[OZAPRS] Re: [radio] Firewalls, Pinholes and Blocked IP's

Sergey Burjak vk4bsb at systech.com.au
Thu Apr 28 18:10:54 EST 2005


Gentlemen, 
 
I have to disagree with this approach. 
 
A lot of people have dynamic IPs and, as such, you can't predict what range
they are in. I have Bigpond cable which has made radical jumps from 203.xx
to 144.xx and back again in one night.
 
A better way to identify people who want to abuse you is to have a
reactive firewall which will block a port and IP address after a fixed
number of unsuccessful attempts, typically 2. This of course would need to
be cleared every now and then as the data would become stale after a
while. If you wanted to block OS probes you could leave the addresses
there, but most OZ ISPs have reusable, dynamic IPs. If you don't, you'll
find yourself with an ever decreasing number of friends.
 
You don't free up any bandwidth to users by blocking IPs; they will still
scan and probe and use your bandwidth. If someone wanted to launch a
Denial of Service attack on you, they just hammer your machine, blocked or
not, and it will saturate your link very easily. What's worse is, if you're on
a metered connection, you pay for the traffic regardless.
 
 
My 2 cents worth.
 
Serge
VK4SB
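As an added illustration of the reactive firewall Serge describes (this is example code added to the archive, not code from the post or from any product he mentions): a source is blocked once it reaches a fixed number of failed attempts, and the block is cleared after a time-to-live so that a reused dynamic address is not punished forever. The log format, thresholds and addresses below are all constructed for the example.

```python
"""Reactive blocking: block a source after a fixed number of failed attempts,
and expire the block so that a reused dynamic address is released again.
Added example; the log format and the addresses (RFC 5737) are constructed."""
import re
from ipaddress import ip_address

# Constructed sample log: "<epoch-seconds> <source-ip> <FAIL|OK>" per line.
# 203.0.113.7 fails three times in a row, then reappears much later
# (a dynamic address, quite possibly a different subscriber by then).
SAMPLE_LOG = """\
1000 203.0.113.7 FAIL
1005 203.0.113.7 FAIL
1010 203.0.113.7 FAIL
1020 198.51.100.9 FAIL
1030 198.51.100.9 OK
5000 203.0.113.7 OK
"""

LINE_RE = re.compile(r"^(\d+) (\S+) (FAIL|OK)$")


class ReactiveBlocker:
    def __init__(self, threshold=2, fail_window=600, block_ttl=3600):
        self.threshold = threshold      # failures before a block ("typically 2")
        self.fail_window = fail_window  # only failures this recent are counted
        self.block_ttl = block_ttl      # seconds after which a block is cleared as stale
        self.failures = {}              # ip -> [timestamps of recent failures]
        self.blocks = {}                # ip -> epoch at which the block expires

    def _expire(self, now):
        # Drop stale blocks so a reused dynamic IP is not blocked forever.
        for ip in [ip for ip, until in self.blocks.items() if until <= now]:
            del self.blocks[ip]

    def observe(self, now, ip, ok):
        """Return the decision for one attempt: accept, fail, block or drop."""
        ip_address(ip)  # raise on a malformed address rather than track garbage
        self._expire(now)
        if ip in self.blocks:
            return "drop"           # already blocked: attempt never reaches the service
        if ok:
            self.failures.pop(ip, None)
            return "accept"
        recent = [t for t in self.failures.get(ip, []) if now - t <= self.fail_window]
        recent.append(now)
        if len(recent) >= self.threshold:
            self.blocks[ip] = now + self.block_ttl
            self.failures.pop(ip, None)
            return "block"          # this attempt triggers the block
        self.failures[ip] = recent
        return "fail"               # a failed attempt, still below the threshold


def replay(log_text, **kwargs):
    """Feed each log line to a ReactiveBlocker and return (time, ip, decision)."""
    blocker = ReactiveBlocker(**kwargs)
    decisions = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not match the constructed format
        now, ip, result = int(m.group(1)), m.group(2), m.group(3)
        decisions.append((now, ip, blocker.observe(now, ip, result == "OK")))
    return decisions


if __name__ == "__main__":
    for entry in replay(SAMPLE_LOG):
        print(*entry)
```

Note that the "drop" decision is taken on the host: the packet has already crossed the link, which is Serge's point about bandwidth. Shortening `block_ttl` (or raising `fail_window`) is the trade-off between catching persistent probes and not locking out whoever gets the address next.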
 
---------------------------------------------------------------------------
 
Yes, well Hamish, Darryl, Chris,

I'm sure there'll be a lot of holes in the following and probably a lot of
reasons to change my evil ways, but this system works for me.

As I've always felt nobody outside of my network has a right to poke
around my ports, they'll stay blocked.  I leave forwarding access to the
information servers on my DMZ open, as I do for the LaBrea tarpit I run
for those insidious Gnutella and Kazaa scanners.  Outbound is open on
selected ports so there's no problem with my users accessing the rest of
the world. If it isn't work related... they shouldn't be there. Right?

The logs show multiple port access from multiple source ports from the
same machines/subnets, so I'd say there's the result of a lot of Trojan
and worm traffic coming from nodes on 202, 218, 81, etc. It's easier for
me to block the subnet and pinhole 202 users who have a genuine need for
access, or if I get a complaint from one of my users who's having trouble
accessing a site.  As soon as I blocked 202 and 81, the inbound traffic
dropped by 35% which, of course, freed up bandwidth for my outbound
users...

Yes Chris, I used to have huge lists of specific blocked IP addresses
which I updated to the firewall on a daily basis.  And whois gets a good
beating too.

Too hard... took too much time out of the day.  Now, at the very most, I do
a xxx.xxx.0.0/16 block and let the rest through.  Believe me, it's easier
to open the one-off address than maintaining long lists of blocked IP
addresses.  Also, I'll agree that ISC is a good resource, but it doesn't
reflect the traffic sources I see here.

As for APRS, all access is via RF...  The best firewall is air  :-)

And Darryl... 20.30 is very accessible from my network.  Your blog read
well.  What aircraft do you have?  (Hmm, off topic, sorry)

Cheers,

Alex -VK1AC
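As an added illustration of the /16 block plus pinhole Alex describes (example code added to the archive, not code from the post or from his firewall): with first-match semantics, as in an iptables chain, the pinhole only works if it is listed before the block that covers it, and the check below finds rules that an earlier rule has silently shadowed. The rule set and the addresses (RFC 5737 ranges) are constructed for the example.

```python
"""Coarse /16 block with a pinhole, evaluated first-match-wins as an iptables
chain would. Added example; the rule set and addresses are constructed."""
from ipaddress import ip_address, ip_network

# Constructed rule set. Order matters: the pinhole must precede the block.
RULES = [
    ("allow", "198.51.100.42/32"),  # pinhole: one genuine user inside the blocked /16
    ("deny",  "198.51.0.0/16"),     # the coarse xxx.xxx.0.0/16 block
    ("allow", "0.0.0.0/0"),         # everything else reaches the forwarded DMZ services
]


def compile_rules(rules):
    """Parse CIDR strings once; strict=True rejects a network with host bits set."""
    return [(action, ip_network(cidr, strict=True)) for action, cidr in rules]


def evaluate(compiled, src):
    """Return the action for a source address under first-match semantics."""
    addr = ip_address(src)
    for action, net in compiled:
        if addr in net:
            return action
    return "deny"  # no rule matched: inbound is closed by default


def shadowed_rules(compiled):
    """Return (i, j) pairs where rule j can never fire because an earlier rule i
    already covers its whole network, e.g. a pinhole listed after its /16 block."""
    found = []
    for j, (_, net_j) in enumerate(compiled):
        for i in range(j):
            if net_j.subnet_of(compiled[i][1]):
                found.append((i, j))
                break
    return found


def classify(compiled, sources):
    """Count decisions over a batch of source addresses, e.g. pulled from the logs."""
    counts = {"allow": 0, "deny": 0}
    for src in sources:
        counts[evaluate(compiled, src)] += 1
    return counts


if __name__ == "__main__":
    good = compile_rules(RULES)
    bad = compile_rules([RULES[1], RULES[0], RULES[2]])  # block listed before pinhole
    print("pinhole, correct order:", evaluate(good, "198.51.100.42"))
    print("pinhole, wrong order:  ", evaluate(bad, "198.51.100.42"))
    print("shadowed rules in wrong order:", shadowed_rules(bad))
```

Running `shadowed_rules` before loading a rule set catches the case where a one-off address is added below the /16 that blocks it and quietly does nothing; that is also the mechanism for letting through the Australians Hamish notes are mixed into 202 and 203.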

ozaprs-request at marconi.ics.mq.edu.au wrote:

------------------------------

Message: 3
Date: Wed, 27 Apr 2005 14:32:26 +1000
From: Hamish Moffatt <hamish at cloud.net.au>
Subject: Re: [OZAPRS] Re: 202 Subnet
To: ozaprs at marconi.ics.mq.edu.au
Message-ID: <20050427043226.GA28049 at cloud.net.au>
Content-Type: text/plain; charset=us-ascii

On Wed, Apr 27, 2005 at 02:21:38PM +1000, Alex Colquitt wrote:

> Yep, 202 covers India too. I've just blocked the whole subnet at my
> firewall.
> They generate most of the net traffic in these parts.

202 & 203 can be all over Asia including Australia.
If you block all of 202 you will be blocking Australians.

Hamish
