[HamWAN PSDR] Reconfiguring w/ firewall ...

Dean Gibson AE7Q hamwan at ae7q.net
Mon Mar 17 19:47:51 PDT 2014 

OK, part of my problem today was that my window was not all the way 
open;  I found that the wind has blown it partially closed twice today.  
I now have pictures of my temporary antenna setup: 
http://www.ae7q.net/media/5.9GHz-1.jpg and 
http://www.ae7q.net/media/5.9GHz-2.jpg -- The rope is for fine-tuning 
the vertical angle, and the washcloth hung over the front of the servers 
is to block the airflow and keep them from generating low temperature 
alerts with the window open ...

I'm now keeping a connection for a reasonable amount of time (10-15 
minutes, which was also typical last week), and when lost, it comes back 
quickly.  The Russian has apparently given up.

Actually, I had the same quality connection as before when it was 
raining hard.  Perhaps in your case it's not the rain per se, but (as 
you inferred) water loading down the branches and moving them in your RF 
path.

At any rate, my concern is for the future;  I don't need anything 
blocked now.  In a side discussion with someone else, the issue also 
arose as to allowing a non-amateur the ability to transmit (ie, the 
inbound probe) on amateur frequencies without a license.  It's an 
interesting legal point.

On 2014-03-17 12:33, Nigel Vander Houwen wrote:
> Dean
>
> Agreed RE: getting the edge firewalls in place. Cory is right that we 
> don't really want to do it until we have some system in place for 
> users to update their rules, but not knowing how long that will be, 
> perhaps I'll bring up with the admins what we think of having it be 
> manual, and the requests coming via emails for now.
>
> Regarding the connection issues, it's been raining the past couple of 
> days, and coupled with your weaker end signal strength to begin with, 
> that's what's bumping you. In fact the same thing happens to my link. 
> I look through some trees, and when it rains in any significant 
> amount, my link can drop by up to 15db or so (which at that point I 
> lose connection). I wouldn't be surprised as today is supposed to be 
> somewhat dryer, that it comes back today, and then gets lost again as 
> it starts to rain again over the next few days.
>
> RE the firewall, if you like I can set up a block at the edge for you 
> IP now if you prefer, and if so, let me know off list what services 
> you'd like to keep open if any, which should take care of your russian 
> friend.
>
> Nigel K7NVH
>
> On Mar 17, 2014, at 12:13 PM, Dean Gibson AE7Q <hamwan at ae7q.net 
> <mailto:hamwan at ae7q.net>> wrote:
>
>> Well, I think you are going to have to do something about outside 
>> incoming traffic fairly soon.
>>
>> I run "/interface wireless monitor 0", it usually shows the last IP 
>> address of 195.218.200.205 (Russia).  I've got the default radio 
>> firewall enabled, so the only traffic I should see are unsuccessful 
>> port probes (or perhaps ICMP traffic).
>>
>> If I run constant pings, when I set the ping interval to one second, 
>> my pings predominate, but with a ping interval of two seconds or 
>> more, the above IP predominates.
>>
>> I don't know how much data he's sending, but today I'm having a hard 
>> time *keeping any connection*.  I didn't have this problem before 
>> this past weekend, and I've made no configuration or location 
>> change:  This morning, to help reestablishing a connect, I created a 
>> new scan list with only the Paine sector aimed toward me, and I'm 
>> using that to reduce the delay in reconnections.
>>
>> Note that currently I'm not trying to do anything useful; I've got a 
>> poor antenna location (but it did work reasonably well until today).  
>> Hopefully in a day or two, I will have a better (outside and higher) 
>> temporary location.
>>
>> If you temporarily give me a different IP address, I can try that to 
>> see if I'm the only one he's pounding on.  I doubt that I am.
>>
>> -- Dean
>>
>> On 2014-03-16 10:05, Cory (NQ1E) wrote:
>>> The current plan is to block all unsolicited incoming traffic from 
>>> the internet on the edge routers before it gets to the RF portions 
>>> of the network.  However, we don't want to do that until we have 
>>> automation in place to maintain those rules and until we have a 
>>> self-service way for you to poke holes in that configuration should 
>>> you want to allow incoming traffic from the world to one of your IP 
>>> addresses.  If you want to block traffic from all sources (including 
>>> other hams), then adding firewall rules to your own device is the 
>>> correct way to accomplish that.
>>>
>>> The rules are well established for auto-patches that connect voice 
>>> repeaters to the PSTN.  Even incoming telephone calls are allowed as 
>>> long as they are "expected" by the ham.  Because the parallels 
>>> between these systems are fairly clear, the plan above puts us in 
>>> the best position to make sure our users are able to maintain their 
>>> part 97 compliance.
>>>
>>>
>>> On Sat, Mar 15, 2014 at 11:25 PM, Dean Gibson AE7Q <hamwan at ae7q.net 
>>> <mailto:hamwan at ae7q.net>> wrote:
>>>
>>>     OK, after seeing the number of "random" IP addresses hitting the
>>>     radio from outside the 44.0.0.0 net, I didn't like the fact that
>>>     the firewall filters were removed in the web site's suggested
>>>     configuration, so I decided to start from scratch.  I learned a
>>>     couple things ...
>>>
>>>     /# -- Restore the radio to a factory fresh state --//
>>>     ///system reset//
>>>     //
>>>     //# === At this point you must connect via MAC address ===//
>>>     ///user set admin password="This is not it ..."//
>>>     ///console clear-history//
>>>     ///system identity set name="CALL-Paine"//
>>>     //
>>>     ///ip//
>>>     //dns set allow-remote-requests=no//
>>>     //address remove [find]//
>>>     //
>>>     ///ip firewall mangle//
>>>     //add action=change-mss chain=output  new-mss=1378 protocol=tcp
>>>     tcp-flags=syn tcp-mss=!0-1378//
>>>     //add action=change-mss chain=forward new-mss=1378 protocol=tcp
>>>     tcp-flags=syn tcp-mss=!0-1378//
>>>     //
>>>     ///ip dhcp-server//
>>>     //remove [find]//
>>>     //network remove [find]//
>>>     //
>>>     ///ip dhcp-client//
>>>     //add  add-default-route=no dhcp-options=hostname,clientid
>>>     disabled=no interface=ether1 use-peer-dns=no//
>>>     //# -- The following is already configured --//
>>>     //#add add-default-route=yes dhcp-options=hostname,clientid
>>>     disabled=no interface=wlan1//
>>>     //
>>>     //# -- Do the following if you need to move the radio to a
>>>     different network --//
>>>     ///system shutdown//
>>>     //
>>>     //# === At this point you can connect via IP address ===//
>>>     ///system logging//
>>>     //action set remote bsd-syslog=yes remote=my.lcl.log.svr
>>>     remote-port=514 src-address=my.lcl.ether.ip
>>>     syslog-facility=local1 syslog-severity=info//
>>>     //add action=remote disabled=no prefix="" topics=!debug,!snmp
>>>     /
>>>     Note that I have "bsd-syslog" set to "yes".  This *appears to be
>>>     necessary* if you want a remote system to see "syslog-facility"
>>>     and "syslog-severity" (the radio doesn't save/display those
>>>     settings otherwise).
>>>     /
>>>     ///system ntp client set enabled=yes mode=unicast
>>>     primary-ntp=my.lcl.ntp.svr1 secondary-ntp=my.lcl.ntp.svr2//
>>>     //
>>>     ///interface wireless //
>>>     //channels add band=5ghz-onlyn comment="Cell site sector
>>>     centered at 360 degrees" frequency=5920 list=HamWAN
>>>     name="Sector300-060" width=5//
>>>     //channels add band=5ghz-onlyn comment="Cell site sector
>>>     centered at 120 degrees" frequency=5905 list=HamWAN
>>>     name="Sector060-180" width=5//
>>>     //channels add band=5ghz-onlyn comment="Cell site sector
>>>     centered at 240 degrees" frequency=5890 list=HamWAN
>>>     name="Sector180-300" width=5//
>>>     ///delay 5//
>>>     //set 0 radio-name="CALL/Location-Paine"//
>>>     //set 0 disabled=no frequency-mode=superchannel scan-list=HamWAN
>>>     ssid=HamWAN wireless-protocol=nv2//
>>>     //
>>>     ///tool dns-update dns-server=my.lcl.dns.svr key="MD5 key ..."
>>>     key-name=ddns ttl=3600 zone=ae7q.net <http://ae7q.net/>
>>>     name=hamwan-1 address=my.ham.wan.ip//
>>>     ///console clear-history//
>>>     //
>>>     //monitor 0//
>>>     /
>>>     I like my sector names better than just numbers...
>>>
>>>     These "scripts" (when altered) can just be pasted into a command
>>>     window (otherwise the "/delay 5" above is not necessary).
>>>
>>>     Oh, I can sometimes connect through my CLOSED window, but that's
>>>     not reliable enough for anything useful.
>>>
>>>     -- Dean
>>>
>>>
>>>     _______________________________________________
>>>     PSDR mailing list
>>>     PSDR at hamwan.org <mailto:PSDR at hamwan.org>
>>>     http://mail.hamwan.org/mailman/listinfo/psdr_hamwan.org
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> PSDR mailing list
>>> PSDR at hamwan.org
>>> http://mail.hamwan.org/mailman/listinfo/psdr_hamwan.org
>>
>> _______________________________________________
>> PSDR mailing list
>> PSDR at hamwan.org <mailto:PSDR at hamwan.org>
>> http://mail.hamwan.org/mailman/listinfo/psdr_hamwan.org
>
>
>
> _______________________________________________
> PSDR mailing list
> PSDR at hamwan.org
> http://mail.hamwan.org/mailman/listinfo/psdr_hamwan.org


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.hamwan.net/pipermail/psdr/attachments/20140317/c7cbf230/attachment.html>

More information about the PSDR mailing list