<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 12pt;
font-family:Calibri
}
--></style></head>
<body class='hmmessage'><div dir='ltr'><font style="" color="#000000" face="Tahoma,sans-serif">Doing this in general in Allstar is frowned on, but I certainly understand doing it in some cases. If there was a general capability to do this and everyone decided who could connect to them, there would not be much of a network, would there? The other issue in all of this is you really can't stop it. For instance, all the opposing party has to do is connect through someone else that is connected to you. The best thing to do is tell them you don't want their connection!<br><br>That being said, I did make a Perl script that is called in the rc.updatenodelist file that extracts nodes you don't want before saving the file. It works, but I rarely if ever use it. Think twice about blocking people. I can see Echolink where it is the wild west, but Allstar is a different community.<br id="FontBreak"></font><br><b><font style="font-size:16pt;" size="4">73 Doug</font><font style="font-size:16pt;" size="4"><br></font><font style="font-size:16pt;" size="4">WA3DSP</font><font style="font-size:16pt;" size="4"><br></font><font style="font-size:16pt;" size="4">http://www.crompton.com/hamradio</font></b><font style="font-size:16pt;" size="4"><br></font><br><br><div>> Date: Wed, 2 Mar 2016 15:08:06 -0800<br>> To: arm-allstar@hamvoip.org<br>> Subject: Re: [arm-allstar] Restrict Inbound Connections by Node Number?<br>> From: arm-allstar@hamvoip.org<br>> CC: x-rad@frontier.com<br>> <br>> David McGough via arm-allstar wrote:<br>> ><br>> ><br>> > Joel brings up a good point that, if you don't need full public access to<br>> > your node, restrict access via firewall rules! The firewall rule update<br>> > code could be run from the rc.updatenodelist script as well, making<br>> > firewall changes as node IP addresses change.<br>> <br>> Hi David,<br>> <br>> That is what our asnode.org domain does and makes easy... it takes that same list from Allstar (every 5 minutes) and turns it into a DNS zone. 
We also do the reverse. If you look for a TXT record by IP, it will show you all the nodes running on that IP.<br>> <br>> So forward...<br>> dig a nodeid.asnode.org<br>> <br>> Reverse...<br>> dig txt x.x.x.x.asnode.org<br>> <br>> <br>> <br>> This allows you to ssh to a fixed hostname to connect to your box even if the IP changes.<br>> <br>> <br>> Finally, on the firewall discussion, I have at the very least blocked by region, i.e. only allow A-blocks assigned by ARIN. That takes out all the Chinese crackers looking for open IAX ports in hopes of finding Asterisk switches which will give them telco access to abuse for fraud. Just today our abuse desk here got another Nigerian scam where they are using US-based VoIP to appear to be a US University and "purchase items" on Net-30 terms.<br>> <br>> The one downside to that is ONCE I ran into a situation where a consumer ISP in the US was using RIPE IP ranges. This is because the world-wide pool of IPv4 addresses is being exhausted; some European (RIPE) and other ranges are being sold/leased to US organizations and are now being announced by ARIN-assigned ASNs and routed via BGP to the US. So far, I've seen this just once, where an ISP in the eastern part of the US was announcing/using a RIPE/European IP range which had an Allstar node on it that could not connect to us because of my blocking non-ARIN IPs. So we just added the entire range in the BGP announcement from that ISP to the ACCEPT list and fixed it. So far I've not run into this more than once.<br>> <br>> 73's<br>> Joel/N7GLV<br>> <br></div> </div></body>
</html>