[arm-allstar] Restrict Inbound Connections by Node Number?

Joel x-rad at frontier.com
Wed Mar 2 18:08:06 EST 2016


David McGough via arm-allstar wrote:
>
>
> Joel brings up a good point that, if you don't need full public access to
> your node, restrict access via firewall rules!  The firewall rule update
> code could be run from the rc.updatenodelist script as well, making
> firewall changes as node IP addresses change.

Hi David,

That is what our asnode.org domain does and makes easy... it takes that same list from Allstar (every 5 minutes) and turns it into a DNS zone. We also do the reverse... If you look for a TXT record by IP it will show you all the nodes running on that IP.

So forward...
dig a nodeid.asnode.org

Reverse...
dig txt x.x.x.x.asnode.org

This allows you to ssh to a fixed hostname to connect to your box even if the IP changes.
Finally on the firewall discussion, I have at the very least blocked by region. i.e. only allow A-blocks assigned by ARIN. That takes out all the Chinese crackers looking for open IAX ports in hopes of finding Asterisk switches which will give them telco access to abuse for fraud. Just today our abuse desk here got another Nigerian scam where they are using US based VoIP to appear to be a US University and "purchase items" on Net-30 terms.

The one downside to that is ONCE I ran into a situation where a consumer ISP in the US was using RIPE IP ranges. This is because the world-wide pool of IPv4 addresses is being exhausted, so some European (RIPE) and other ranges are being sold/leased to US organizations and are now being announced by ARIN-assigned ASNs and routed via BGP to the US. So far, I've seen this just once, where an ISP in the eastern part of the US was announcing/using a RIPE/European IP range which had an Allstar node on it that could not connect to us because of my blocking non-ARIN IPs. So we just added the entire range in the BGP announcement from that ISP to the ACCEPT list and fixed it. So far I've not run into this more than once.

73's
Joel/N7GLV
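The firewall approach discussed in this thread (allow IAX only from the addresses in the periodically refreshed node list, plus an explicit ACCEPT list for exceptions such as the RIPE range announced by a US ISP, and drop everything else) can be scripted. The block below is an added example written for this archive page; it is not Joel's code, not David's rc.updatenodelist script, and not part of the Allstar project. The node-list format ("<node number> <ip>" per line), the sample addresses, the extra ACCEPT range and the iptables chain name ALLSTAR_IAX are all constructed for the example.

```python
"""Generate an IAX allowlist for iptables from an Allstar-style node list.

Added example, not the Allstar project's own tooling. The node-list line
format below is assumed for this example only.
"""
import ipaddress
from typing import Dict, Iterable, List

IAX_PORT = 4569  # UDP port used by Asterisk IAX2 (Allstar links)
CHAIN = "ALLSTAR_IAX"  # hypothetical dedicated chain name

# Constructed sample node list: "<node number> <ipv4>" per line.
# One node is listed twice to show that duplicates collapse to one rule.
SAMPLE_NODE_LIST = """\
40001 198.51.100.10
40002 198.51.100.11
40003 203.0.113.25
40002 198.51.100.11
this line is malformed
"""

# Ranges accepted in addition to the node list, e.g. a non-ARIN block that a
# US ISP announces via BGP (constructed value for this example).
EXTRA_ACCEPT = ["192.0.2.0/24"]


def parse_node_list(text: str) -> Dict[str, ipaddress.IPv4Address]:
    """Map node number -> IPv4 address, skipping blank or malformed lines."""
    nodes: Dict[str, ipaddress.IPv4Address] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        node, ip = parts
        try:
            nodes[node] = ipaddress.IPv4Address(ip)
        except ipaddress.AddressValueError:
            continue  # a bad line must not break rule generation
    return nodes


def build_allowlist(nodes: Dict[str, ipaddress.IPv4Address],
                    extra: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Combine node host addresses (/32) and extra ranges into one sorted set."""
    nets = {ipaddress.IPv4Network(ip) for ip in nodes.values()}
    nets.update(ipaddress.IPv4Network(n) for n in extra)
    return sorted(nets)


def is_allowed(src: str, allow: List[ipaddress.IPv4Network]) -> bool:
    """Would an inbound IAX packet from `src` pass the generated ruleset?"""
    addr = ipaddress.IPv4Address(src)
    return any(addr in net for net in allow)


def render_iptables(allow: List[ipaddress.IPv4Network]) -> List[str]:
    """Emit commands that rebuild the dedicated chain from scratch.

    The chain is flushed first so stale addresses disappear when a node's IP
    changes; the final DROP makes the chain a default-deny allowlist. The hook
    'iptables -A INPUT -p udp --dport 4569 -j ALLSTAR_IAX' is installed once,
    outside this script, so re-running it never duplicates the INPUT jump.
    """
    cmds = [f"iptables -F {CHAIN}"]
    cmds += [f"iptables -A {CHAIN} -s {net} -j ACCEPT" for net in allow]
    cmds.append(f"iptables -A {CHAIN} -j DROP")
    return cmds


if __name__ == "__main__":
    allow = build_allowlist(parse_node_list(SAMPLE_NODE_LIST), EXTRA_ACCEPT)
    print("\n".join(render_iptables(allow)))
    for probe in ("198.51.100.10", "192.0.2.77", "203.0.113.26"):
        print(probe, "allowed" if is_allowed(probe, allow) else "dropped")
```

Run from a cron job (or from the same hook that refreshes the node list every few minutes) and pipe the output to a shell, the chain tracks node IP changes automatically; the flush-then-rebuild pattern matters because appending to a chain that already has a DROP at the end would leave new nodes unreachable.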