[OZAPRS] Re: [radio] Firewalls, Pinholes and Blocked IP's

Geoff ggatward at iinet.net.au
Fri Apr 29 16:33:02 EST 2005


I would agree that blocking an entire subnet (especially a class A) is not
the best idea...

We implemented IP filtering on the box hosting the APRS web pages and
first.aprs.net.au after the last break-in to the box.  We are now running
the snort IDS (Intrusion Detection System) with hooks to the Guardian
firewall updating scripts.  Won't go into too much detail here, as it is
rather off-topic, but it monitors all network activity, and if it sees a
known exploit string, portscan or any other potentially malicious data
coming to our address the source IP is blocked.

We could block the whole 202 range, but then the web pages would be
unreachable to most of VK !

Anyway, speaking of IP addresses and the aprs.net.au site, we will be
CHANGING IP ADDRESS over the weekend.

This change should be relatively transparent, however there may be a
period where the DNS resolutions point to the old (current) address which
will not have anything listening.

Should be all back to normal by the end of the weekend....

Regards

Geoff  VK2XJG



-- 
Open WebMail Project (http://openwebmail.org)


---------- Original Message ----------- 
From: "Sergey Burjak" <vk4bsb at systech.com.au> 
To: ozaprs at marconi.ics.mq.edu.au 
Sent: Thu, 28 Apr 2005 18:10:54 +1000 
Subject: [OZAPRS] Re: [radio] Firewalls, Pinholes and Blocked IP's 

> Gentlemen, 
>   
> I have to disagree with this approach. 
>   
> A lot of people have dynamic IPs and such you can't predict what range
> they are in. I have Bigpond cable which has made radical jumps from 203.xx
> to 144.xx and back again in one night.
>   
> A better way to identify people who want to abuse you is to have a
> reactive firewall which will block a port and IP address after a fixed
> number of unsuccessful attempts, typically 2. This of course would need to
> be cleared every now and then as the data would become stale after a
> while. If you wanted to block OS probes you could leave the addresses
> there, but most OZ ISPs have reusable, dynamic IPs. If you don't, you'll
> find yourself in an ever decreasing number of friends.
>   
> You don't free up any bandwidth to users by blocking IPs, they will
> still scan and probe and use your bandwidth. If someone wanted to launch a
> Denial of Service attack on you, they just hammer your machine, blocked or
> not, it will saturate your link very easily. What's worse is, if you're on
> a metered connection, you pay for the traffic regardless.
>   
>   
> My 2 cents worth. 
>   
> Serge 
> VK4SB 
>   
> ---------------------------------------------------------------------------
>
> Yes, well Hamish, Darryl, Chris,
>
> I'm sure there'll be a lot of holes in the following and probably a lot
> of reasons to change my evil ways, but this system works for me.
>
> As I've always felt nobody outside of my network has a right to poke
> around my ports, they'll stay blocked.  I leave forwarding access to the
> information servers on my DMZ open, as I do for the LaBrea tarpit I run
> for those insidious Gnutella and Kazza scanners.  Outbound is open on
> selected ports so there's no problem with my users accessing the rest of
> the world. If it isn't work related... they shouldn't be there. Right?
>
> The logs show multiple port access from multiple source ports from the
> same machines/subnets, so I'd say there's the results of a lot of Trojan
> and worm traffic coming from nodes on 202, 218, 81, etc. It's easier for
> me to block the subnet and pinhole 202 users who have a genuine need for
> access or if I get a complaint from one of my users who's having trouble
> accessing a site.  As soon as I blocked 202 and 81, the inbound traffic
> dropped by 35% which, of course, freed up bandwidth for my outbound
> users...
>
> Yes Chris, I used to have huge lists of specific blocked IP addresses
> which I updated to the firewall on a daily basis..  And whois gets a good
> beating too.
>
> Too hard.. took too much time out of the day.  Now, at the very most, I
> do a xxx.xxx.0.0/16 block and let the rest through.  Believe me, it's
> easier to open the one-off address than maintaining long lists of blocked
> IP addresses.  Also, I'll agree that ISC is a good resource, but it
> doesn't reflect the traffic sources I see here.
>
> As for APRS, all access is via RF....  The best firewall is air  :-)
>
> And Darryl... 20.30 is very accessible from my network.. Your blog read
> well.. What aircraft do you have?  (Hmm, off topic, sorry)
>
> Cheers,
>
> Alex -VK1AC
>
> ozaprs-request at marconi.ics.mq.edu.au wrote:

> ------------------------------
>
> Message: 3
> Date: Wed, 27 Apr 2005 14:32:26 +1000
> From: Hamish Moffatt <hamish at cloud.net.au>
> Subject: Re: [OZAPRS] Re: 202 Subnet
> To: ozaprs at marconi.ics.mq.edu.au
> Message-ID: <20050427043226.GA28049 at cloud.net.au>
> Content-Type: text/plain; charset=us-ascii
>
> On Wed, Apr 27, 2005 at 02:21:38PM +1000, Alex Colquitt wrote:
> > Yep, 202 covers India too. I've just blocked the whole subnet at my
> > firewall.
> > They generate most of the net traffic in these parts.
>
> 202 & 203 can be all over Asia including Australia.
> If you block all of 202 you will be blocking Australians.
>
> Hamish

------- End of Original Message ------- 
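Serge's suggestion above (a reactive firewall that blocks an address after a fixed number of failed attempts, typically 2, and clears the entry again once the data goes stale so reused dynamic IPs are not punished forever), as an added example that is not part of the thread: a small Python model of the count/block/expire logic replayed over constructed sshd-style log lines. The log lines, the addresses (documentation ranges), the 10-minute failure window and the 1-hour block lifetime are all assumptions; a real deployment would hand the block decisions to the firewall script instead of returning them.

```python
import re
from datetime import datetime, timedelta

# Constructed sample auth log (sshd-style syslog lines carry no year; 2005 is assumed).
SAMPLE_LOG = """\
Apr 28 18:01:02 first sshd[2101]: Failed password for root from 203.0.113.10 port 41022 ssh2
Apr 28 18:01:05 first sshd[2101]: Failed password for root from 203.0.113.10 port 41023 ssh2
Apr 28 18:02:10 first sshd[2110]: Failed password for admin from 198.51.100.7 port 50011 ssh2
Apr 28 18:03:00 first sshd[2115]: Accepted password for geoff from 192.0.2.5 port 51000 ssh2
Apr 28 19:30:00 first sshd[2200]: Failed password for admin from 198.51.100.7 port 50020 ssh2
"""
FAIL_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for \S+ from (\S+) port")


class ReactiveBlocklist:
    """Block an IP after `threshold` failures inside `window`; the block lapses after `ttl`."""
    def __init__(self, threshold=2, window=timedelta(minutes=10), ttl=timedelta(hours=1)):
        self.threshold, self.window, self.ttl = threshold, window, ttl
        self.failures = {}   # ip -> timestamps of failures still inside the window
        self.blocked = {}    # ip -> time at which the block expires

    def expire(self, now):
        """Drop stale failures and lapsed blocks so a reused dynamic IP is not punished forever."""
        fresh = {ip: [t for t in ts if now - t <= self.window] for ip, ts in self.failures.items()}
        self.failures = {ip: ts for ip, ts in fresh.items() if ts}
        self.blocked = {ip: until for ip, until in self.blocked.items() if now < until}

    def observe_failure(self, ip, now):
        """Record one failed attempt; returns True only when this attempt starts a new block."""
        self.expire(now)
        if ip in self.blocked:
            return False
        self.failures.setdefault(ip, []).append(now)
        if len(self.failures[ip]) < self.threshold:
            return False
        self.blocked[ip] = now + self.ttl
        del self.failures[ip]
        return True


def process_log(text, year=2005, **kw):
    """Replay log lines; returns (block events as (ip, time), blocks still active at the end)."""
    bl, events = ReactiveBlocklist(**kw), []
    for line in text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue                       # successful logins and unrelated lines are ignored
        now = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        if bl.observe_failure(m.group(2), now):
            events.append((m.group(2), now))
    return events, dict(bl.blocked)
```

With the sample log, 203.0.113.10 is blocked on its second failure and the block has already lapsed by the last line, while 198.51.100.7 is never blocked because its two failures are more than a window apart.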
