Firewall Changes for HamWAN
Hello All!

Tonight myself and the other admins have spent some time working on improving the firewall implemented at our edge routers to help improve security and compliance, and I installed them on both edges a short time ago.

We are now at this point implementing a default block of traffic coming in from the internet at large, unless specifically exempted.

What does this mean for you?

1. For most things, you should not notice this change at all. Anything you request from your hamwan connection should work fine as the response will be related to your connection.
2. If you want to be able to reach a service you have on your hamwan connection from the internet at large, please let myself or another admin know, and we can add that to the known exceptions. This is a temporary state until we can get a web interface for managing your HamWAN DNS and firewall rules.
3. If you do notice any problems, please reach out to us. The best is via the #hamwan channel on irc.freenode.net, but email will work as well.

Thanks,
Nigel K7NVH
As an update, the inbound filtering was turned off since it caused problems. We're looking into doing things differently now.

Also, I would re-phrase "If you want to be able to reach a service" to just "let us know what firewall rules you'd like for your subnet/IP". If you want to define ranges of ports and stuff, that's fine. Work is on-going to automate this too, so you won't need to reach out to puny humans.

--Bart

On 4/24/2014 10:14 PM, Nigel Vander Houwen wrote:
Hello All!
Tonight myself and the other admins have spent some time working on improving the firewall implemented at our edge routers to help improve security and compliance, and I installed them on both edges a short time ago.
We are now at this point implementing a default block of traffic coming in from the internet at large, unless specifically exempted.
What does this mean for you?

1. For most things, you should not notice this change at all. Anything you request from your hamwan connection should work fine as the response will be related to your connection.
2. If you want to be able to reach a service you have on your hamwan connection from the internet at large, please let myself or another admin know, and we can add that to the known exceptions. This is a temporary state until we can get a web interface for managing your HamWAN DNS and firewall rules.
3. If you do notice any problems, please reach out to us. The best is via the #hamwan channel on irc.freenode.net, but email will work as well.
Thanks,
Nigel K7NVH
I sent this to Nigel, but for the record for 44.24.240.173 (I think you'll have more work to do than I will, if my IP address changes):

1. Inbound established connections: ALLOW
2. Inbound related connections: ALLOW
3. Inbound from 44.0.0.0/8: ALLOW
4. Inbound from 209.59.217.159: ALLOW
5. Inbound, the rest: BLACKHOLE

Outbound: ALLOW

No urgency.

-- Dean

On 2014-04-25 12:04, Bart Kus wrote:
As an update, the inbound filtering was turned off since it caused problems. We're looking into doing things differently now.
Also, I would re-phrase "If you want to be able to reach a service" to just "let us know what firewall rules you'd like for your subnet/IP". If you want to define ranges of ports and stuff, that's fine. Work is on-going to automate this too, so you won't need to reach out to puny humans.
--Bart
On 4/24/2014 10:14 PM, Nigel Vander Houwen wrote:
Hello All!
Tonight myself and the other admins have spent some time working on improving the firewall implemented at our edge routers to help improve security and compliance, and I installed them on both edges a short time ago.
We are now at this point implementing a default block of traffic coming in from the internet at large, unless specifically exempted.
What does this mean for you?
1. For most things, you should not notice this change at all. Anything you request from your hamwan connection should work fine as the response will be related to your connection.
2. If you want to be able to reach a service you have on your hamwan connection from the internet at large, please let myself or another admin know, and we can add that to the known exceptions. This is a temporary state until we can get a web interface for managing your HamWAN DNS and firewall rules.
3. If you do notice any problems, please reach out to us. The best is via the #hamwan channel on irc.freenode.net, but email will work as well.
Thanks, Nigel K7NVH
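
The rule list Dean posted for 44.24.240.173, modelled as a first-match stateful filter. This is an added example, not part of the thread and not HamWAN's router configuration. The `Firewall` class, its simplified flow tracking, and the 198.51.100.7 and 44.24.241.5 sample addresses are constructed for illustration.

```python
import ipaddress

# Inbound rules in the order posted for 44.24.240.173; first match wins.
INBOUND_RULES = [
    ("state", "established", "ALLOW"),
    ("state", "related", "ALLOW"),
    ("src", ipaddress.ip_network("44.0.0.0/8"), "ALLOW"),
    ("src", ipaddress.ip_network("209.59.217.159/32"), "ALLOW"),
]
DEFAULT_INBOUND = "BLACKHOLE"  # everything else is dropped


class Firewall:
    """Toy stateful filter (hypothetical): remembers flows the host opened."""

    def __init__(self):
        self.flows = set()  # (proto, local_port, remote_ip, remote_port)

    def outbound(self, proto, sport, dst, dport):
        # Outbound: ALLOW. Record the flow so replies count as established.
        self.flows.add((proto, sport, str(ipaddress.ip_address(dst)), dport))
        return "ALLOW"

    def state_of(self, proto, src, sport, dport, related_to=None):
        if (proto, dport, str(src), sport) in self.flows:
            return "established"
        # Simplified "related": e.g. an ICMP error that refers to a tracked flow.
        if related_to in self.flows:
            return "related"
        return "new"

    def inbound(self, proto, src, sport, dport, related_to=None):
        src = ipaddress.ip_address(src)
        state = self.state_of(proto, src, sport, dport, related_to)
        for kind, value, verdict in INBOUND_RULES:
            if kind == "state" and state == value:
                return verdict
            if kind == "src" and src in value:
                return verdict
        return DEFAULT_INBOUND


if __name__ == "__main__":
    fw = Firewall()
    fw.outbound("tcp", 50000, "198.51.100.7", 443)  # constructed addresses
    print(fw.inbound("tcp", "198.51.100.7", 443, 50000))   # reply to our flow
    print(fw.inbound("tcp", "198.51.100.7", 40000, 22))    # unsolicited
    print(fw.inbound("tcp", "44.24.241.5", 40000, 22))     # from 44.0.0.0/8
```

Because the state rules come first, replies to connections the host opened are accepted regardless of source, while unsolicited traffic from outside the two allowed sources falls through to the default drop.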