[arm-allstar] Finicky Little Computer

Jay Urish jay at unixwolf.net
Wed May 16 08:21:42 EST 2018 

This is easy... If your ip is RFC1918, i.e 
10.x.x.x/172.16.x.x/192.168.x.x, then you are behind a firewall.




On 05/16/2018 08:16 AM, "Jim Darrough via arm-allstar" wrote:
> It is unclear to me from discussions with our ISP whether or not we 
> ARE behind a firewall. It seems to me from
>
> what he has told us that we are connected to their nat router, but 
> that they don't block anything. What I want to do
>
> is make sure we don't just put an unprotected computer directly on the 
> internet. Someone will own the computer within
>
> a week to a month.
>
>
> Anyway, using the internal firewall would be fine with me as long as 
> we can completely remove any other firewall software
>
> that could conflict.
>
> Bottom line is it's still a Raspberry Pi, right.
>
> 73 Jim Ki7AY
>
>
> On 05/16/2018 07:54 AM, "Rory Bowers via arm-allstar" wrote:
>> Thank You Doug,
>> This is very useful!  Armed with this knowledge we will be making a
>> decision today about keeping or ditching ufw.  I wish I had known this
>> before I decided to install ufw.  It would have saved a lot of time.  
>> Can
>> pacman uninstall a package as easily as it installs one??
>>
>> Rory, K5CKS
>>
>> On Tue, May 15, 2018 at 9:49 PM, "Doug Crompton via arm-allstar" <
>> arm-allstar at hamvoip.org> wrote:
>>
>>> Rory,
>>>
>>>   Like I said we do not support ufw but it is a package you can 
>>> download.
>>> The built-in firewall which is turned on in 
>>> /usr/local/etc/allstar.env has
>>> a configuration file -  /etc/openvpn/firewall  - this file contains the
>>> rules and is commented and easy to understand. It already has rules 
>>> for all
>>> the common things you would run with allstar and if you need to change
>>> ports it is easy to see how to do that.
>>>
>>> I just don't want people to think they need to use a firewall when they
>>> really don't which is probably most of the hamvoip users. If you are
>>> connected directly to the Internet and see all incoming traffic not
>>> filtered bt a router then yes you should use a firewall but the 
>>> built-in
>>> firewall and its rules would be fine for doing this. Here is a 
>>> snippet of
>>> that file. Note that http and sip are commented out and if you were 
>>> running
>>> them you would need to remove the # from the beginning of the line.  
>>> From
>>> theses examples it is very easy to see how to modify them or add other
>>> rules. If you are going to change things in this file I would make a 
>>> backup
>>> file or the original first.
>>>
>>> ### Allow all Internet traffic for IAX2. Allow all ports from 4560 
>>> to 4590.
>>> $IPTABLES -A INPUT -p udp --dport 4560:4590 -j ACCEPT
>>>
>>> ### Allow all Internet traffic for Echolink
>>> $IPTABLES -A INPUT -p udp -m multiport --dport 5198,5199 -j ACCEPT
>>>
>>> ### Allow all Internet traffic for SIP
>>> #$IPTABLES -A INPUT -p udp --dport 5060 -j ACCEPT
>>>
>>> ### Allow all Internet traffic for HTTP
>>> #$IPTABLES -A INPUT -p tcp --dport 80 -j ACCEPT
>>>
>>> ### Allow all Internet traffic for OpenVPN
>>> $IPTABLES -A INPUT -p udp --dport 1194 -j ACCEPT
>>> $IPTABLES -A INPUT -i tun0 -j ACCEPT
>>>
>>>
>>>
>>> *73 Doug*
>>>
>>> *WA3DSP*
>>>
>>> *http://www.crompton.com/hamradio <http://www.crompton.com/hamradio>*
>>>
>>>
>>>
>>> On Tue, May 15, 2018 at 9:53 PM, "Rory Bowers via arm-allstar" <
>>> arm-allstar at hamvoip.org> wrote:
>>>
>>>> Hi Doug,
>>>> You wrote...
>>>> I am wondering why you are using a firewall to begin with.
>>>> This surprised me.  The answer is simple; to keep the Pi from being
>>> hacked.
>>>> Is your Pi directly on the Internet?
>>>> Yes... we have a static ip assignment on a port of a switch behind our
>>>> isp's router with all ports open.
>>>> Are you not using a nat'ed router?
>>>> No we are not.  A nat'd router would be one more piece of equipment to
>>> buy
>>>> and one more point of failure.
>>>> There is no reason to use a firewall on your Pi in that case it just
>>> makes
>>>> things more complicated.
>>>> If this is the case then why did someone in the group go to all the
>>> trouble
>>>> to write ufw??  I don't believe
>>>> that ufw is going to complicate anything.  Only the necessary ports 
>>>> are
>>>> open; my ssh port, a port for supermon, and port 4569.
>>>> Does anything else need to be open?
>>>> Linux is not Windows and has only the necessary ports opened anyway.
>>>> Where is that configured?
>>>>
>>>> Rory, K5CKS
>>>>
>>>> On Tue, May 15, 2018 at 7:03 PM, "Doug Crompton via arm-allstar" <
>>>> arm-allstar at hamvoip.org> wrote:
>>>>
>>>>> Rory,
>>>>>
>>>>>    ufw is not a program we support or even recommend using. I am
>>> wondering
>>>>> why you are using a firewall to begin with. Is your Pi directly on 
>>>>> the
>>>>> Internet? Are you not using a nat'ed router?  There is no reason to
>>> use a
>>>>> firewall on your Pi in that case it just makes things more 
>>>>> complicated.
>>>>> Linux is not Windows and has only the necessary ports opened anyway.
>>>>>
>>>>>
>>>>> *73 Doug*
>>>>>
>>>>> *WA3DSP*
>>>>>
>>>>> *http://www.crompton.com/hamradio <http://www.crompton.com/hamradio>*
>>>>>
>>>>>
>>>>> On Tue, May 15, 2018 at 6:31 PM, "Rory Bowers via arm-allstar" <
>>>>> arm-allstar at hamvoip.org> wrote:
>>>>>
>>>>>> While I was trying to get supermon to run outside my lan I reset ufw
>>> to
>>>>> ufw
>>>>>> default allow incoming.  I then did ufw disable.  After getting
>>>>> everything
>>>>>> running in supermon I did a ufw default deny incoming.  ufw returned
>>>>>> command not found.  ufw wasn't uninstalled that I know of, what 
>>>>>> would
>>>>> cause
>>>>>> this??
>>>>>>
>>>>>> Thanks,
>>>>>> Rory, K5CKS
>>>>>> _______________________________________________
>>>>>>
>>>>>> arm-allstar mailing list
>>>>>> arm-allstar at hamvoip.org
>>>>>> http://lists.hamvoip.org/cgi-bin/mailman/listinfo/arm-allstar
>>>>>>
>>>>>> Visit the BBB and RPi2/3 web page - http://hamvoip.org
>>>>>>
>>>>> _______________________________________________
>>>>>
>>>>> arm-allstar mailing list
>>>>> arm-allstar at hamvoip.org
>>>>> http://lists.hamvoip.org/cgi-bin/mailman/listinfo/arm-allstar
>>>>>
>>>>> Visit the BBB and RPi2/3 web page - http://hamvoip.org
>>>>>
>>>> _______________________________________________
>>>>
>>>> arm-allstar mailing list
>>>> arm-allstar at hamvoip.org
>>>> http://lists.hamvoip.org/cgi-bin/mailman/listinfo/arm-allstar
>>>>
>>>> Visit the BBB and RPi2/3 web page - http://hamvoip.org
>>>>
>>> _______________________________________________
>>>
>>> arm-allstar mailing list
>>> arm-allstar at hamvoip.org
>>> http://lists.hamvoip.org/cgi-bin/mailman/listinfo/arm-allstar
>>>
>>> Visit the BBB and RPi2/3 web page - http://hamvoip.org
>>>
>> _______________________________________________
>>
>> arm-allstar mailing list
>> arm-allstar at hamvoip.org
>> http://lists.hamvoip.org/cgi-bin/mailman/listinfo/arm-allstar
>>
>> Visit the BBB and RPi2/3 web page - http://hamvoip.org
>>
>

More information about the arm-allstar mailing list