[OZAPRS] Re: [radio] Firewalls, Pinholes and Blocked IP's

Alex Colquitt alex at bywong.com
Thu Apr 28 09:51:22 EST 2005


Yes, well Hamish, Darryl, Chris,

I'm sure there'll be a lot of holes in the following and probably a lot of
reasons to change my evil ways, but this system works for me.

As I've always felt nobody outside of my network has a right to poke
around my ports, they'll stay blocked.  I leave forwarding access to the
information servers on my DMZ open, as I do for the LaBrea tarpit I run
for those insidious Gnutella and Kazaa scanners.  Outbound is open on
selected ports so there's no problem with my users accessing the rest of
the world. If it isn't work related... they shouldn't be there. Right?  

The logs show multiple port access from multiple source ports from the
same machines/subnets, so I'd say these are the results of a lot of Trojan
and worm traffic coming from nodes on 202, 218, 81, etc. It's easier for
me to block the subnet and pinhole 202 users who have a genuine need for
access or if I get a complaint from one of my users who's having trouble
accessing a site.  As soon as I blocked 202 and 81, the inbound traffic
dropped by 35% which, of course, freed up bandwidth for my outbound
users...  

Yes Chris, I used to have huge lists of specific blocked IP addresses
which I updated to the firewall on a daily basis.. And whois gets a good
beating too.

Too hard.. took too much time out of the day.  Now, at the very most, I do
a xxx.xxx.0.0/16 block and let the rest through.  Believe me, it's easier
to open the one-off address than maintaining long lists of blocked IP
addresses.  Also, I'll agree that ISC is a good resource, but it doesn't
reflect the traffic sources I see here.

As for APRS, all access is via RF....  The best firewall is air  :-)     

And Darryl... 20.30 is very accessible from my network.. Your blog read
well.. What aircraft do you have?  (Hmm, off topic, sorry)

Cheers,

Alex -VK1AC

ozaprs-request at marconi.ics.mq.edu.au wrote:

------------------------------

Message: 3
Date: Wed, 27 Apr 2005 14:32:26 +1000
From: Hamish Moffatt <hamish at cloud.net.au>
Subject: Re: [OZAPRS] Re: 202 Subnet
To: ozaprs at marconi.ics.mq.edu.au
Message-ID: <20050427043226.GA28049 at cloud.net.au>
Content-Type: text/plain; charset=us-ascii

On Wed, Apr 27, 2005 at 02:21:38PM +1000, Alex Colquitt wrote:
> Yep, 202 covers India too. I've just blocked the whole subnet at my
> firewall.
> They generate most of the net traffic in these parts.

202 & 203 can be all over Asia including Australia.
If you block all of 202 you will be blocking Australians.

Hamish
