[arm-allstar] Finicky Little Computer
Jim Darrough
jim at ki7ay.com
Wed May 16 08:16:32 EST 2018
It is unclear to me from discussions with our ISP whether or not we ARE
behind a firewall. It seems to me from what he has told us that we are
connected to their nat router, but that they don't block anything. What I
want to do is make sure we don't just put an unprotected computer directly
on the internet. Someone will own the computer within a week to a month.
Anyway, using the internal firewall would be fine with me as long as we
can completely remove any other firewall software that could conflict.
Bottom line is it's still a Raspberry Pi, right.
73 Jim Ki7AY
On 05/16/2018 07:54 AM, "Rory Bowers via arm-allstar" wrote:
> Thank You Doug,
> This is very useful! Armed with this knowledge we will be making a
> decision today about keeping or ditching ufw. I wish I had known this
> before I decided to install ufw. It would have saved a lot of time. Can
> pacman uninstall a package as easily as it installs one??
>
> Rory, K5CKS
>
> On Tue, May 15, 2018 at 9:49 PM, "Doug Crompton via arm-allstar" <
> arm-allstar at hamvoip.org> wrote:
>
>> Rory,
>>
>> Like I said we do not support ufw but it is a package you can download.
>> The built-in firewall which is turned on in /usr/local/etc/allstar.env has
>> a configuration file - /etc/openvpn/firewall - this file contains the
>> rules and is commented and easy to understand. It already has rules for all
>> the common things you would run with allstar and if you need to change
>> ports it is easy to see how to do that.
>>
>> I just don't want people to think they need to use a firewall when they
>> really don't which is probably most of the hamvoip users. If you are
>> connected directly to the Internet and see all incoming traffic not
>> filtered by a router then yes you should use a firewall but the built-in
>> firewall and its rules would be fine for doing this. Here is a snippet of
>> that file. Note that http and sip are commented out and if you were running
>> them you would need to remove the # from the beginning of the line. From
>> these examples it is very easy to see how to modify them or add other
>> rules. If you are going to change things in this file I would make a backup
>> file of the original first.
>>
>> ### Allow all Internet traffic for IAX2. Allow all ports from 4560 to 4590.
>> $IPTABLES -A INPUT -p udp --dport 4560:4590 -j ACCEPT
>>
>> ### Allow all Internet traffic for Echolink
>> $IPTABLES -A INPUT -p udp -m multiport --dport 5198,5199 -j ACCEPT
>>
>> ### Allow all Internet traffic for SIP
>> #$IPTABLES -A INPUT -p udp --dport 5060 -j ACCEPT
>>
>> ### Allow all Internet traffic for HTTP
>> #$IPTABLES -A INPUT -p tcp --dport 80 -j ACCEPT
>>
>> ### Allow all Internet traffic for OpenVPN
>> $IPTABLES -A INPUT -p udp --dport 1194 -j ACCEPT
>> $IPTABLES -A INPUT -i tun0 -j ACCEPT
>>
>>
>>
>> *73 Doug*
>>
>> *WA3DSP*
>>
>> *http://www.crompton.com/hamradio*
>>
>>
>>
>> On Tue, May 15, 2018 at 9:53 PM, "Rory Bowers via arm-allstar" <
>> arm-allstar at hamvoip.org> wrote:
>>
>>> Hi Doug,
>>> You wrote...
>>> I am wondering why you are using a firewall to begin with.
>>> This surprised me. The answer is simple; to keep the Pi from being hacked.
>>> Is your Pi directly on the Internet?
>>> Yes... we have a static ip assignment on a port of a switch behind our
>>> isp's router with all ports open.
>>> Are you not using a nat'ed router?
>>> No we are not. A nat'd router would be one more piece of equipment to buy
>>> and one more point of failure.
>>> There is no reason to use a firewall on your Pi in that case it just makes
>>> things more complicated.
>>> If this is the case then why did someone in the group go to all the trouble
>>> to write ufw?? I don't believe
>>> that ufw is going to complicate anything. Only the necessary ports are
>>> open; my ssh port, a port for supermon, and port 4569.
>>> Does anything else need to be open?
>>> Linux is not Windows and has only the necessary ports opened anyway.
>>> Where is that configured?
>>>
>>> Rory, K5CKS
>>>
>>> On Tue, May 15, 2018 at 7:03 PM, "Doug Crompton via arm-allstar" <
>>> arm-allstar at hamvoip.org> wrote:
>>>
>>>> Rory,
>>>>
>>>> ufw is not a program we support or even recommend using. I am wondering
>>>> why you are using a firewall to begin with. Is your Pi directly on the
>>>> Internet? Are you not using a nat'ed router? There is no reason to use a
>>>> firewall on your Pi in that case it just makes things more complicated.
>>>> Linux is not Windows and has only the necessary ports opened anyway.
>>>>
>>>>
>>>> *73 Doug*
>>>>
>>>> *WA3DSP*
>>>>
>>>> *http://www.crompton.com/hamradio*
>>>>
>>>>
>>>> On Tue, May 15, 2018 at 6:31 PM, "Rory Bowers via arm-allstar" <
>>>> arm-allstar at hamvoip.org> wrote:
>>>>
>>>>> While I was trying to get supermon to run outside my lan I reset ufw to ufw
>>>>> default allow incoming. I then did ufw disable. After getting everything
>>>>> running in supermon I did a ufw default deny incoming. ufw returned
>>>>> command not found. ufw wasn't uninstalled that I know of, what would cause
>>>>> this??
>>>>>
>>>>> Thanks,
>>>>> Rory, K5CKS
>>>>> _______________________________________________
>>>>>
>>>>> arm-allstar mailing list
>>>>> arm-allstar at hamvoip.org
>>>>> http://lists.hamvoip.org/cgi-bin/mailman/listinfo/arm-allstar
>>>>>
>>>>> Visit the BBB and RPi2/3 web page - http://hamvoip.org
>>>>>
--
73 Jim
La ciruela de Panamá
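
An added example, not part of the original thread or of the hamvoip distribution: a small audit that lists which ports a rules file in the style quoted above actually accepts (commented-out rules are skipped), plus a check for whether the Pi's address is private or CGNAT space, which is the "are we behind NAT" question raised at the top. The function names are hypothetical; the sample rules are the ones quoted in the thread.

```shell
# Sample input: the rules quoted in the thread, as they would sit in the file.
sample_rules() {
cat <<'EOF'
### Allow all Internet traffic for IAX2. Allow all ports from 4560 to 4590.
$IPTABLES -A INPUT -p udp --dport 4560:4590 -j ACCEPT
### Allow all Internet traffic for Echolink
$IPTABLES -A INPUT -p udp -m multiport --dport 5198,5199 -j ACCEPT
### Allow all Internet traffic for SIP
#$IPTABLES -A INPUT -p udp --dport 5060 -j ACCEPT
### Allow all Internet traffic for HTTP
#$IPTABLES -A INPUT -p tcp --dport 80 -j ACCEPT
### Allow all Internet traffic for OpenVPN
$IPTABLES -A INPUT -p udp --dport 1194 -j ACCEPT
$IPTABLES -A INPUT -i tun0 -j ACCEPT
EOF
}

# Print "proto port" for each active INPUT ACCEPT rule naming a destination
# port. Reads the file given as $1, or standard input when no file is given.
active_input_ports() {
    awk '
        /^[[:space:]]*#/ { next }              # commented-out rule or heading
        / -A INPUT / && / -j ACCEPT/ {
            proto = ""; ports = ""
            for (i = 1; i < NF; i++) {
                if ($i == "-p") proto = $(i + 1)
                if ($i == "--dport" || $i == "--dports") ports = $(i + 1)
            }
            if (ports == "") next              # interface-only rule (tun0)
            n = split(ports, list, ",")        # multiport list: 5198,5199
            for (j = 1; j <= n; j++) print proto, list[j]
        }
    ' "$@"
}

# Return 0 when an IPv4 address is RFC 1918 or RFC 6598 (CGNAT) space,
# meaning the host is behind address translation, not directly on the Internet.
is_natted_ipv4() {
    case "$1" in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        100.6[4-9].*|100.[7-9][0-9].*|100.1[01][0-9].*|100.12[0-7].*) return 0 ;;
        *) return 1 ;;
    esac
}

sample_rules | active_input_ports
```

Pass the address shown by `ip -4 addr` to `is_natted_ipv4`; a private address only shows that translation is in place, not what the upstream router forwards to the Pi.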