G4APL > PACKET 07.01.19 19:54l 95 Lines 3492 Bytes #999 (0) @ WW
BID : 33151G4APL
Read: GUEST
Subj: Re: G4APL > Re: Node excessive Broadcasts
Path: IW8PGT<IR2UBX<SR1BSZ<F1OYP<ON0AR<GB7CIP<GB7CIP<GB7CIP
Sent: 190107/1846Z @:GB7CIP.#32.GBR.EURO $:33151G4APL
T:From: Paul Lewis <g4apl@gb7cip.ampr.org>
T:Newsgroups: ampr.packet.general
T:Message-Id: <q106li$dnd$1@gb7cip.ampr.org>
n1uro%n1uro.#cct.ct.usa.noam@gb7cip.ampr.org wrote:
> From: N1URO@N1URO.#CCT.CT.USA.NOAM
> To : PACKET@WW
>
> Paul (et al)
> One thing that's very misunderstood about URONode is that people seem to think
> it handles kernel routines such as node broadcasts and receptions into the
> netrom nodes tables. It does not! It's a user front-end that relies on the
> kernel's tables for connectivity and nodes listings which is why it's such
> a fast node rather than trying to run another protocol stack on top of an
> existing one. In any event I have derived the following iptables rules
> that will help filter out incoming node broadcasts that are not wanted.
> Keep in mind you also must allow in those you wish to link with:
>
> # BPQ udp 10093 and node injection filter rules.
> # -I with no position inserts at the head of INPUT, so each DROP below
> # lands ahead of whatever rules were already in the chain.
> /sbin/iptables -I INPUT -p udp --dport 10093 -j DROP
> # axudp (UDP port 93)
> /sbin/iptables -I INPUT -p udp --dport 93 -j DROP
> # axip (IP protocol 93, no ports)
> /sbin/iptables -I INPUT -p 93 -j DROP
>
> # now add those you intend to allow. Inserting at position 1 puts each
> # ACCEPT ahead of the DROP rules above:
> /sbin/iptables -I INPUT 1 -s 173.218.33.215 -p udp --dport 10093 -j ACCEPT
> /sbin/iptables -I INPUT 1 -s 74.69.112.177 -p udp --dport 93 -j ACCEPT
> /sbin/iptables -I INPUT 1 -s 44.88.0.9 -d 44.88.0.1 -p 93 -j ACCEPT
> /sbin/iptables -I INPUT 1 -s 44.131.244.1 -d 44.88.0.1 -p 93 -j ACCEPT
>
> Remember to do your denials first before the accept/allows.
> I hope this information helps.
>
> 73 de N1URO
Hello Brian
Thank you Brian for the above comment.
Yes Brian, I quite often bang my VERY BIG DRUM!!!!
That your URONODE software that you share with us is a
USER-FRIENDLY FRONT-END (it is NOT a SYSTEM or a SYSTEM BUILD)
that sits on top of the Linux kernel, libs, software binaries, ax25,
libs, tools, apps, netrom and other related code as configured by the Sysop.
As you know, I run a very complex set of firewall rules here
across all my interfaces.
What I am 'saying' is that we need to stop these unwanted data
broadcasts coming INBOUND ON OUR ISP-PAID-FOR BANDWIDTH.
Not an issue for an agreed two-way link with the SysOp
at either end of a single 'UDP tunnel'
(not an issue here as it is unlimited, though we do have
a throughput limit).
Yes, I am blocking the worst offenders that are hitting
the firewall and logging them (as I am interested in the
'Abuse of our Network' as part of my Network Management
Monitors).
Blocking at the local firewall does NOT STOP the ISP bandwidth
being used up. It is still being 'clocked' on the ISP download
to the home user.
As in the example made by Paul ZL4AX recently.
Or even on my remote 2G/3G data node, at 2 GBytes for a
cost of 10 GBP of data usage, which I use.
Just looking at the log file, the one sending 10 node broadcast
blocks per minute was generating many-megabyte log files alone.
The main point I am trying to make
is to encourage others to learn and do the same for 2019.
Others will find your IPTABLES rule set a good example of how
to apply or modify the behaviour of the inbound 'Network Abuse'.
Amateur Radio Networking, learn and experiment.
PS
Have you asked the question of the system you use:
'How many "BANDITS" are probing and getting into your system'
down your interfaces?
Do you know what is being sent out?
73 de Paul
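The rule set N1URO posted above, reworked as an added example that is not part of either post and is not URONode code: instead of inserting loose DROP and ACCEPT rules into INPUT, the script funnels the three AX.25-over-IP transports (BPQ on UDP 10093, AXUDP on UDP 93, AXIP as IP protocol 93) into one dedicated chain, accepts the peers you have link agreements with, and then logs and drops everything else. The LOG is rate-limited so that a station sending ten broadcast blocks a minute cannot grow the log by megabytes, which was Paul's complaint above. The chain name AX25-IN, the log prefix, the 6/min limit and every peer address (RFC 5737 documentation ranges) are assumptions of this example; the output is an iptables-restore fragment rather than a series of iptables calls.

```shell
#!/bin/sh
# Added example (not from N1URO's or G4APL's posts, nor from URONode):
# generate an iptables-restore fragment that funnels the three AX.25-over-IP
# transports into one chain, accepts the peers you actually link with, and
# drops everything else with a rate-limited LOG so the log file stays small.
# Chain name, log prefix, rate limit and all peer addresses are assumptions.

# Print the iptables match for one transport name (bpq, axudp or axip).
ax25_match() {
    case "$1" in
        bpq)   printf '%s' '-p udp --dport 10093' ;;   # BPQ node broadcasts on UDP 10093
        axudp) printf '%s' '-p udp --dport 93' ;;      # AXUDP on its usual port 93
        axip)  printf '%s' '-p 93' ;;                  # AXIP: IP protocol 93, no ports
        *)     return 1 ;;
    esac
}

# Read "address transport" lines on stdin and write a *filter fragment to
# stdout.  Order inside AX25-IN matters: allow-list first, then LOG, then DROP.
gen_ax25_rules() {
    printf '%s\n' '*filter' ':AX25-IN - [0:0]'
    # Hook every transport into the chain at the head of INPUT, ahead of any
    # catch-all DROP the sysop already has there.
    printf '%s\n' '-I INPUT -p udp --dport 10093 -j AX25-IN' \
                  '-I INPUT -p udp --dport 93 -j AX25-IN' \
                  '-I INPUT -p 93 -j AX25-IN'
    while read -r addr kind; do
        case "$addr" in ''|'#'*) continue ;; esac      # skip blank and comment lines
        match=$(ax25_match "$kind") || {
            printf 'unknown transport "%s" for %s\n' "$kind" "$addr" >&2
            return 1
        }
        printf '%s\n' "-A AX25-IN -s $addr $match -j ACCEPT"
    done
    # Unwanted node broadcasts: log at most a few per minute, drop all of them.
    printf '%s\n' '-A AX25-IN -m limit --limit 6/min --limit-burst 10 -j LOG --log-prefix "AX25-DROP: "' \
                  '-A AX25-IN -j DROP' \
                  'COMMIT'
}

# Constructed sample peer list using documentation addresses (RFC 5737);
# replace it with the real peers you have link agreements with.
SAMPLE_PEERS='# address      transport
192.0.2.10     bpq
192.0.2.20     axudp
198.51.100.5   axip'

# Render the sample list.  With a real list, pipe the result into
# "iptables-restore --noflush" so the rest of the filter table is kept.
render_sample() {
    printf '%s\n' "$SAMPLE_PEERS" | gen_ax25_rules
}

render_sample
```

Usage: `sh gen_ax25_rules.sh | sudo iptables-restore --noflush` loads the chain without touching the sysop's other rules (the `--noflush` flag is what stops iptables-restore replacing the whole table; load the fragment once, since the `-I INPUT` hooks would be duplicated on a second load). The caveat Paul makes above still applies: dropping here keeps unwanted broadcasts out of the kernel's NET/ROM tables and out of the log, but the packets have already crossed the ISP link and still count against the download allowance.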