[arm-allstar] Finicky Little Computer
KD2NFC, Joe Puma
kd2nfc at gmail.com
Wed May 16 14:10:40 EST 2018
Just a note that there are services on the internet where you can check for open ports on your public IP. Here is one where you can specify a wide range of ports to see what it returns. I just did it from 1-10000. http://www.ipfingerprints.com/portscan.php
Joe
KD2NFC
Sent from my iPad
> On May 16, 2018, at 9:34 AM, Jim Darrough via arm-allstar <arm-allstar at hamvoip.org> wrote:
>
> Our I/P address is NOT a non-routable. Unfortunately. But thanks for the input.
>
> 73 Jim KI7AY
>
>
>> On 05/16/2018 08:21 AM, "Jay Urish via arm-allstar" wrote:
>> This is easy... If your IP is RFC1918, i.e. 10.x.x.x/172.16.x.x/192.168.x.x, then you are behind a firewall.
>>
>>
>>
>>
>>> On 05/16/2018 08:16 AM, "Jim Darrough via arm-allstar" wrote:
>>> It is unclear to me from discussions with our ISP whether or not we ARE behind a firewall. It seems to me from
>>> what he has told us that we are connected to their nat router, but that they don't block anything. What I want to do
>>> is make sure we don't just put an unprotected computer directly on the internet. Someone will own the computer within
>>> a week to a month.
>>>
>>> Anyway, using the internal firewall would be fine with me as long as we can completely remove any other firewall software
>>> that could conflict.
>>>
>>> Bottom line is it's still a Raspberry Pi, right.
>>>
>>> 73 Jim Ki7AY
>>>
>>>
>>>> On 05/16/2018 07:54 AM, "Rory Bowers via arm-allstar" wrote:
>>>> Thank You Doug,
>>>> This is very useful! Armed with this knowledge we will be making a
>>>> decision today about keeping or ditching ufw. I wish I had known this
>>>> before I decided to install ufw. It would have saved a lot of time. Can
>>>> pacman uninstall a package as easily as it installs one??
>>>>
>>>> Rory, K5CKS
>>>>
>>>> On Tue, May 15, 2018 at 9:49 PM, "Doug Crompton via arm-allstar" <
>>>> arm-allstar at hamvoip.org> wrote:
>>>>
>>>>> Rory,
>>>>>
>>>>> Like I said we do not support ufw but it is a package you can download.
>>>>> The built-in firewall which is turned on in /usr/local/etc/allstar.env has
>>>>> a configuration file - /etc/openvpn/firewall - this file contains the
>>>>> rules and is commented and easy to understand. It already has rules for all
>>>>> the common things you would run with allstar and if you need to change
>>>>> ports it is easy to see how to do that.
>>>>>
>>>>> I just don't want people to think they need to use a firewall when they
>>>>> really don't which is probably most of the hamvoip users. If you are
>>>>> connected directly to the Internet and see all incoming traffic not
>>>>> filtered by a router then yes you should use a firewall but the built-in
>>>>> firewall and its rules would be fine for doing this. Here is a snippet of
>>>>> that file. Note that http and sip are commented out and if you were running
>>>>> them you would need to remove the # from the beginning of the line. From
>>>>> these examples it is very easy to see how to modify them or add other
>>>>> rules. If you are going to change things in this file I would make a backup
>>>>> file of the original first.
>>>>>
>>>>> ### Allow all Internet traffic for IAX2. Allow all ports from 4560 to 4590.
>>>>> $IPTABLES -A INPUT -p udp --dport 4560:4590 -j ACCEPT
>>>>>
>>>>> ### Allow all Internet traffic for Echolink
>>>>> $IPTABLES -A INPUT -p udp -m multiport --dport 5198,5199 -j ACCEPT
>>>>>
>>>>> ### Allow all Internet traffic for SIP
>>>>> #$IPTABLES -A INPUT -p udp --dport 5060 -j ACCEPT
>>>>>
>>>>> ### Allow all Internet traffic for HTTP
>>>>> #$IPTABLES -A INPUT -p tcp --dport 80 -j ACCEPT
>>>>>
>>>>> ### Allow all Internet traffic for OpenVPN
>>>>> $IPTABLES -A INPUT -p udp --dport 1194 -j ACCEPT
>>>>> $IPTABLES -A INPUT -i tun0 -j ACCEPT
>>>>>
>>>>>
>>>>>
>>>>> *73 Doug*
>>>>>
>>>>> *WA3DSP*
>>>>>
>>>>> *http://www.crompton.com/hamradio <http://www.crompton.com/hamradio>*
>>>>>
>>>>>
>>>>>
>>>>> On Tue, May 15, 2018 at 9:53 PM, "Rory Bowers via arm-allstar" <
>>>>> arm-allstar at hamvoip.org> wrote:
>>>>>
>>>>>> Hi Doug,
>>>>>> You wrote...
>>>>>> I am wondering why you are using a firewall to begin with.
>>>>>> This surprised me. The answer is simple; to keep the Pi from being hacked.
>>>>>> Is your Pi directly on the Internet?
>>>>>> Yes... we have a static ip assignment on a port of a switch behind our
>>>>>> isp's router with all ports open.
>>>>>> Are you not using a nat'ed router?
>>>>>> No we are not. A nat'd router would be one more piece of equipment to buy
>>>>>> and one more point of failure.
>>>>>> There is no reason to use a firewall on your Pi in that case it just makes
>>>>>> things more complicated.
>>>>>> If this is the case then why did someone in the group go to all the trouble
>>>>>> to write ufw?? I don't believe
>>>>>> that ufw is going to complicate anything. Only the necessary ports are
>>>>>> open; my ssh port, a port for supermon, and port 4569.
>>>>>> Does anything else need to be open?
>>>>>> Linux is not Windows and has only the necessary ports opened anyway.
>>>>>> Where is that configured?
>>>>>>
>>>>>> Rory, K5CKS
>>>>>>
>>>>>> On Tue, May 15, 2018 at 7:03 PM, "Doug Crompton via arm-allstar" <
>>>>>> arm-allstar at hamvoip.org> wrote:
>>>>>>
>>>>>>> Rory,
>>>>>>>
>>>>>>> ufw is not a program we support or even recommend using. I am wondering
>>>>>>> why you are using a firewall to begin with. Is your Pi directly on the
>>>>>>> Internet? Are you not using a nat'ed router? There is no reason to use a
>>>>>>> firewall on your Pi in that case it just makes things more complicated.
>>>>>>> Linux is not Windows and has only the necessary ports opened anyway.
>>>>>>>
>>>>>>>
>>>>>>> *73 Doug*
>>>>>>>
>>>>>>> *WA3DSP*
>>>>>>>
>>>>>>> *http://www.crompton.com/hamradio <http://www.crompton.com/hamradio>*
>>>>>>>
>>>>>>>
>>>>>>> On Tue, May 15, 2018 at 6:31 PM, "Rory Bowers via arm-allstar" <
>>>>>>> arm-allstar at hamvoip.org> wrote:
>>>>>>>
>>>>>>>> While I was trying to get supermon to run outside my lan I reset ufw to ufw
>>>>>>>> default allow incoming. I then did ufw disable. After getting everything
>>>>>>>> running in supermon I did a ufw default deny incoming. ufw returned
>>>>>>>> command not found. ufw wasn't uninstalled that I know of, what would cause
>>>>>>>> this??
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>> Rory, K5CKS
>>>>>>>> _______________________________________________
>>>>>>>>
>>>>>>>> arm-allstar mailing list
>>>>>>>> arm-allstar at hamvoip.org
>>>>>>>> http://lists.hamvoip.org/cgi-bin/mailman/listinfo/arm-allstar
>>>>>>>>
>>>>>>>> Visit the BBB and RPi2/3 web page - http://hamvoip.org
>>>>>>>>
>
> --
> 73 Jim
> La ciruela de Panamá
>
More information about the arm-allstar
mailing list
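An external port scan like the one Joe mentions shows what answers from outside; the complementary check is to read the rule file itself and list what it accepts. The following is an added example, not part of the thread or of the hamvoip distribution: it parses the rule lines quoted above from /etc/openvpn/firewall (embedded here as a sample) and compares them with the ports an operator says are needed. The function names and the TCP port used in the test are assumptions for illustration.

```python
import re

# Sample input: the rule lines quoted in the thread from /etc/openvpn/firewall.
RULES = """\
### Allow all Internet traffic for IAX2. Allow all ports from 4560 to 4590.
$IPTABLES -A INPUT -p udp --dport 4560:4590 -j ACCEPT
### Allow all Internet traffic for Echolink
$IPTABLES -A INPUT -p udp -m multiport --dport 5198,5199 -j ACCEPT
### Allow all Internet traffic for SIP
#$IPTABLES -A INPUT -p udp --dport 5060 -j ACCEPT
### Allow all Internet traffic for HTTP
#$IPTABLES -A INPUT -p tcp --dport 80 -j ACCEPT
### Allow all Internet traffic for OpenVPN
$IPTABLES -A INPUT -p udp --dport 1194 -j ACCEPT
$IPTABLES -A INPUT -i tun0 -j ACCEPT
"""

RULE_RE = re.compile(r"-A INPUT\b(?P<body>.*?)-j ACCEPT")

def open_ports(text):
    """Return ({(proto, port)}, {iface}) accepted by active INPUT rules."""
    ports, ifaces = set(), set()
    for line in text.splitlines():
        line = line.strip()
        m = None if line.startswith("#") else RULE_RE.search(line)
        if not m:  # comment, disabled rule, or not an ACCEPT rule
            continue
        body = m.group("body")
        proto = re.search(r"-p (\w+)", body)
        dport = re.search(r"--dports? (\S+)", body)
        iface = re.search(r"-i (\S+)", body)
        if proto and dport:
            for part in dport.group(1).split(","):  # multiport list
                lo, _, hi = part.partition(":")     # lo:hi range or single port
                ports.update((proto.group(1), p) for p in range(int(lo), int(hi or lo) + 1))
        elif iface:  # whole interface accepted, no port filter
            ifaces.add(iface.group(1))
    return ports, ifaces

def audit(text, needed):
    """Compare what the rules accept with the ports the operator needs."""
    ports, ifaces = open_ports(text)
    return {"extra": sorted(ports - set(needed)),
            "missing": sorted(set(needed) - ports),
            "ifaces": sorted(ifaces)}

if __name__ == "__main__":
    print(audit(RULES, [("udp", 4569)]))
```

With only UDP 4569 listed as needed, the "extra" list shows how much wider the 4560:4590 range is than the single IAX2 port mentioned in the thread.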