[arm-allstar] Finicky Little Computer

Doug Crompton wa3dsp at gmail.com
Tue May 15 21:49:31 EST 2018


Rory,

 Like I said, we do not support ufw, but it is a package you can download.
The built-in firewall, which is turned on in /usr/local/etc/allstar.env, has
a configuration file, /etc/openvpn/firewall. This file contains the
rules and is commented and easy to understand. It already has rules for all
the common things you would run with allstar, and if you need to change
ports it is easy to see how to do that.

I just don't want people to think they need to use a firewall when they
really don't, which is probably most of the hamvoip users. If you are
connected directly to the Internet and see all incoming traffic not
filtered by a router, then yes, you should use a firewall, but the built-in
firewall and its rules would be fine for doing this. Here is a snippet of
that file. Note that http and sip are commented out, and if you were running
them you would need to remove the # from the beginning of the line. From
these examples it is very easy to see how to modify them or add other
rules. If you are going to change things in this file, I would make a backup
file of the original first.

### Allow all Internet traffic for IAX2. Allow all ports from 4560 to 4590.
$IPTABLES -A INPUT -p udp --dport 4560:4590 -j ACCEPT

### Allow all Internet traffic for Echolink
$IPTABLES -A INPUT -p udp -m multiport --dport 5198,5199 -j ACCEPT

### Allow all Internet traffic for SIP
#$IPTABLES -A INPUT -p udp --dport 5060 -j ACCEPT

### Allow all Internet traffic for HTTP
#$IPTABLES -A INPUT -p tcp --dport 80 -j ACCEPT

### Allow all Internet traffic for OpenVPN
$IPTABLES -A INPUT -p udp --dport 1194 -j ACCEPT
$IPTABLES -A INPUT -i tun0 -j ACCEPT



*73 Doug*

*WA3DSP*

*http://www.crompton.com/hamradio*



On Tue, May 15, 2018 at 9:53 PM, "Rory Bowers via arm-allstar" <
arm-allstar at hamvoip.org> wrote:

> Hi Doug,
> You wrote...
> I am wondering why you are using a firewall to begin with.
> This surprised me.  The answer is simple: to keep the Pi from being hacked.
> Is your Pi directly on the Internet?
> Yes... we have a static ip assignment on a port of a switch behind our
> isp's router with all ports open.
> Are you not using a nat'ed router?
> No we are not.  A nat'd router would be one more piece of equipment to buy
> and one more point of failure.
> There is no reason to use a firewall on your Pi in that case it just makes
> things more complicated.
> If this is the case then why did someone in the group go to all the trouble
> to write ufw??  I don't believe
> that ufw is going to complicate anything.  Only the necessary ports are
> open; my ssh port, a port for supermon, and port 4569.
> Does anything else need to be open?
> Linux is not Windows and has only the necessary ports opened anyway.
> Where is that configured?
>
> Rory, K5CKS
>
> On Tue, May 15, 2018 at 7:03 PM, "Doug Crompton via arm-allstar" <
> arm-allstar at hamvoip.org> wrote:
>
> > Rory,
> >
> >   ufw is not a program we support or even recommend using. I am wondering
> > why you are using a firewall to begin with. Is your Pi directly on the
> > Internet? Are you not using a nat'ed router?  There is no reason to use a
> > firewall on your Pi in that case it just makes things more complicated.
> > Linux is not Windows and has only the necessary ports opened anyway.
> >
> >
> > *73 Doug*
> >
> > *WA3DSP*
> >
> > *http://www.crompton.com/hamradio*
> >
> >
> > On Tue, May 15, 2018 at 6:31 PM, "Rory Bowers via arm-allstar" <
> > arm-allstar at hamvoip.org> wrote:
> >
> > > While I was trying to get supermon to run outside my lan I reset ufw to
> > ufw
> > > default allow incoming.  I then did ufw disable.  After getting
> > everything
> > > running in supermon I did a ufw default deny incoming.  ufw returned
> > > command not found.  ufw wasn't uninstalled that I know of, what would
> > cause
> > > this??
> > >
> > > Thanks,
> > > Rory, K5CKS
> > > _______________________________________________
> > >
> > > arm-allstar mailing list
> > > arm-allstar at hamvoip.org
> > > http://lists.hamvoip.org/cgi-bin/mailman/listinfo/arm-allstar
> > >
> > > Visit the BBB and RPi2/3 web page - http://hamvoip.org
> > >
> >
>
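The snippet Doug posted shows only the ACCEPT lines of the firewall file. Those lines protect nothing on their own: they matter only if the INPUT chain's default policy is DROP, and under a DROP policy the Pi also needs rules for loopback and for replies to connections it opens itself, or outbound DNS, NTP and package updates silently stop working. The script below is an added example written for this thread, not the hamvoip /etc/openvpn/firewall script: a complete default-deny INPUT chain using the same IAX2, Echolink and OpenVPN ports as the snippet, plus the ssh and supermon web ports Rory mentioned. The ssh and web port numbers, the optional ADMIN_NET restriction, the `ipt` and `build_rules` function names and the rate-limit thresholds are all assumptions of the example.

```shell
#!/bin/sh
# Added example, not the hamvoip /etc/openvpn/firewall script: a complete
# default-deny INPUT chain for a Pi that sits directly on the Internet.
# Service port numbers come from the snippet in the thread; SSH_PORT,
# WEB_PORT and ADMIN_NET are assumptions, override them in the environment.
set -eu

SSH_PORT="${SSH_PORT:-22}"     # assumption: where sshd listens
WEB_PORT="${WEB_PORT:-80}"     # assumption: supermon served over plain http
ADMIN_NET="${ADMIN_NET:-}"     # optional CIDR that alone may reach ssh/web
MODE="dry"

ipt() {
    # In dry mode print the command instead of running it, so the ruleset
    # can be reviewed (or tested) without root or a live iptables.
    if [ "$MODE" = "dry" ]; then
        echo iptables "$@"
    else
        iptables "$@"
    fi
}

build_rules() {
    MODE="${1:-dry}"

    # Clean slate and default deny. ACCEPT rules do nothing useful while
    # the chain policy is still ACCEPT.
    ipt -F INPUT
    ipt -P INPUT DROP

    # Loopback and replies to connections the Pi opened itself must come
    # first; without them outbound DNS, NTP and updates break under DROP.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate INVALID -j DROP

    # Echo request (rate limited) and the ICMP errors path MTU discovery needs.
    ipt -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
    ipt -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
    ipt -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT

    # AllStar services, same ports as the snippet in the thread.
    ipt -A INPUT -p udp --dport 4560:4590 -j ACCEPT                  # IAX2
    ipt -A INPUT -p udp -m multiport --dports 5198,5199 -j ACCEPT    # Echolink
    ipt -A INPUT -p udp --dport 1194 -j ACCEPT                       # OpenVPN
    ipt -A INPUT -i tun0 -j ACCEPT                                   # inside the VPN

    # Management ports. With ADMIN_NET set only that network gets in;
    # otherwise ssh stays open but a source opening more than 4 new
    # connections a minute is dropped, which blunts password guessing.
    if [ -n "$ADMIN_NET" ]; then
        ipt -A INPUT -p tcp -s "$ADMIN_NET" -m multiport --dports "$SSH_PORT,$WEB_PORT" -j ACCEPT
    else
        ipt -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW -m recent --name ssh --set
        ipt -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW -m recent --name ssh --update --seconds 60 --hitcount 4 -j DROP
        ipt -A INPUT -p tcp --dport "$SSH_PORT" -j ACCEPT
        ipt -A INPUT -p tcp --dport "$WEB_PORT" -j ACCEPT
    fi

    # Log what the policy drops, rate limited so a port scan cannot fill the log.
    ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT DROP: "
}

# Usage:  sh fw.sh             print the rules for review
#         sudo sh fw.sh apply  install them
if [ "${1:-}" = "apply" ]; then
    build_rules apply
else
    build_rules dry
fi
```

Run it without arguments first and read the printed commands; apply it from a second ssh session so a mistake in SSH_PORT does not lock you out of the only one. The rules are not persistent: save them with iptables-save (or the distribution's service for that) or they are gone after a reboot. They are also IPv4 only; if the Pi has a public IPv6 address, ip6tables needs its own default-deny policy, since this script leaves it wide open.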

