[arm-allstar] Finicky Little Computer
Rory Bowers
k6cks01 at gmail.com
Wed May 16 07:54:34 EST 2018
Thank you, Doug,
This is very useful! Armed with this knowledge we will be making a
decision today about keeping or ditching ufw. I wish I had known this
before I decided to install ufw. It would have saved a lot of time. Can
pacman uninstall a package as easily as it installs one?
Rory, K5CKS
On Tue, May 15, 2018 at 9:49 PM, "Doug Crompton via arm-allstar" <
arm-allstar at hamvoip.org> wrote:
> Rory,
>
> Like I said, we do not support ufw, but it is a package you can download.
> The built-in firewall, which is turned on in /usr/local/etc/allstar.env, has
> a configuration file, /etc/openvpn/firewall. This file contains the
> rules and is commented and easy to understand. It already has rules for all
> the common things you would run with allstar, and if you need to change
> ports it is easy to see how to do that.
>
> I just don't want people to think they need to use a firewall when they
> really don't, which is probably most of the hamvoip users. If you are
> connected directly to the Internet and see all incoming traffic not
> filtered by a router, then yes, you should use a firewall, but the built-in
> firewall and its rules would be fine for doing this. Here is a snippet of
> that file. Note that http and sip are commented out, and if you were running
> them you would need to remove the # from the beginning of the line. From
> these examples it is very easy to see how to modify them or add other
> rules. If you are going to change things in this file I would make a backup
> of the original first.
>
> ### Allow all Internet traffic for IAX2. Allow all ports from 4560 to 4590.
> $IPTABLES -A INPUT -p udp --dport 4560:4590 -j ACCEPT
>
> ### Allow all Internet traffic for Echolink
> $IPTABLES -A INPUT -p udp -m multiport --dport 5198,5199 -j ACCEPT
>
> ### Allow all Internet traffic for SIP
> #$IPTABLES -A INPUT -p udp --dport 5060 -j ACCEPT
>
> ### Allow all Internet traffic for HTTP
> #$IPTABLES -A INPUT -p tcp --dport 80 -j ACCEPT
>
> ### Allow all Internet traffic for OpenVPN
> $IPTABLES -A INPUT -p udp --dport 1194 -j ACCEPT
> $IPTABLES -A INPUT -i tun0 -j ACCEPT
>
>
> 73 Doug
> WA3DSP
> http://www.crompton.com/hamradio
>
>
> On Tue, May 15, 2018 at 9:53 PM, "Rory Bowers via arm-allstar" <
> arm-allstar at hamvoip.org> wrote:
>
> > Hi Doug,
> > You wrote...
> > "I am wondering why you are using a firewall to begin with."
> > This surprised me. The answer is simple: to keep the Pi from being hacked.
> > "Is your Pi directly on the Internet?"
> > Yes... we have a static ip assignment on a port of a switch behind our
> > isp's router with all ports open.
> > "Are you not using a nat'ed router?"
> > No, we are not. A nat'd router would be one more piece of equipment to buy
> > and one more point of failure.
> > "There is no reason to use a firewall on your Pi in that case; it just makes
> > things more complicated."
> > If this is the case, then why did someone in the group go to all the trouble
> > to write ufw? I don't believe that ufw is going to complicate anything. Only
> > the necessary ports are open: my ssh port, a port for supermon, and port 4569.
> > Does anything else need to be open?
> > "Linux is not Windows and has only the necessary ports opened anyway."
> > Where is that configured?
> >
> > Rory, K5CKS
> >
> > On Tue, May 15, 2018 at 7:03 PM, "Doug Crompton via arm-allstar" <
> > arm-allstar at hamvoip.org> wrote:
> >
> > > Rory,
> > >
> > > ufw is not a program we support or even recommend using. I am wondering
> > > why you are using a firewall to begin with. Is your Pi directly on the
> > > Internet? Are you not using a nat'ed router? There is no reason to use a
> > > firewall on your Pi in that case; it just makes things more complicated.
> > > Linux is not Windows and has only the necessary ports opened anyway.
> > >
> > > 73 Doug
> > > WA3DSP
> > > http://www.crompton.com/hamradio
> > >
> > > On Tue, May 15, 2018 at 6:31 PM, "Rory Bowers via arm-allstar" <
> > > arm-allstar at hamvoip.org> wrote:
> > >
> > > > While I was trying to get supermon to run outside my lan I reset ufw to
> > > > ufw default allow incoming. I then did ufw disable. After getting everything
> > > > running in supermon I did a ufw default deny incoming. ufw returned
> > > > command not found. ufw wasn't uninstalled that I know of; what would cause
> > > > this?
> > > >
> > > > Thanks,
> > > > Rory, K5CKS
> > > > _______________________________________________
> > > >
> > > > arm-allstar mailing list
> > > > arm-allstar at hamvoip.org
> > > > http://lists.hamvoip.org/cgi-bin/mailman/listinfo/arm-allstar
> > > >
> > > > Visit the BBB and RPi2/3 web page - http://hamvoip.org
> > > >
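The firewall snippet quoted above shows only the ACCEPT lines of the hamvoip rule file. As an added example, not taken from /etc/openvpn/firewall or from anyone on this list, here is a small POSIX shell script that emits a complete default-deny INPUT ruleset in the same $IPTABLES style and an audit function that lists the ports a ruleset actually opens, so a file can be checked before it is applied. The IPTABLES default path, the SSH port argument, the loopback and conntrack rules and the final DROP policy are my assumptions about what a complete file needs; the IAX2, Echolink, SIP, HTTP and OpenVPN ports are the ones in the quoted snippet.

```shell
#!/bin/sh
# Added example; not the hamvoip /etc/openvpn/firewall file.
# Assumptions: IPTABLES names the iptables binary (the quoted snippet
# uses the same variable) and the SSH port is passed as an argument.
IPTABLES=${IPTABLES:-/usr/sbin/iptables}

# Emit (do not execute) a default-deny INPUT ruleset. Order matters:
# loopback, established traffic and SSH are accepted before the policy
# is switched to DROP, so applying this over SSH does not lock you out.
# Usage: allstar_rules <ssh_port>
allstar_rules() {
    ssh_port=${1:-22}
    cat <<EOF
$IPTABLES -F INPUT
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
### Allow SSH for administration (match the port in sshd_config)
$IPTABLES -A INPUT -p tcp --dport $ssh_port -j ACCEPT
### Allow all Internet traffic for IAX2. Allow all ports from 4560 to 4590.
$IPTABLES -A INPUT -p udp --dport 4560:4590 -j ACCEPT
### Allow all Internet traffic for Echolink
$IPTABLES -A INPUT -p udp -m multiport --dport 5198,5199 -j ACCEPT
### Allow all Internet traffic for SIP (leave commented unless SIP is in use)
#$IPTABLES -A INPUT -p udp --dport 5060 -j ACCEPT
### Allow all Internet traffic for HTTP (leave commented unless a web server runs)
#$IPTABLES -A INPUT -p tcp --dport 80 -j ACCEPT
### Allow all Internet traffic for OpenVPN
$IPTABLES -A INPUT -p udp --dport 1194 -j ACCEPT
$IPTABLES -A INPUT -i tun0 -j ACCEPT
### Everything not accepted above is dropped
$IPTABLES -P INPUT DROP
EOF
}

# Audit: read a ruleset on stdin and print "proto port" for every active
# (uncommented) ACCEPT rule that names a destination port. Commented-out
# lines are skipped, so the output is exactly what the host will expose.
open_ports() {
    awk '
        /^[ \t]*#/   { next }      # commented-out rule: not active
        !/-j ACCEPT/ { next }      # only ACCEPT rules open anything
        {
            proto = "any"; port = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-p")      proto = $(i + 1)
                if ($i == "--dport") port  = $(i + 1)
            }
            if (port != "") print proto, port
        }'
}

# Audit: succeed only if the ruleset sets a DROP policy for INPUT.
# A file that only ACCEPTs is not a firewall.
has_default_deny() {
    grep -q -e '-P INPUT DROP'
}

# Stand-alone run: show what the generated ruleset would expose.
allstar_rules "${1:-22}" | open_ports
```

Run `allstar_rules 22 | open_ports` to see the exposed ports (SSH, the IAX2 range, Echolink and OpenVPN; the commented SIP and HTTP lines do not appear), and `allstar_rules 22 | sh` as root to apply the rules. The same `open_ports` audit can be run over the real rule file with `sh -n` first to confirm it parses, then `open_ports < /etc/openvpn/firewall` to list what it opens before reloading it.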