[HamWAN PSDR] Avoiding encryption (was Newbie)

John D. Hays john at hays.org
Tue Mar 16 11:23:35 PDT 2021


Don't forget *forward* and *output* rules.

On Tue, Mar 16, 2021 at 9:41 AM Steve - WA7PTM <psdr-list at aberle.net> wrote:

> The only firewall rules I've done on the MikroTik are for the persistent
> hackers which show up in the logs.  For specific ports and protocols, I
> expect something like this would be a start:
>
> /ip firewall filter add action=drop chain=input comment="reject ssh" disabled=no port=22 protocol=tcp
> /ip firewall filter add action=drop chain=input comment="reject https" disabled=no port=443 protocol=tcp
> /ip firewall filter add action=drop chain=input comment="reject ftps-data" disabled=no port=989 protocol=tcp
> /ip firewall filter add action=drop chain=input comment="reject ftps" disabled=no port=990 protocol=tcp
> /ip firewall filter add action=drop chain=input comment="reject telnets" disabled=no port=992 protocol=tcp
> /ip firewall filter add action=drop chain=input comment="reject imaps" disabled=no port=993 protocol=tcp
> /ip firewall filter add action=drop chain=input comment="reject pop3s" disabled=no port=995 protocol=tcp
>
> Has anyone experimented with this and have a more complete set of rules?
>
> Thanks,
> Steve
>
>
> John D. Hays wrote on 3/16/21 9:09 AM:
> > Put a firewall filter for in for ports and protocols using encryption.
> >
> > On Tue, Mar 16, 2021, 08:42 Steve - WA7PTM <psdr-list at aberle.net> wrote:
> >
> >> Thanks Aaron.  I fully understand what SSL/TLS is, but am trying to zero
> >> in on how to avoid it on my HamWAN connection.  Unfortunately, the
> >> sneaky protocol translations on the back end will only continue, and we
> >> just need to know which software to stop using when things are not
> >> obvious on the front end.
> >>
> >> Steve
> >>
> >>
> >> Aaron Taggert wrote on 3/16/21 8:26 AM:
> >>> On the authentication/integrity side... FCC says no encryption so we can
> >>> all hear what you're on about. Ham would not be much fun if all you heard
> >>> was encrypted pseudo noise. SSL/TLS authentication is a bit like me sending
> >>> you a list of 100 words and asking you to tell me word 45. Everything is in
> >>> the clear, but I can authenticate that whomever is at the other end at
> >>> least has the right list. Another SSL/TLS feature is integrity, meaning the
> >>> whole message is received. They would be like saying I sent 3421 characters
> >>> CW, 786 of them were vowels. Again everybody can hear what we're saying but
> >>> it would be difficult to impersonate the sender (or receiver) or change the
> >>> message.
> >>>
> >>> On Tue, Mar 16, 2021, 6:32 AM Steve - WA7PTM <psdr-list at aberle.net> wrote:
> >>>> If we separate Winlink (the system) from Winlink Express (the client
> >>>> program), is an SSL connection also the case with the other six clients
> >>>> listed on the https://winlink.org/ClientSoftware page when used in
> >>>> telnet mode?
> >>>>
> >>>> Steve
> >>>>
> >>>>
> >>>> Scott Currie wrote on 3/15/21 10:06 PM:
> >>>>> Yeah, I discussed this with the WDT, and the issue with using HamWAN or
> >>>>> ARDEN. I had asked if we could force a non-SSL connection to the CMS. They
> >>>>> have been under pressure from AWS to switch to all SSL connections, so they
> >>>>> had to make the change. They did commit to leaving the client or gateway
> >>>>> connection to RMS Relay as non-SSL, so that is why we have suggested having
> >>>>> a regional instance of RMS Relay on HamWAN that the RMS Gateways and
> >>>>> clients could point to. Backend of the RMS Relay would then connect to the
> >>>>> CMS over SSL on a hardened Internet connection (like at a county EOC or the
> >>>>> State EOC), or even HF forwarding if the Internet is down.
> >>>>>
> >>>>> -Scott
> >>>>>
> >>>>> On Mon, Mar 15, 2021 at 9:41 PM Stephen Kangas <stephen at kangas.com> wrote:
> >>>>>> Scott, thanks for that update, interesting.  “Telnet” is a misnomer in
> >>>>>> this WinLink instance, as that port 22 protocol is historically and
> >>>>>> normally unencrypted, and widely understood in the industry as such
> >>>>>> (whereas SSH is encrypted).   It looks like the email client is connecting
> >>>>>> locally to an RMS Relay in that mode, which then connects to the CMS on the
> >>>>>> internet.
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>> --Stephen W9SK
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>> *From:* PSDR <psdr-bounces at hamwan.org> *On Behalf Of *Scott Currie
> >>>>>> *Sent:* Monday, March 15, 2021 5:56 PM
> >>>>>> *To:* Puget Sound Data Ring <psdr at hamwan.org>
> >>>>>> *Subject:* Re: [HamWAN PSDR] Newbie
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>> This is not entirely true. Winlink does use TLS/SSL connections for some
> >>>>>> things. The normal telnet connection is now SSL (will fall back to non-SSL
> >>>>>> if the connection fails). Also, RMS Gateway to the CMS is now SSL. Telnet
> >>>>>> P2P and telnet to RMS Relay is not SSL. I believe updates are also SSL now.
> >>>>>>
> >>>>>>
> >>>>>> Winlink Express Link Test:
> >>>>>>
> >>>>>> Test started 2021/03/16 00:52 UTC
> >>>>>>
> >>>>>> Testing CMS telnet connection to cms.winlink.org through port 8772...
> >>>>>>      Successfully connected to a CMS through port 8772 in 253 Milliseconds
> >>>>>> Testing CMS SSL telnet connection to cms.winlink.org through port 8773...
> >>>>>>      Successfully connected to a CMS through port 8773 in 311 Milliseconds
> >>>>>> Testing API service access through port 443 to api.winlink.org...
> >>>>>>      Successfully performed API service to api.winlink.org through port 443
> >>>>>> in 756 Milliseconds
> >>>>>>
> >>>>>> Testing Autoupdate server access through port 443 to
> >>>>>> autoupdate2.winlink.org...
> >>>>>>      Successfully checked autoupdate server through port 443 in 439
> >>>>>> Milliseconds
> >>>>>>
> >>>>>> Testing connection to web site - www.winlink.org:443
> >>>>>>      Successfully connected to www.winlink.org through port 443 in 47
> >>>>>> Milliseconds
> >>>>>>
> >>>>>> Testing FTP connection to SFI site -
> >>>>>> ftp://ftp.swpc.noaa.gov/pub/latest/SGAS.txt
> >>>>>>      Successfully connected to ftp://ftp.swpc.noaa.gov/pub/latest/SGAS.txt
> >>>>>> through port 20/21 in 1522 Milliseconds
> >>>>>>
> >>>>>> Test completed successfully.
> >>>>>>
> >>>>>> -Scott, NS7C
> >>>>>>
> >>>>>>
> _______________________________________________
> PSDR mailing list
> PSDR at hamwan.org
> http://mail.hamwan.net/mailman/listinfo/psdr
>


-- 
John D. Hays
Kingston, WA
K7VE / WRJT-215
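Working John's point about the forward and output chains into Steve's rules, as an added example (this is not configuration posted by anyone on the list): one custom chain holds the port list, and input, forward and output each jump to it, so the list is maintained in one place instead of three. Assumptions: RouterOS 6/7 `/ip firewall filter` syntax, `ether1` as the HamWAN-facing interface (substitute your own), and a port set made of Steve's ports plus the other IANA-registered TLS ports and 8773, which Scott's link test shows as the Winlink "SSL telnet" port. TCP gets `reject-with=tcp-reset` rather than a silent drop, so that a client like Winlink Express, which Scott says falls back to non-SSL when the SSL connection fails, fails over at once instead of waiting out a connect timeout.

```routeros
# Added example for this thread, not configuration posted by any list member.
# Assumptions: RouterOS 6.x/7.x "/ip firewall filter" syntax; ether1 is the
# HamWAN-facing interface (substitute yours); port list = Steve's ports plus
# the other IANA-registered TLS ports and 8773, the Winlink "SSL telnet" port
# seen in Scott's link test.
/ip firewall filter

# One custom chain holds the port list; the three built-in chains jump to it.
add chain=encrypted action=reject reject-with=tcp-reset protocol=tcp \
    dst-port=22,443,465,563,636,853,989,990,992,993,994,995,5061,8443,8773 \
    log=yes log-prefix="enc-tcp" \
    comment="SSH/TLS ports; RST so clients with a non-SSL fallback fail over at once"
add chain=encrypted action=reject reject-with=icmp-port-unreachable protocol=udp \
    dst-port=443,853 log=yes log-prefix="enc-udp" comment="QUIC and DNS-over-QUIC"
# Packets matching nothing above fall back into the chain that jumped here.

# input: sessions aimed at the router itself, arriving from HamWAN
add chain=input action=jump jump-target=encrypted in-interface=ether1 \
    comment="encrypted, HamWAN -> router"
# forward: sessions passing through the router, checked in both directions
add chain=forward action=jump jump-target=encrypted in-interface=ether1 \
    comment="encrypted, HamWAN -> LAN"
add chain=forward action=jump jump-target=encrypted out-interface=ether1 \
    comment="encrypted, LAN -> HamWAN"
# output: sessions the router opens on its own (update checks, cloud services)
add chain=output action=jump jump-target=encrypted out-interface=ether1 \
    comment="encrypted, router -> HamWAN"
```

Put the jump rules ahead of any broad accept rules or they never see the traffic. `/ip firewall filter print stats` shows the packet counters on the `encrypted` chain and `/log print where message~"enc-"` lists the logged hits, which is how you find out which application tried to go encrypted. This is still port matching: TLS on a port not in the list, or a STARTTLS upgrade inside a session that began in the clear on 25, 110 or 143, passes through untouched.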
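Port rules only catch what sits on a port you thought to list, and Steve's "sneaky protocol translations on the back end" are exactly the case where a client speaks TLS somewhere unexpected (Scott's link test shows 8773 doing that). The check a practitioner runs is to look at the first bytes the client sends: a TLS session opens with a ClientHello whose record header is recognisable on any port, and the SNI inside it names the server. The parser below is an added example, not code from the thread or from Winlink; it assumes the input is the first client payload of a TCP session copied out of a packet capture, and the sample payloads are constructed inline.

```python
"""Tell a TLS ClientHello from plaintext by looking at the first client payload.

Added example for this thread, not code from any list member or from Winlink.
Assumptions: the input is the first application-layer bytes a client sends
after the TCP handshake (e.g. copied from a packet capture); the sample
payloads at the bottom are constructed here for the demonstration.
"""
import struct

TLS_HANDSHAKE = 0x16      # record content type for handshake messages
CLIENT_HELLO = 0x01       # handshake message type
# Record-layer versions real clients put on the wire: SSL 3.0 .. TLS 1.2.
# TLS 1.3 keeps 0x0303 in the record header for middlebox compatibility.
RECORD_VERSIONS = {0x0300, 0x0301, 0x0302, 0x0303}


def parse_client_hello(payload: bytes):
    """Return {'version': int, 'sni': str or None} if payload is a complete
    TLS ClientHello, otherwise None (plaintext, other protocol, truncated)."""
    if len(payload) < 5:
        return None
    ctype, rec_ver, rec_len = struct.unpack("!BHH", payload[:5])
    if ctype != TLS_HANDSHAKE or rec_ver not in RECORD_VERSIONS:
        return None
    hs = payload[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len or hs_len < 35:
        return None  # truncated, or too short for version + random + session_id
    client_version = struct.unpack("!H", body[:2])[0]
    pos = 34                                   # skip version (2) + random (32)
    pos += 1 + body[pos]                       # session_id
    if pos + 2 > len(body):
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    if pos + 1 > len(body):
        return None
    pos += 1 + body[pos]                       # compression_methods
    sni = None
    if pos + 2 <= len(body):                   # extensions block is optional
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = min(pos + ext_len, len(body))
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            edata = body[pos:pos + elen]
            pos += elen
            # server_name (type 0): 2-byte list length, then entries of
            # name_type (1 byte, 0 = host_name), 2-byte length, name
            if etype == 0 and len(edata) >= 5 and edata[2] == 0:
                nlen = struct.unpack("!H", edata[3:5])[0]
                sni = edata[5:5 + nlen].decode("ascii", "replace")
    return {"version": client_version, "sni": sni}


def build_client_hello(sni, client_version=0x0303):
    """Construct a minimal but well-formed ClientHello (one cipher suite,
    all-zero random) so the parser can be exercised offline."""
    exts = b""
    if sni is not None:
        name = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name
        name_list = struct.pack("!H", len(entry)) + entry
        exts = struct.pack("!HH", 0, len(name_list)) + name_list
    body = (struct.pack("!H", client_version) + bytes(32)   # version, random
            + b"\x00"                                       # empty session_id
            + struct.pack("!H", 2) + b"\x13\x01"            # TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                                   # null compression
            + struct.pack("!H", len(exts)) + exts)
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", TLS_HANDSHAKE, 0x0301, len(hs)) + hs


# Constructed samples of what the first client bytes of a session might be.
SAMPLES = {
    "tls to cms": build_client_hello("cms.winlink.org"),
    "plain http": b"GET / HTTP/1.0\r\n\r\n",
    "plain text": b"hello, anyone listening?\r\n",
}


def classify(payload: bytes) -> str:
    """Human-readable verdict for one first-payload sample."""
    hello = parse_client_hello(payload)
    if hello is None:
        return "not a TLS ClientHello (plaintext or other protocol)"
    return f"TLS ClientHello, client_version=0x{hello['version']:04x}, sni={hello['sni']}"


if __name__ == "__main__":
    for label, data in SAMPLES.items():
        print(f"{label:12s} -> {classify(data)}")
```

Run it against the first client packet of any session you capture on the HamWAN side and the verdict tells you whether that application is encrypting regardless of the port it chose. Sessions that begin in the clear and upgrade with STARTTLS show up as plaintext here, because their ClientHello only appears later in the stream.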