[arm-allstar] Finicky Little Computer

Jim Darrough jim at ki7ay.com
Wed May 16 08:34:50 EST 2018


Our I/P address is NOT a non-routable. Unfortunately. But thanks for the 
input.

73 Jim KI7AY


On 05/16/2018 08:21 AM, "Jay Urish via arm-allstar" wrote:
> This is easy... If your ip is RFC1918, i.e.,
> 10.x.x.x/172.16.x.x/192.168.x.x, then you are behind a firewall.
>
>
>
>
> On 05/16/2018 08:16 AM, "Jim Darrough via arm-allstar" wrote:
>> It is unclear to me from discussions with our ISP whether or not we
>> ARE behind a firewall. It seems to me from what he has told us that
>> we are connected to their NAT router, but that they don't block
>> anything. What I want to do is make sure we don't just put an
>> unprotected computer directly on the internet. Someone will own the
>> computer within a week to a month.
>>
>> Anyway, using the internal firewall would be fine with me as long as
>> we can completely remove any other firewall software that could
>> conflict.
>>
>> Bottom line is it's still a Raspberry Pi, right?
>>
>> 73 Jim Ki7AY
>>
>>
>> On 05/16/2018 07:54 AM, "Rory Bowers via arm-allstar" wrote:
>>> Thank you Doug,
>>> This is very useful!  Armed with this knowledge we will be making a
>>> decision today about keeping or ditching ufw.  I wish I had known this
>>> before I decided to install ufw.  It would have saved a lot of time.
>>> Can pacman uninstall a package as easily as it installs one?
>>>
>>> Rory, K5CKS
>>>
>>> On Tue, May 15, 2018 at 9:49 PM, "Doug Crompton via arm-allstar" <
>>> arm-allstar at hamvoip.org> wrote:
>>>
>>>> Rory,
>>>>
>>>>   Like I said we do not support ufw but it is a package you can
>>>> download. The built-in firewall which is turned on in
>>>> /usr/local/etc/allstar.env has a configuration file -
>>>> /etc/openvpn/firewall - this file contains the rules and is commented
>>>> and easy to understand. It already has rules for all the common things
>>>> you would run with allstar and if you need to change ports it is easy
>>>> to see how to do that.
>>>>
>>>> I just don't want people to think they need to use a firewall when
>>>> they really don't which is probably most of the hamvoip users. If you
>>>> are connected directly to the Internet and see all incoming traffic not
>>>> filtered by a router then yes you should use a firewall but the
>>>> built-in firewall and its rules would be fine for doing this. Here is a
>>>> snippet of that file. Note that http and sip are commented out and if
>>>> you were running them you would need to remove the # from the beginning
>>>> of the line.  From these examples it is very easy to see how to modify
>>>> them or add other rules. If you are going to change things in this file
>>>> I would make a backup file of the original first.
>>>>
>>>> ### Allow all Internet traffic for IAX2. Allow all ports from 4560 to 4590.
>>>> $IPTABLES -A INPUT -p udp --dport 4560:4590 -j ACCEPT
>>>>
>>>> ### Allow all Internet traffic for Echolink
>>>> $IPTABLES -A INPUT -p udp -m multiport --dport 5198,5199 -j ACCEPT
>>>>
>>>> ### Allow all Internet traffic for SIP
>>>> #$IPTABLES -A INPUT -p udp --dport 5060 -j ACCEPT
>>>>
>>>> ### Allow all Internet traffic for HTTP
>>>> #$IPTABLES -A INPUT -p tcp --dport 80 -j ACCEPT
>>>>
>>>> ### Allow all Internet traffic for OpenVPN
>>>> $IPTABLES -A INPUT -p udp --dport 1194 -j ACCEPT
>>>> $IPTABLES -A INPUT -i tun0 -j ACCEPT
>>>>
>>>>
>>>>
>>>> 73 Doug
>>>>
>>>> WA3DSP
>>>>
>>>> http://www.crompton.com/hamradio
>>>>
>>>>
>>>>
>>>> On Tue, May 15, 2018 at 9:53 PM, "Rory Bowers via arm-allstar" <
>>>> arm-allstar at hamvoip.org> wrote:
>>>>
>>>>> Hi Doug,
>>>>> You wrote...
>>>>> I am wondering why you are using a firewall to begin with.
>>>>> This surprised me.  The answer is simple; to keep the Pi from being
>>>>> hacked.
>>>>> Is your Pi directly on the Internet?
>>>>> Yes... we have a static ip assignment on a port of a switch behind
>>>>> our ISP's router with all ports open.
>>>>> Are you not using a nat'ed router?
>>>>> No we are not.  A nat'd router would be one more piece of equipment
>>>>> to buy and one more point of failure.
>>>>> There is no reason to use a firewall on your Pi in that case it just
>>>>> makes things more complicated.
>>>>> If this is the case then why did someone in the group go to all the
>>>>> trouble to write ufw?  I don't believe that ufw is going to
>>>>> complicate anything.  Only the necessary ports are open; my ssh
>>>>> port, a port for supermon, and port 4569.
>>>>> Does anything else need to be open?
>>>>> Linux is not Windows and has only the necessary ports opened anyway.
>>>>> Where is that configured?
>>>>>
>>>>> Rory, K5CKS
>>>>>
>>>>> On Tue, May 15, 2018 at 7:03 PM, "Doug Crompton via arm-allstar" <
>>>>> arm-allstar at hamvoip.org> wrote:
>>>>>
>>>>>> Rory,
>>>>>>
>>>>>>    ufw is not a program we support or even recommend using. I am
>>>>>> wondering why you are using a firewall to begin with. Is your Pi
>>>>>> directly on the Internet? Are you not using a nat'ed router?  There
>>>>>> is no reason to use a firewall on your Pi in that case it just makes
>>>>>> things more complicated.
>>>>>> Linux is not Windows and has only the necessary ports opened anyway.
>>>>>>
>>>>>>
>>>>>> 73 Doug
>>>>>>
>>>>>> WA3DSP
>>>>>>
>>>>>> http://www.crompton.com/hamradio
>>>>>>
>>>>>>
>>>>>> On Tue, May 15, 2018 at 6:31 PM, "Rory Bowers via arm-allstar" <
>>>>>> arm-allstar at hamvoip.org> wrote:
>>>>>>
>>>>>>> While I was trying to get supermon to run outside my lan I reset
>>>>>>> ufw to ufw default allow incoming.  I then did ufw disable.  After
>>>>>>> getting everything running in supermon I did a ufw default deny
>>>>>>> incoming.  ufw returned command not found.  ufw wasn't uninstalled
>>>>>>> that I know of, what would cause this??
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Rory, K5CKS
>>>>>>> _______________________________________________
>>>>>>>
>>>>>>> arm-allstar mailing list
>>>>>>> arm-allstar at hamvoip.org
>>>>>>> http://lists.hamvoip.org/cgi-bin/mailman/listinfo/arm-allstar
>>>>>>>
>>>>>>> Visit the BBB and RPi2/3 web page - http://hamvoip.org
>>>>>>>
>>
>

-- 
73 Jim
La ciruela de Panamá
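As an added example (not the hamvoip /etc/openvpn/firewall file and not code from anyone in this thread), the script below turns Doug's snippet into a complete inbound policy for a Pi that sits on a public address: Jay's RFC1918 test, the IAX2, Echolink and OpenVPN rules from the snippet, SIP and HTTP switched on by variables instead of by editing out the `#`, loopback and established traffic accepted, and the default-deny policy set last so an open SSH session is not cut off while the rules load. The iptables path, SSH_PORT and SUPERMON_PORT are assumptions; run it with no arguments to preview the rules and with --apply as root to load them.

```shell
#!/bin/sh
# Added example, not the hamvoip /etc/openvpn/firewall file: rebuilds the rule
# set from Doug's snippet with a default-deny policy, and applies it only when
# run as root with "--apply". SSH_PORT and SUPERMON_PORT are placeholders.
IPTABLES="${IPTABLES:-/usr/sbin/iptables}"
SSH_PORT="${SSH_PORT:-22}"              # assumption: change if sshd was moved
SUPERMON_PORT="${SUPERMON_PORT:-80}"    # assumption: supermon served over HTTP
ENABLE_SIP="${ENABLE_SIP:-no}"          # the "#" lines in the snippet stay off
ENABLE_HTTP="${ENABLE_HTTP:-no}"

# Jay's check: an RFC1918 address means a NAT router already sits in front.
is_rfc1918() {
    case "$1" in
        10.*|192.168.*)                          echo yes ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*)   echo yes ;;
        *)                                       echo no ;;
    esac
}

# Emit the rules as text; "$1" is the iptables command printed in front.
# Accept rules come first and the DROP policy last so an open SSH session
# is never cut off while the rules are being loaded.
gen_rules() {
    ipt="$1"
    echo "$ipt -F INPUT"
    echo "$ipt -A INPUT -i lo -j ACCEPT"
    echo "$ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "$ipt -A INPUT -p tcp --dport $SSH_PORT -j ACCEPT"
    echo "$ipt -A INPUT -p udp --dport 4560:4590 -j ACCEPT"               # IAX2
    echo "$ipt -A INPUT -p udp -m multiport --dport 5198,5199 -j ACCEPT"   # Echolink
    [ "$ENABLE_SIP" = yes ] && echo "$ipt -A INPUT -p udp --dport 5060 -j ACCEPT"
    [ "$ENABLE_HTTP" = yes ] && echo "$ipt -A INPUT -p tcp --dport $SUPERMON_PORT -j ACCEPT"
    echo "$ipt -A INPUT -p udp --dport 1194 -j ACCEPT"                     # OpenVPN
    echo "$ipt -A INPUT -i tun0 -j ACCEPT"
    echo "$ipt -P INPUT DROP"                                              # everything else
}

if [ "${1:-}" = "--apply" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "--apply needs root" >&2; exit 1; }
    gen_rules "$IPTABLES" | sh -e
else
    gen_rules "$IPTABLES"          # dry run: show what --apply would load
fi
```

Check the node's address with `is_rfc1918` first; if it answers yes, a NAT router is already in front of the Pi and, as Doug says, the extra firewall mostly adds complexity.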


