<div dir="auto">Put a firewall filter for in for ports and protocols using encryption. </div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Mar 16, 2021, 08:42 Steve - WA7PTM <<a href="mailto:psdr-list@aberle.net">psdr-list@aberle.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Thanks Aaron. I fully understand what SSL/TLS is, but am trying to zero <br>
in on how to avoid it on my HamWAN connection. Unfortunately, the <br>
sneaky protocol translations on the back end will only continue, and we <br>
just need to be know which software to stop using when things are not <br>
obvious on the front end.<br>
<br>
Steve<br>
<br>
<br>
Aaron Taggert wrote on 3/16/21 8:26 AM:<br>
> On the authentication/integrity side... FCC says no encryption so we can<br>
> all hear what you're on about. Ham would not be much fun if all you heard<br>
> was encrypted pseudo noise. SSL/TLS authentication is a bit like me sending<br>
> you a list of 100 words and asking you to tell me word 45. Everything is in<br>
> the clear, but I can authenticate that whomever is at the other end at<br>
> least has the right list. Another SSL/TLS feature is integrity, meaning the<br>
> whole message is received. They would be like saying I sent 3421 characters<br>
> CW 786 of them were vowels. Again everybody can hear what we're saying but<br>
> it would be difficult to impersonate the sender (or receiver) or change the<br>
> message.<br>
> <br>
> On Tue, Mar 16, 2021, 6:32 AM Steve - WA7PTM <<a href="mailto:psdr-list@aberle.net" target="_blank" rel="noreferrer">psdr-list@aberle.net</a>> wrote:<br>
> <br>
>> If we separate Winlink (the system) from Winlink Express (the client<br>
>> program), is a SSL connection also the case with the other six clients<br>
>> listed on the <a href="https://winlink.org/ClientSoftware" rel="noreferrer noreferrer" target="_blank">https://winlink.org/ClientSoftware</a> page when used in<br>
>> telnet mode?<br>
>><br>
>> Steve<br>
>><br>
>><br>
>> Scott Currie wrote on 3/15/21 10:06 PM:<br>
>>> Yeah, I discussed this with the WDT, and the issue with using HamWAN or<br>
>>> ARDEN. I had asked if we could force a non-SSL connection to the CMS.<br>
>> They<br>
>>> have been under pressure from AWS to switch to all SSL connections, so<br>
>> they<br>
>>> had to make the change. They did commit to leaving the client or gateway<br>
>>> connection to RMS Relay as non-SSL, so that is why we have suggested<br>
>> having<br>
>>> a regional instance of RMS Relay on HamWAN that the RMS Gateways and<br>
>>> clients could point to. Backend of the RMS Relay would then connect to<br>
>> the<br>
>>> CMS over SSL on a hardened Internet connection (like at a county EOC or<br>
>> the<br>
>>> State EOC), or even HF forwarding if the Internet is down.<br>
>>><br>
>>> -Scott<br>
>>><br>
>>> On Mon, Mar 15, 2021 at 9:41 PM Stephen Kangas <<a href="mailto:stephen@kangas.com" target="_blank" rel="noreferrer">stephen@kangas.com</a>><br>
>> wrote:<br>
>>><br>
>>>> Scott, thanks for that update, interesting. “Telnet” is a misnomer in<br>
>>>> this WinLink instance, as that port 22 protocol is historically and<br>
>>>> normally unencrypted, and widely understood in the industry as such<br>
>>>> (whereas SSH is encrypted). It looks like the email client is<br>
>> connecting<br>
>>>> locally to an RMS Relay in that mode, which then connects to the CMS on<br>
>> the<br>
>>>> internet.<br>
>>>><br>
>>>><br>
>>>><br>
>>>> --Stephen W9SK<br>
>>>><br>
>>>><br>
>>>><br>
>>>> *From:* PSDR <<a href="mailto:psdr-bounces@hamwan.org" target="_blank" rel="noreferrer">psdr-bounces@hamwan.org</a>> *On Behalf Of *Scott Currie<br>
>>>> *Sent:* Monday, March 15, 2021 5:56 PM<br>
>>>> *To:* Puget Sound Data Ring <<a href="mailto:psdr@hamwan.org" target="_blank" rel="noreferrer">psdr@hamwan.org</a>><br>
>>>> *Subject:* Re: [HamWAN PSDR] Newbie<br>
>>>><br>
>>>><br>
>>>><br>
>>>> This is not entirely true. Winlink does use TLS/SSL connections for some<br>
>>>> things. The normal telnet connection is now SSL (will fallback to<br>
>> non-SSL<br>
>>>> if the connection fails). Also, RMS Gateway to the CMS is now SSL.<br>
>> Telnet<br>
>>>> P2P and telnet to RMS Relay is not SSL. I believe updates are also SSL<br>
>> now.<br>
>>>><br>
>>>><br>
>>>><br>
>>>> Winlink Express Link Test:<br>
>>>><br>
>>>> Test started 2021/03/16 00:52 UTC<br>
>>>><br>
>>>> Testing CMS telnet connection to <a href="http://cms.winlink.org" rel="noreferrer noreferrer" target="_blank">cms.winlink.org</a> through port 8772...<br>
>>>> Successfully connected to a CMS through port 8772 in 253 Milliseconds<br>
>>>><br>
>>>> Testing CMS SSL telnet connection to <a href="http://cms.winlink.org" rel="noreferrer noreferrer" target="_blank">cms.winlink.org</a> through port<br>
>> 8773...<br>
>>>> Successfully connected to a CMS through port 8773 in 311 Milliseconds<br>
>>>><br>
>>>> Testing API service access through port 443 to api.winlink.org...<br>
>>>> Successfully performed API service to <a href="http://api.winlink.org" rel="noreferrer noreferrer" target="_blank">api.winlink.org</a> through port<br>
>> 443<br>
>>>> in 756 Milliseconds<br>
>>>><br>
>>>> Testing Autoupdate server access through port 443 to<br>
>>>> autoupdate2.winlink.org...<br>
>>>> Successfully checked autoupdate server through port 443 in 439<br>
>>>> Milliseconds<br>
>>>><br>
>>>> Testing connection to web site - <a href="http://www.winlink.org:443" rel="noreferrer noreferrer" target="_blank">www.winlink.org:443</a><br>
>>>> Successfully connected to <a href="http://www.winlink.org" rel="noreferrer noreferrer" target="_blank">www.winlink.org</a> through port 443 in 47<br>
>>>> Milliseconds<br>
>>>><br>
>>>> Testing FTP connection to SFI site -<br>
>>>> <a href="ftp://ftp.swpc.noaa.gov/pub/latest/SGAS.txt" rel="noreferrer noreferrer" target="_blank">ftp://ftp.swpc.noaa.gov/pub/latest/SGAS.txt</a><br>
>>>> Successfully connected to<br>
>> <a href="ftp://ftp.swpc.noaa.gov/pub/latest/SGAS.txt" rel="noreferrer noreferrer" target="_blank">ftp://ftp.swpc.noaa.gov/pub/latest/SGAS.txt</a><br>
>>>> through port 20/21 in 1522 Milliseconds<br>
>>>><br>
>>>> Test completed successfully.<br>
>>>><br>
>>>> -Scott, NS7C<br>
>>>><br>
>>>><br>
>>>><br>
>>>> On Mon, Mar 15, 2021 at 5:45 PM Stephen Kangas <<a href="mailto:stephen@kangas.com" target="_blank" rel="noreferrer">stephen@kangas.com</a>><br>
>> wrote:<br>
>>>><br>
>>>> Phil, an example of the ham band traffic that Kenny mentioned is not<br>
>>>> permitted by the FCC is encrypted communications traffic…this means the<br>
>>>> majority of websites your visit today and many email hosters, since<br>
>>>> websites commonly use TLS/SSL encryption (indicated by “https” in front<br>
>> of<br>
>>>> the URL in your browser address bar) or encrypted settings in your email<br>
>>>> hoster & client. Winlink does NOT use encryption, thus is legal, and is<br>
>>>> the primary application for my ARES team using HamWAN. As Kenny points<br>
>>>> out, certain routers (not inexpensive home models) can be used to split<br>
>>>> that traffic appropriately, but it is not an easy setup unless you have<br>
>> a<br>
>>>> background in data networks or cybersecurity…so it’s far easier to<br>
>> either<br>
>>>> use HamWAN just for your dedicated ARES laptop use or switch a cable<br>
>> back<br>
>>>> and forth using one pipe at a time.<br>
>>>><br>
>>>><br>
>>>><br>
>>>> FWIW, Stephen W9SK<br>
>>>><br>
>>>><br>
>>>><br>
>>>><br>
>>>><br>
>>>> *From:* PSDR <<a href="mailto:psdr-bounces@hamwan.org" target="_blank" rel="noreferrer">psdr-bounces@hamwan.org</a>> *On Behalf Of *Kenny Richards<br>
>>>> *Sent:* Monday, March 15, 2021 12:49 PM<br>
>>>> *To:* Puget Sound Data Ring <<a href="mailto:psdr@hamwan.org" target="_blank" rel="noreferrer">psdr@hamwan.org</a>><br>
>>>> *Subject:* Re: [HamWAN PSDR] Newbie<br>
>>>><br>
>>>><br>
>>>><br>
>>>> Just want to add two things to what Carl said already.<br>
>>>><br>
>>>><br>
>>>><br>
>>>> 1) Line of sight means you can actually 'see' the HamWAN node, or at<br>
>> least<br>
>>>> you can with something like a pair of binoculars.<br>
>>>><br>
>>>><br>
>>>><br>
>>>> 2) Remember that HamWAN is not meant to be a replacement for your home<br>
>>>> internet. Be very conscious of what traffic you are putting over<br>
>> HamWAN. I<br>
>>>> don't recommend connecting it to your home network unless you are<br>
>> familiar<br>
>>>> enough with routing rules to limit what traffic goes out the HamWAN<br>
>> link.<br>
>>>><br>
>>>><br>
>>>><br>
>>>> Good luck,<br>
>>>><br>
>>>> Kenny, KU7M<br>
>>>><br>
>>>><br>
>>>><br>
>>>><br>
>>>><br>
>>>> On Mon, Mar 15, 2021 at 12:40 PM <<a href="mailto:carl@n7kuw.com" target="_blank" rel="noreferrer">carl@n7kuw.com</a>> wrote:<br>
>>>><br>
>>>> Hi Phil,<br>
>>>><br>
>>>> You can do all of the configuration while on the ground, but obviously<br>
>> you<br>
>>>> won’t have any signal. You don’t indicate what specific equipment you<br>
>> have,<br>
>>>> but if you have the mAnt30 dish and separate router/modem, make sure you<br>
>>>> have the antenna connected before powering it up.<br>
>>>><br>
>>>><br>
>>>><br>
>>>> As to trees, they are an absolute show stopper. You must have clear,<br>
>>>> visual, line of sight to the HamWAN site you are shooting to. Hopefully<br>
>> you<br>
>>>> will have that, or can achieve that, from where you plan to mount the<br>
>>>> dish. As to “just over them”, a microwave shot consists of the direct,<br>
>>>> pure line of sight, but also what is referred to as the Fresnel zone – a<br>
>>>> cigar shaped “balloon” around the pure line of sight. Items in the<br>
>> Fresnel<br>
>>>> zone (including trees) can reduce the amount of signal you have, so you<br>
>> may<br>
>>>> not get optimum performance, but some.<br>
>>>><br>
>>>><br>
>>>><br>
>>>> In your initial post you commented about how to balance between your<br>
>>>> regular internet and HamWAN for a Winlink node. My suggestion would be<br>
>> to<br>
>>>> just leave it on one (whichever one) as the norm, and only switch to the<br>
>>>> other if the one goes down. You can also acquire routers that include<br>
>>>> failover capability to automatically make that switch. You can go more<br>
>>>> advanced with load sharing and such between multiple connections, but<br>
>> that<br>
>>>> requires much better understanding of internet routing, and for a<br>
>> winlink<br>
>>>> node basic failover will serve your purpose.<br>
>>>><br>
>>>><br>
>>>><br>
>>>> Good luck, let us know how things turn out.<br>
>>>><br>
>>>> Carl, N7KUW<br>
>>>><br>
>>>><br>
>>>><br>
>>>> *From:* PSDR <<a href="mailto:psdr-bounces@hamwan.org" target="_blank" rel="noreferrer">psdr-bounces@hamwan.org</a>> *On Behalf Of *Phil Cornell via<br>
>>>> PSDR<br>
>>>> *Sent:* Monday, March 15, 2021 12:11 PM<br>
>>>> *To:* <a href="mailto:psdr@hamwan.org" target="_blank" rel="noreferrer">psdr@hamwan.org</a><br>
>>>> *Subject:* [HamWAN PSDR] Newbie<br>
>>>><br>
>>>><br>
>>>><br>
>>>> OK, I figured out my problem and I now have Winbox talking to the radio<br>
>>>> and reporting status. I's not linking to anything since the antenna is<br>
>>>> still on the ground. How much configuration can I do before mounting<br>
>> it on<br>
>>>> my roof. The only question in my sight path may be some trees but I<br>
>> think<br>
>>>> I can aim just over them and get a signal. My friend Bruce/WA7BAM will<br>
>> be<br>
>>>> helping with the antenna installation on Wed afternoon. Making<br>
>> progress...<br>
>>>><br>
>>>><br>
>>>><br>
>>>> *Phil Cornell *<br>
>>>><br>
>>>> *W7PLC *<br>
>>>><br>
>>>> *SHARES NCS590*<br>
>>>><br>
>>>> *Hybrid Gateway W7PLC*<br>
>>>><br>
>>>> *TCARES VP*<br>
>>>><br>
>>>><br>
>>>><br>
>>>><br>
>>>><br>
>>>><br>
>>>><br>
>>>><br>
>>>><br>
>>>> _______________________________________________<br>
>>>> PSDR mailing list<br>
>>>> <a href="mailto:PSDR@hamwan.org" target="_blank" rel="noreferrer">PSDR@hamwan.org</a><br>
>>>> <a href="http://mail.hamwan.net/mailman/listinfo/psdr" rel="noreferrer noreferrer" target="_blank">http://mail.hamwan.net/mailman/listinfo/psdr</a><br>
>>>><br>
>>>> _______________________________________________<br>
>>>> PSDR mailing list<br>
>>>> <a href="mailto:PSDR@hamwan.org" target="_blank" rel="noreferrer">PSDR@hamwan.org</a><br>
>>>> <a href="http://mail.hamwan.net/mailman/listinfo/psdr" rel="noreferrer noreferrer" target="_blank">http://mail.hamwan.net/mailman/listinfo/psdr</a><br>
>>>><br>
>>>><br>
>>>><br>
>>>><br>
>>>> --<br>
>>>><br>
>>>> *-Scott*<br>
>>>> _______________________________________________<br>
>>>> PSDR mailing list<br>
>>>> <a href="mailto:PSDR@hamwan.org" target="_blank" rel="noreferrer">PSDR@hamwan.org</a><br>
>>>> <a href="http://mail.hamwan.net/mailman/listinfo/psdr" rel="noreferrer noreferrer" target="_blank">http://mail.hamwan.net/mailman/listinfo/psdr</a><br>
>>>><br>
>>><br>
>>><br>
>>><br>
>>> _______________________________________________<br>
>>> PSDR mailing list<br>
>>> <a href="mailto:PSDR@hamwan.org" target="_blank" rel="noreferrer">PSDR@hamwan.org</a><br>
>>> <a href="http://mail.hamwan.net/mailman/listinfo/psdr" rel="noreferrer noreferrer" target="_blank">http://mail.hamwan.net/mailman/listinfo/psdr</a><br>
>>><br>
>> _______________________________________________<br>
>> PSDR mailing list<br>
>> <a href="mailto:PSDR@hamwan.org" target="_blank" rel="noreferrer">PSDR@hamwan.org</a><br>
>> <a href="http://mail.hamwan.net/mailman/listinfo/psdr" rel="noreferrer noreferrer" target="_blank">http://mail.hamwan.net/mailman/listinfo/psdr</a><br>
>><br>
> <br>
> <br>
> _______________________________________________<br>
> PSDR mailing list<br>
> <a href="mailto:PSDR@hamwan.org" target="_blank" rel="noreferrer">PSDR@hamwan.org</a><br>
> <a href="http://mail.hamwan.net/mailman/listinfo/psdr" rel="noreferrer noreferrer" target="_blank">http://mail.hamwan.net/mailman/listinfo/psdr</a><br>
> <br>
_______________________________________________<br>
PSDR mailing list<br>
<a href="mailto:PSDR@hamwan.org" target="_blank" rel="noreferrer">PSDR@hamwan.org</a><br>
<a href="http://mail.hamwan.net/mailman/listinfo/psdr" rel="noreferrer noreferrer" target="_blank">http://mail.hamwan.net/mailman/listinfo/psdr</a><br>
</blockquote></div>