[HamWAN PSDR] Reconfiguring w/ firewall ...

Cory (NQ1E) cory at nq1e.hm
Sun Mar 16 10:05:43 PDT 2014


The current plan is to block all unsolicited incoming traffic from the
internet on the edge routers before it gets to the RF portions of the
network.  However, we don't want to do that until we have automation in
place to maintain those rules and until we have a self-service way for you
to poke holes in that configuration should you want to allow incoming
traffic from the world to one of your IP addresses.  If you want to block
traffic from all sources (including other hams), then adding firewall rules
to your own device is the correct way to accomplish that.

The rules are well established for auto-patches that connect voice
repeaters to the PSTN.  Even incoming telephone calls are allowed as long
as they are "expected" by the ham.  Because the parallels between these
systems are fairly clear, the plan above puts us in the best position to
make sure our users are able to maintain their part 97 compliance.


On Sat, Mar 15, 2014 at 11:25 PM, Dean Gibson AE7Q <hamwan at ae7q.net> wrote:

>  OK, after seeing the number of "random" IP addresses hitting the radio
> from outside the 44.0.0.0 net, I didn't like the fact that the firewall
> filters were removed in the web site's suggested configuration, so I
> decided to start from scratch.  I learned a couple things ...
>
> # -- Restore the radio to a factory fresh state --
> /system reset
>
> # === At this point you must connect via MAC address ===
> /user set admin password="This is not it ..."
> /console clear-history
> /system identity set name="CALL-Paine"
>
> /ip
> dns set allow-remote-requests=no
> address remove [find]
>
> /ip firewall mangle
> add action=change-mss chain=output new-mss=1378 protocol=tcp tcp-flags=syn tcp-mss=!0-1378
> add action=change-mss chain=forward new-mss=1378 protocol=tcp tcp-flags=syn tcp-mss=!0-1378
>
> /ip dhcp-server
> remove [find]
> network remove [find]
>
> /ip dhcp-client
> add add-default-route=no dhcp-options=hostname,clientid disabled=no interface=ether1 use-peer-dns=no
> # -- The following is already configured --
> #add add-default-route=yes dhcp-options=hostname,clientid disabled=no interface=wlan1
>
> # -- Do the following if you need to move the radio to a different network --
> /system shutdown
>
> # === At this point you can connect via IP address ===
> /system logging
> action set remote bsd-syslog=yes remote=my.lcl.log.svr remote-port=514 src-address=my.lcl.ether.ip syslog-facility=local1 syslog-severity=info
>
> add action=remote disabled=no prefix="" topics=!debug,!snmp
> Note that I have "bsd-syslog" set to "yes".  This *appears to be
> necessary* if you want a remote system to see "syslog-facility" and
> "syslog-severity" (the radio doesn't save/display those settings otherwise).
>
> /system ntp client set enabled=yes mode=unicast primary-ntp=my.lcl.ntp.svr1 secondary-ntp=my.lcl.ntp.svr2
>
> /interface wireless
> channels add band=5ghz-onlyn comment="Cell site sector centered at 360 degrees" frequency=5920 list=HamWAN name="Sector300-060" width=5
> channels add band=5ghz-onlyn comment="Cell site sector centered at 120 degrees" frequency=5905 list=HamWAN name="Sector060-180" width=5
> channels add band=5ghz-onlyn comment="Cell site sector centered at 240 degrees" frequency=5890 list=HamWAN name="Sector180-300" width=5
> /delay 5
> set 0 radio-name="CALL/Location-Paine"
> set 0 disabled=no frequency-mode=superchannel scan-list=HamWAN ssid=HamWAN wireless-protocol=nv2
>
> /tool dns-update dns-server=my.lcl.dns.svr key="MD5 key ..." key-name=ddns ttl=3600 zone=ae7q.net name=hamwan-1 address=my.ham.wan.ip
> /console clear-history
>
> monitor 0
>
> I like my sector names better than just numbers...
>
> These "scripts" (when altered) can just be pasted into a command window
> (otherwise the "/delay 5" above is not necessary).
>
> Oh, I can sometimes connect through my CLOSED window, but that's not
> reliable enough for anything useful.
>
> -- Dean
>
>
> _______________________________________________
> PSDR mailing list
> PSDR at hamwan.org
> http://mail.hamwan.org/mailman/listinfo/psdr_hamwan.org
>
>
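Cory's reply says that, until the edge routers filter unsolicited internet traffic, the right place to block it (from the internet, or from other hams as well) is the firewall on your own radio, while Dean's configuration above removed the stock filter rules entirely. The following RouterOS filter is an added example, not part of either message and not HamWAN's published configuration. It assumes the "44.0.0.0 net" Dean refers to is 44.0.0.0/8, that wlan1 is the RF side and ether1 the local LAN as in Dean's script, and uses the documentation range 192.0.2.0/24 and host 192.0.2.10 as placeholders for your own LAN and a service you intentionally publish. It accepts only replies to connections the radio or your LAN started, allows management from the LAN so you do not lock yourself out, logs what it drops under the firewall topic so Dean's remote syslog setup records it, and shows one commented "hole" of the kind Cory describes for expected inbound traffic.

```routeros
# Added example for a HamWAN client radio (not from the original thread).
# Assumptions: 44.0.0.0/8 = the "44.0.0.0 net"; wlan1 = RF side; ether1 = LAN;
# 192.0.2.0/24 and 192.0.2.10 are placeholders (RFC 5737 documentation range).

/ip firewall address-list
add list=hamwan address=44.0.0.0/8 comment="assumed: HamWAN / AMPRNet addressing"
add list=lan address=192.0.2.0/24 comment="placeholder: replace with your own LAN"

/ip firewall filter
# --- input chain: traffic addressed to the radio itself ---
add chain=input connection-state=established,related action=accept \
    comment="replies to connections the radio opened"
add chain=input connection-state=invalid action=drop
add chain=input src-address-list=lan action=accept \
    comment="management from the LAN so a mistake below cannot lock you out"
add chain=input protocol=icmp action=accept comment="ping and path-MTU discovery"
add chain=input src-address-list=hamwan action=accept \
    comment="remove this rule if other hams should be blocked too"
add chain=input action=log log-prefix="fw-input-drop " \
    comment="logged under the firewall topic, so it reaches the remote syslog"
add chain=input action=drop comment="all other unsolicited traffic"

# --- forward chain: traffic through the radio to hosts on the LAN ---
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=ether1 action=accept \
    comment="hosts on the LAN may originate outbound connections"
# A self-service "hole": one expected inbound service on one LAN host.
# Placeholder address and port; delete this rule if you publish nothing.
add chain=forward in-interface=wlan1 protocol=tcp dst-address=192.0.2.10 \
    dst-port=80 connection-state=new action=accept comment="placeholder hole"
add chain=forward in-interface=wlan1 connection-state=new action=log \
    log-prefix="fw-forward-drop "
add chain=forward in-interface=wlan1 connection-state=new action=drop
```

Rule order matters: RouterOS evaluates a chain top to bottom and stops at the first terminating action, so the accept rules for established traffic and the LAN must stay above the final drop. Paste it while in the terminal's Safe Mode (Ctrl-X) so the configuration rolls back if the session is lost, and watch the counters with `/ip firewall filter print stats` to confirm the drop rules are actually seeing the "random" outside addresses Dean noticed.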