group
Subject: Re: [44net] UCSD ipip gateway firewall updated
None are blocked currently. - Brian
On Wed, Apr 19, 2017 at 07:58:26AM +0000, R P wrote:
> May you be kind and publish the current Protocols / Ports that are blocked (if it is not a secret)?
No protocols are blocked. A few ports are.
What the firewall does is restrict gatewaying to AMPR hosts that are registered as A records in the AMPR.ORG DNS, and from gateways that are registered in the encap file.
The current rules relevant to the gateway are (BSD ipfw syntax):
    03000 allow ipencap from me to any
    03100 allow ipencap from table(2) to me
    03200 divert 4444 ip from any to table(1) in not dst-port 111,135-139,445,1025-1028,1900,2323,5353,7547
    03300 allow ip from table(1) to any
What this means is
3000: allow all packets encapsulated by the gateway out to anywhere
3100: allow inbound encap'd packets from registered gateways
3200: send incoming packets destined for registered hosts to the encapsulator except destination ports 111,135-139,445,1025-1028,1900,2323,5353,7547
3300: allow outgoing decapsulated packets from registered hosts out
- Brian
On Wed, Apr 19, 2017 at 07:58:26AM +0000, R P wrote:
> May you be kind and publish the current Protocols / Ports that are blocked (if it is not a secret)?
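The four ipfw rules Brian posted above, modelled in Python as an added example (this is not code from the thread or from the UCSD router). It expands rule 3200's port list and walks constructed packets through the rules in order, returning the first action that matches. The gateway address, the contents of table(1) (registered AMPR hosts) and table(2) (registered gateways), and the sample packets are all constructed; real ipfw tables hold prefixes, which this model simplifies to exact addresses, and anything that falls past rule 3300 is reported as "no match" because the rest of the ruleset is not shown.

```python
# Added example, not part of the thread: a small model of the posted ipfw rules.
from dataclasses import dataclass

IPENCAP = 4        # IP protocol number for IP-in-IP encapsulation (ipfw "ipencap")
DIVERT_PORT = 4444  # divert socket the encapsulator listens on (from rule 3200)

# Port list copied verbatim from rule 3200.
BLOCKED_SPEC = "111,135-139,445,1025-1028,1900,2323,5353,7547"


def parse_ports(spec):
    """Expand an ipfw-style port list such as "111,135-139" into a set of ints."""
    ports = set()
    for item in spec.split(","):
        lo, _, hi = item.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


BLOCKED_PORTS = parse_ports(BLOCKED_SPEC)


@dataclass
class Packet:
    src: str
    dst: str
    proto: int           # IP protocol number: 4 = ipencap, 6 = TCP, 17 = UDP
    dport: int = 0       # transport destination port, 0 when there is none
    inbound: bool = True  # ipfw "in" direction on the interface


def evaluate(pkt, me, registered_hosts, registered_gateways):
    """Walk the posted rules in order; return 'allow', 'divert', or 'no match'."""
    # 03000 allow ipencap from me to any
    if pkt.proto == IPENCAP and pkt.src == me:
        return "allow"
    # 03100 allow ipencap from table(2) to me
    if pkt.proto == IPENCAP and pkt.src in registered_gateways and pkt.dst == me:
        return "allow"
    # 03200 divert 4444 ip from any to table(1) in not dst-port <list>
    if pkt.inbound and pkt.dst in registered_hosts and pkt.dport not in BLOCKED_PORTS:
        return "divert"
    # 03300 allow ip from table(1) to any
    if pkt.src in registered_hosts:
        return "allow"
    # Later rules are not in the posted excerpt, so the model stops here (assumption).
    return "no match"


def demo():
    """Constructed addresses from RFC 5737 documentation ranges (assumptions)."""
    me = "192.0.2.1"
    hosts = {"198.51.100.10"}        # stand-in for table(1)
    gateways = {"203.0.113.5"}       # stand-in for table(2)
    cases = [
        Packet("203.0.113.5", me, IPENCAP),                       # registered gateway
        Packet("203.0.113.9", me, IPENCAP),                       # unregistered gateway
        Packet("198.51.100.10", "203.0.113.77", 6, 80, False),    # registered host outbound
        Packet("203.0.113.77", "198.51.100.10", 6, 22),           # inbound to registered host
        Packet("203.0.113.77", "198.51.100.10", 6, 2323),         # inbound on a listed port
    ]
    return [(p.src, p.dst, p.dport, evaluate(p, me, hosts, gateways)) for p in cases]


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Note that an inbound packet to a registered host on a listed port is not dropped by rule 3200 itself; it simply is not diverted to the encapsulator, and its fate is decided by whatever follows rule 3300.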
May you explain what 1025-1028 and 2323 are used for? I haven't found them in use on the net.
________________________________
From: 44Net 44net-bounces+ronenp=hotmail.com@hamradio.ucsd.edu on behalf of Brian Kantor Brian@UCSD.Edu
Sent: Wednesday, April 19, 2017 1:27 AM
To: AMPRNet working group
Subject: Re: [44net] UCSD ipip gateway firewall updated
Ronen,
Ports 1025-1028 are "special" ports and alternatives for ports <= 1024 in some operating systems (and might still be run by root). Port 2323 is often used as a "Telnet alternative." It's also possible that compromised IoT machines were commanded to open services on those ports.
I noted in an earlier email that I had netflow data...those ports came up very often...and were blocked by my device.
Have you observed anything from your node?
- Lynwood
> May you explain what 1025-1028 and 2323 are used for? I haven't found them in use on the net.
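Lynwood mentions checking his netflow data and seeing the listed ports come up often. As an added example (not code from Lynwood, Brian, or the UCSD router), the following tallies flow records against the port list from rule 3200, counting flows and distinct sources per destination port. The record format (src,dst,proto,dst_port,packets), the sample flows, and the addresses are all constructed.

```python
# Added example, not part of the thread: tally constructed flow records against
# the port list posted in ipfw rule 3200.
from collections import defaultdict

BLOCKED_SPEC = "111,135-139,445,1025-1028,1900,2323,5353,7547"  # from rule 3200


def parse_ports(spec):
    """Expand an ipfw-style port list such as "111,135-139" into a set of ints."""
    ports = set()
    for item in spec.split(","):
        lo, _, hi = item.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


# Constructed sample records (assumed format): src_ip,dst_ip,proto,dst_port,packets
SAMPLE_FLOWS = """\
203.0.113.7,198.51.100.10,6,2323,3
203.0.113.8,198.51.100.10,6,2323,2
203.0.113.9,198.51.100.11,6,23,4
203.0.113.7,198.51.100.12,6,2323,1
203.0.113.10,198.51.100.10,6,445,6
203.0.113.11,198.51.100.10,6,22,40
203.0.113.12,198.51.100.13,6,7547,2
203.0.113.12,198.51.100.14,6,7547,2
203.0.113.13,198.51.100.10,17,5353,1
"""


def tally_flows(text, blocked):
    """Per destination port: flow count, distinct source count, and whether it is on the list."""
    flows = defaultdict(int)
    sources = defaultdict(set)
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        src, _dst, _proto, dport, _pkts = line.split(",")
        port = int(dport)
        flows[port] += 1
        sources[port].add(src)
    return {
        port: {"flows": flows[port], "sources": len(sources[port]), "blocked": port in blocked}
        for port in flows
    }


def top_blocked_ports(text, blocked, n=3):
    """The n listed ports with the most flows, most-hit first (ties broken by port number)."""
    stats = tally_flows(text, blocked)
    hits = [(port, s["flows"]) for port, s in stats.items() if s["blocked"]]
    hits.sort(key=lambda ps: (-ps[1], ps[0]))
    return hits[:n]


if __name__ == "__main__":
    blocked = parse_ports(BLOCKED_SPEC)
    for port, s in sorted(tally_flows(SAMPLE_FLOWS, blocked).items()):
        flag = "LISTED" if s["blocked"] else ""
        print(f"port {port:5d}: {s['flows']} flows from {s['sources']} sources {flag}")
    print("top listed ports:", top_blocked_ports(SAMPLE_FLOWS, blocked))
```

Counting distinct sources alongside flows separates one noisy host from a broad scan, which is the distinction that makes a port worth discussing on the list; in the constructed sample, plain Telnet (23) shows up but is not on the posted list, so the tally reports it unflagged rather than inventing a rule for it.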
1025-1028 were known Windows vulnerabilities in older versions of the OS.
The Mirai IoT malware botnet uses 2323; it's so widespread that blocking it seemed wise.
www.speedguide.net does a thorough job of listing what ports are used (and misused) for. - Brian
On Wed, Apr 19, 2017 at 09:57:10AM +0000, R P wrote:
> May you explain what 1025-1028 and 2323 are used for? I haven't found them in use on the net.