The only firewall rules I've done on the MikroTik are for the persistent hackers which show up in the logs. For specific ports and protocols, I expect something like this would be a start:

# RouterOS filter rules dropping TCP ports that normally carry encrypted protocols.
# chain=input matches only traffic addressed to the router itself; traffic passing through the router is matched in chain=forward.
# port= matches either the source or the destination port; dst-port= matches the destination port only.
/ip firewall filter add action=drop chain=input comment="reject ssh" disabled=no port=22 protocol=tcp
/ip firewall filter add action=drop chain=input comment="reject https" disabled=no port=443 protocol=tcp
/ip firewall filter add action=drop chain=input comment="reject ftps-data" disabled=no port=989 protocol=tcp
/ip firewall filter add action=drop chain=input comment="reject ftps" disabled=no port=990 protocol=tcp
/ip firewall filter add action=drop chain=input comment="reject telnets" disabled=no port=992 protocol=tcp
/ip firewall filter add action=drop chain=input comment="reject imaps" disabled=no port=993 protocol=tcp
/ip firewall filter add action=drop chain=input comment="reject pop3s" disabled=no port=995 protocol=tcp

Has anyone experimented with this and has a more complete set of rules?

Thanks,
Steve

John D. Hays wrote on 3/16/21 9:09 AM:
Put a firewall filter for in for ports and protocols using encryption.
On Tue, Mar 16, 2021, 08:42 Steve - WA7PTM <psdr-list@aberle.net> wrote:
Thanks Aaron. I fully understand what SSL/TLS is, but am trying to zero in on how to avoid it on my HamWAN connection. Unfortunately, the sneaky protocol translations on the back end will only continue, and we just need to know which software to stop using when things are not obvious on the front end.
Steve
Aaron Taggert wrote on 3/16/21 8:26 AM:
On the authentication/integrity side... FCC says no encryption so we can all hear what you're on about. Ham would not be much fun if all you heard was encrypted pseudo noise. SSL/TLS authentication is a bit like me sending you a list of 100 words and asking you to tell me word 45. Everything is in the clear, but I can authenticate that whoever is at the other end at least has the right list. Another SSL/TLS feature is integrity, meaning the whole message is received. That would be like saying I sent 3421 characters in CW and 786 of them were vowels. Again everybody can hear what we're saying, but it would be difficult to impersonate the sender (or receiver) or change the message.
On Tue, Mar 16, 2021, 6:32 AM Steve - WA7PTM <psdr-list@aberle.net> wrote:
If we separate Winlink (the system) from Winlink Express (the client program), is an SSL connection also the case with the other six clients listed on the https://winlink.org/ClientSoftware page when used in telnet mode?
Steve
Scott Currie wrote on 3/15/21 10:06 PM:
Yeah, I discussed this with the WDT, and the issue with using HamWAN or AREDN. I had asked if we could force a non-SSL connection to the CMS. They have been under pressure from AWS to switch to all SSL connections, so they had to make the change. They did commit to leaving the client or gateway connection to RMS Relay as non-SSL, so that is why we have suggested having a regional instance of RMS Relay on HamWAN that the RMS Gateways and clients could point to. The backend of the RMS Relay would then connect to the CMS over SSL on a hardened Internet connection (like at a county EOC or the State EOC), or even HF forwarding if the Internet is down.
-Scott
On Mon, Mar 15, 2021 at 9:41 PM Stephen Kangas <stephen@kangas.com> wrote:
Scott, thanks for that update, interesting. “Telnet” is a misnomer in this WinLink instance, as that port 22 protocol is historically and normally unencrypted, and widely understood in the industry as such (whereas SSH is encrypted). It looks like the email client is connecting locally to an RMS Relay in that mode, which then connects to the CMS on the internet.
--Stephen W9SK
From: PSDR <psdr-bounces@hamwan.org> On Behalf Of Scott Currie
Sent: Monday, March 15, 2021 5:56 PM
To: Puget Sound Data Ring <psdr@hamwan.org>
Subject: Re: [HamWAN PSDR] Newbie
This is not entirely true. Winlink does use TLS/SSL connections for some things. The normal telnet connection is now SSL (will fallback to non-SSL if the connection fails). Also, RMS Gateway to the CMS is now SSL. Telnet P2P and telnet to RMS Relay is not SSL. I believe updates are also SSL now.
Winlink Express Link Test:
Test started 2021/03/16 00:52 UTC
Testing CMS telnet connection to cms.winlink.org through port 8772...
Successfully connected to a CMS through port 8772 in 253 Milliseconds
Testing CMS SSL telnet connection to cms.winlink.org through port 8773...
Successfully connected to a CMS through port 8773 in 311 Milliseconds
Testing API service access through port 443 to api.winlink.org...
Successfully performed API service to api.winlink.org through port 443 in 756 Milliseconds
Testing Autoupdate server access through port 443 to autoupdate2.winlink.org...
Successfully checked autoupdate server through port 443 in 439 Milliseconds
Testing connection to web site - www.winlink.org:443
Successfully connected to www.winlink.org through port 443 in 47 Milliseconds
Testing FTP connection to SFI site - ftp://ftp.swpc.noaa.gov/pub/latest/SGAS.txt Successfully connected to ftp://ftp.swpc.noaa.gov/pub/latest/SGAS.txt through port 20/21 in 1522 Milliseconds
Test completed successfully.
-Scott, NS7C
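The firewall rules and the "filter by port" suggestion earlier in the thread key on well-known port numbers, but Scott's link test shows the CMS SSL telnet connection on port 8773, which no standard TLS-port list covers. The script below is an added example, not code from the thread, from Winlink or from MikroTik: it recognises a TLS ClientHello from the first bytes of a TCP payload regardless of port and pulls out the SNI host name, so an operator can see which encrypted services clients behind a HamWAN router are actually reaching. FILTERED_PORTS is the port list from Steve's rules; the sample flows, the plain-text greeting and the ClientHello bytes are constructed here for illustration and are not captured Winlink traffic.

```python
"""Port-independent detection of TLS handshakes in TCP payloads.

A port list (tcp/22, 443, 989, 990, 992, 993, 995) misses TLS on
non-standard ports such as the Winlink CMS SSL telnet port 8773. This
classifier inspects the first bytes of a TCP payload for a TLS record
carrying a ClientHello and extracts the Server Name Indication (SNI).
"""
import struct

TLS_HANDSHAKE = 0x16          # TLS record content type: handshake
CLIENT_HELLO = 0x01           # handshake message type: ClientHello
EXT_SERVER_NAME = 0x0000      # extension type: server_name (SNI)
TLS_VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2/1.3"}

# Ports the port-based filter earlier in the thread would cover.
FILTERED_PORTS = {22, 443, 989, 990, 992, 993, 995}


def _extract_sni(body):
    """Walk a ClientHello body to its extensions and return the SNI host name, or None."""
    try:
        pos = 2 + 32                                           # client_version + random
        pos += 1 + body[pos]                                   # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + body[pos]                                   # compression_methods
        if pos + 2 > len(body):
            return None                                        # no extensions block
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = min(pos + ext_len, len(body))
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            edata = body[pos:pos + elen]
            pos += elen
            # edata = list_len(2) + name_type(1, 0 = host_name) + name_len(2) + name
            if etype == EXT_SERVER_NAME and len(edata) >= 5 and edata[2] == 0:
                name_len = struct.unpack("!H", edata[3:5])[0]
                return edata[5:5 + name_len].decode("ascii", "replace")
    except (IndexError, struct.error):
        return None                                            # truncated or malformed
    return None


def classify_payload(payload):
    """Return {'tls': bool, 'version': str|None, 'sni': str|None} for one TCP payload."""
    info = {"tls": False, "version": None, "sni": None}
    if len(payload) < 9 or payload[0] != TLS_HANDSHAKE:
        return info
    record_version, record_len = struct.unpack("!HH", payload[1:5])
    if record_version not in TLS_VERSIONS or payload[5] != CLIENT_HELLO:
        return info
    info["tls"] = True
    body = payload[9:5 + record_len]                           # skip 4-byte handshake header
    if len(body) >= 2:
        info["version"] = TLS_VERSIONS.get(struct.unpack("!H", body[:2])[0], "unknown")
    info["sni"] = _extract_sni(body)
    return info


def audit(flows):
    """flows: iterable of (dst_port, first_client_payload). Returns (port, verdict, sni) tuples."""
    findings = []
    for port, payload in flows:
        info = classify_payload(payload)
        if not info["tls"]:
            verdict = "no TLS handshake seen"
        elif port in FILTERED_PORTS:
            verdict = "TLS on filtered port"
        else:
            verdict = "TLS on unfiltered port"
        findings.append((port, verdict, info["sni"]))
    return findings


def build_client_hello(server_name):
    """Constructed test input: a minimal ClientHello with one cipher suite and an SNI extension."""
    name = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name      # host_name type + name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (b"\x03\x03" + bytes(32)          # client_version, all-zero random (constructed)
            + b"\x00"                        # empty session_id
            + b"\x00\x02\x13\x01"            # one cipher suite, TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                    # null compression only
            + extensions)
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake


# Constructed sample flows: a plain-text greeting on 8772, TLS on 8773 and 443.
SAMPLE_FLOWS = [
    (8772, b"Callsign :\r\n"),
    (8773, build_client_hello("cms.winlink.org")),
    (443, build_client_hello("api.winlink.org")),
]

if __name__ == "__main__":
    for port, verdict, sni in audit(SAMPLE_FLOWS):
        print(f"tcp/{port:<5} {verdict:<24} sni={sni}")
```

To use it on real traffic, feed audit() the destination port and the first client-to-server TCP payload of each flow from a capture taken on the HamWAN-facing interface; anything reported as "TLS on unfiltered port" is a candidate for an additional drop rule, and the SNI tells you which service the client was reaching. The parser is deliberately tolerant of truncated records: a ClientHello cut short is still reported as TLS, just without a host name.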