[HamWAN PSDR] Avoiding encryption (was Newbie)

Tue Mar 16 09:41:16 PDT 2021

The only firewall rules I've done on the MikroTik are for the persistent 
hackers which show up in the logs.  For specific ports and protocols, I 
expect something like this would be a start:

/ip firewall filter add action=drop chain=input comment="reject ssh" 
disabled=no port=22 protocol=tcp
/ip firewall filter add action=drop chain=input comment="reject https" 
disabled=no port=443 protocol=tcp
/ip firewall filter add action=drop chain=input comment="reject 
ftps-data" disabled=no port=989 protocol=tcp
/ip firewall filter add action=drop chain=input comment="reject ftps" 
disabled=no port=990 protocol=tcp
/ip firewall filter add action=drop chain=input comment="reject telnets" 
disabled=no port=992 protocol=tcp
/ip firewall filter add action=drop chain=input comment="reject imaps" 
disabled=no port=993 protocol=tcp
/ip firewall filter add action=drop chain=input comment="reject pop3s" 
disabled=no port=995 protocol=tcp

Has anyone experimented with this and have a more complete set of rules?

Thanks,
Steve

John D. Hays wrote on 3/16/21 9:09 AM:
> Put a firewall filter for in for ports and protocols using encryption.
> 
> On Tue, Mar 16, 2021, 08:42 Steve - WA7PTM<psdr-list at aberle.net>  wrote:
> 
>> Thanks Aaron.  I fully understand what SSL/TLS is, but am trying to zero
>> in on how to avoid it on my HamWAN connection.  Unfortunately, the
>> sneaky protocol translations on the back end will only continue, and we
>> just need to be know which software to stop using when things are not
>> obvious on the front end.
>>
>> Steve
>>
>>
>> Aaron Taggert wrote on 3/16/21 8:26 AM:
>>> On the authentication/integrity side... FCC says no encryption so we can
>>> all hear what you're on about. Ham would not be much fun if all you heard
>>> was encrypted pseudo noise. SSL/TLS authentication is a bit like me
>> sending
>>> you a list of 100 words and asking you to tell me word 45. Everything is
>> in
>>> the clear, but I can authenticate that whomever is at the other end at
>>> least has the right list. Another SSL/TLS feature is integrity, meaning
>> the
>>> whole message is received. They would be like saying I sent 3421
>> characters
>>> CW 786 of them were vowels. Again everybody can hear what we're saying
>> but
>>> it would be difficult to impersonate the sender (or receiver) or change
>> the
>>> message.
>>>
>>> On Tue, Mar 16, 2021, 6:32 AM Steve - WA7PTM<psdr-list at aberle.net>
>> wrote:
>>>> If we separate Winlink (the system) from Winlink Express (the client
>>>> program), is a SSL connection also the case with the other six clients
>>>> listed on thehttps://winlink.org/ClientSoftware  page when used in
>>>> telnet mode?
>>>>
>>>> Steve
>>>>
>>>>
>>>> Scott Currie wrote on 3/15/21 10:06 PM:
>>>>> Yeah, I discussed this with the WDT, and the issue with using HamWAN or
>>>>> ARDEN. I had asked if we could force a non-SSL connection to the CMS.
>>>> They
>>>>> have been under pressure from AWS to switch to all SSL connections, so
>>>> they
>>>>> had to make the change. They did commit to leaving the client or
>> gateway
>>>>> connection to RMS Relay as non-SSL, so that is why we have suggested
>>>> having
>>>>> a regional instance of RMS Relay on HamWAN that the RMS Gateways and
>>>>> clients could point to. Backend of the RMS Relay would then connect to
>>>> the
>>>>> CMS over SSL on a hardened Internet connection (like at a county EOC or
>>>> the
>>>>> State EOC), or even HF forwarding if the Internet is down.
>>>>>
>>>>> -Scott
>>>>>
>>>>> On Mon, Mar 15, 2021 at 9:41 PM Stephen Kangas<stephen at kangas.com>
>>>> wrote:
>>>>>> Scott, thanks for that update, interesting.  “Telnet” is a misnomer in
>>>>>> this WinLink instance, as that port 22 protocol is historically and
>>>>>> normally unencrypted, and widely understood in the industry as such
>>>>>> (whereas SSH is encrypted).   It looks like the email client is
>>>> connecting
>>>>>> locally to an RMS Relay in that mode, which then connects to the CMS
>> on
>>>> the
>>>>>> internet.
>>>>>>
>>>>>>
>>>>>>
>>>>>> --Stephen W9SK
>>>>>>
>>>>>>
>>>>>>
>>>>>> *From:* PSDR<psdr-bounces at hamwan.org>  *On Behalf Of *Scott Currie
>>>>>> *Sent:* Monday, March 15, 2021 5:56 PM
>>>>>> *To:* Puget Sound Data Ring<psdr at hamwan.org>
>>>>>> *Subject:* Re: [HamWAN PSDR] Newbie
>>>>>>
>>>>>>
>>>>>>
>>>>>> This is not entirely true. Winlink does use TLS/SSL connections for
>> some
>>>>>> things. The normal telnet connection is now SSL (will fallback to
>>>> non-SSL
>>>>>> if the connection fails). Also, RMS Gateway to the CMS is now SSL.
>>>> Telnet
>>>>>> P2P and telnet to RMS Relay is not SSL. I believe updates are also SSL
>>>> now.
>>>>>>
>>>>>>
>>>>>> Winlink Express Link Test:
>>>>>>
>>>>>> Test started 2021/03/16 00:52 UTC
>>>>>>
>>>>>> Testing CMS telnet connection to cms.winlink.org through port 8772...
>>>>>>      Successfully connected to a CMS through port 8772 in 253
>> Milliseconds
>>>>>> Testing CMS SSL telnet connection to cms.winlink.org through port
>>>> 8773...
>>>>>>      Successfully connected to a CMS through port 8773 in 311
>> Milliseconds
>>>>>> Testing API service access through port 443 to api.winlink.org...
>>>>>>      Successfully performed API service to api.winlink.org through
>> port
>>>> 443
>>>>>> in 756 Milliseconds
>>>>>>
>>>>>> Testing Autoupdate server access through port 443 to
>>>>>> autoupdate2.winlink.org...
>>>>>>      Successfully checked autoupdate server through port 443 in 439
>>>>>> Milliseconds
>>>>>>
>>>>>> Testing connection to web site -www.winlink.org:443
>>>>>>      Successfully connected towww.winlink.org  through port 443 in 47
>>>>>> Milliseconds
>>>>>>
>>>>>> Testing FTP connection to SFI site -
>>>>>> ftp://ftp.swpc.noaa.gov/pub/latest/SGAS.txt
>>>>>>      Successfully connected to
>>>> ftp://ftp.swpc.noaa.gov/pub/latest/SGAS.txt
>>>>>> through port 20/21 in 1522 Milliseconds
>>>>>>
>>>>>> Test completed successfully.
>>>>>>
>>>>>> -Scott, NS7C
>>>>>>