# Gateways-Access-FAQ
#
# Start of ACCESS.RC file
# ***********************
# NB: The IP ACCESS and TCP ACCESS framework is based on IP ACCESS and TCP
# ACCESS control files shown below written by VE3RKS at VE3UOW and by
# VE3PNX at VE3RPI.
#
# - This file should be sourced into your autoexec.nos file after all ports
#   have been attached and defined.
# - This file also contains a handy summary of what TCP/UDP ports are
#   commonly used.
# - This file contains information on the use of TCP ACCESS and IP ACCESS.
# - All lines begin with # symbols. This is to allow this file to be
#   sourced into your autoexec.nos after being edited for your specific setup.
#   Lines that do not begin with # symbols are valid NOS IP and TCP ACCESS
#   commands.
#
# Ports of interest for both UDP and TCP
# **************************************
# 1 - 3599 - SERVER PORTS limit access based on local rules UDP and TCP
#
#***************************************************************************
# 7 - ECHO
# 9 - DISCARD
# 20 - FTP-DATA
# 21 - FTP-CONTROL
# 23 - TELNET
# 25 - SMTP
# 57 - SECONDARY TELNET
# 67 - BOOTP
# 79 - FINGER
# 87 - TTYLINK [Operator chat]
# 97 - AXIP/IPIP/IPTUNNEL
# 109 - POP2
# 110 - POP3
# 119 - NNTP
# 513 - RLOGIN/RWHO
# 525 - TIME DAEMON
# 1234 - REMOTE
# 1235 - CALLSIGN DB
# 3600 - CONVERS [Only AMPR.ORG domain should have access]
# 3601 - LZW CONVERS [Only AMPR.ORG domain should have access]
#
#***************************************************************************
# 1050 - 32768 - REPLY PORTS should be accessible to all <= very important
#
#***************************************************************************
#
# TCP ACCESS
# **********
# TCP ACCESS is used to limit access to certain servers accessible by
# TCP/TELNET to specific ports. For example you may want to allow
# access to the SMTP server in your machine from all machines AMATEUR
# and NON-AMATEUR.
#
# TCP access stops a connection to a server from being built only at
# the machine at which it is installed. If you want to stop a gateway
# from routing TCP/IP packets from specific addresses to specific
# addresses you need to use the IP ACCESS code!
#
# TCP ACCESS   WHAT    FROM             LOW    HIGH
# ### ######   ######  ###############  #####  #####
#
# Permit all AMPR.ORG and LOCAL domains to ports 1 - 3601
tcp access permit 44/8 1 3601
tcp access permit 127.0.0.1 1 3601
#
# Do NOT allow inbound SMTP connections from the Internet
tcp access deny all 25 25
#
# Permit all to ports 1 - 3599
tcp access permit all 1 3599
#
# Permit all access to ports 3602 - 32768
tcp access permit all 3602 32768
#
# Deny all access to CONVERS ports 3600 and 3601
tcp access deny all 3600 3601
#
#
# NOTES: The preceding TCP ACCESS code is read in order. TOP down!
# Order is important. In reading from top down the first rule that
# satisfies the origination address and port requirements is the one
# used. So you should place excludes before includes for specific
# originating addresses, followed by global [all] includes or
# excludes.
#
# Example:
# tcp access permit all 1 32768
# tcp access deny 167.23.43.1 3600 3601 <= should be first line
#
# This would not deny 167.23.43.1 access to the convers server as the first
# rule would satisfy the test to allow, but reversing the order would!
#
#
# IP ACCESS
# *********
# IP ACCESS is an important bit of code for an INTERNET/AMPRnet Gateway
# as it can be used to selectively allow or disallow the routing of
# TCP/IP packets based on source IP address, destination IP address,
# packet type [udp/tcp/..], UDP or TCP port number and interface port.
#
# For most gateways you would like to only pass AMPR.ORG originated
# IP addresses to other AMPR.ORG IP addresses (like UK and AUSTRALIAN LAW).
# Exceptions might be where local law allows Amateurs to originate to
# anywhere (including non-amateur destinations) as the replies are
# technically under the control of the originator (like USA and CANADIAN
# law).
#
# The idea behind IP ACCESS is to set up rules that will allow or deny
# routing of packets. Unlike the TCP ACCESS command, IP ACCESS does not
# restrict access to servers at the machine that is running this code. It
# does however restrict the gatewaying of IP packets across interface
# ports.
#
# Valid PROTOCOLS are ICMP, UDP, TCP, and ANY (everything else). Both
# ICMP and ANY do not allow specific port restrictions as port numbers
# are not really used for the other TCP/IP protocols.
#
# WHAT =
# PROT =
# PORT = ATTACHED INTERFACE/PORT
# LOW  = TCP or UDP low port number
# HIGH = TCP or UDP high port number
#
# Below I use the following pseudo PORT names:
# AX0   = ax25 rf port
# AX1   = ax25 rf port
# AX3   = AXIP pseudo ax25 port
# BBS   = SLIP port to an attached bbs
# MODEM = SLIP port to a telephone modem
# ETH0  = PACKET interface to ethernet card
# ENCAP = ENCAP routing interface
#
#
# IP ACCESS  WHAT    PROT  SOURCE         DESTINATION      PORT   low     high
# ## ######  ######  ####  #############  ###############  #####  ######  ######
ip access permit icmp 44/8 all ax0 1 32768
ip access permit icmp 44/8 all ax1 1 32768
# ip access permit icmp all all ax3 1 32768
# ip access permit icmp all all bbs 1 32768
ip access permit icmp all all eth0 1 32768
ip access permit icmp all all encap 1 32768
# ip access permit icmp all all modem 1 32768
#
ip access permit udp 44/8 all ax0 1 32768
ip access permit udp 44/8 all ax1 1 32768
#
# ip access permit udp all 44.bbb.ccc.ddd ax2 1 32768
# The above line allows a machine 44.bbb.ccc.ddd to receive UDP datagrams
# from any source over a channel that would normally only allow 44/8 sources
#
# ip access permit udp all all ax3 1 32768
# ip access permit udp all all bbs 1 32768
ip access permit udp all all eth0 1 32768
ip access permit udp all all encap 1 32768
# ip access permit udp all all modem 1 32768
#
# TCP will allow TCP client-server packets to be passed
#
ip access permit tcp 44/8 all ax0 1 32768
ip access permit tcp all 44/8 ax0 1000 3599
ip access permit tcp all 44/8 ax0 3602 32768
ip access permit tcp 44/8 all ax1 1 32768
#
# ip access permit tcp all 44.bbb.ccc.ddd ax1 25 25
# The above line allows a machine 44.bbb.ccc.ddd to receive incoming SMTP
# from any source over a channel that would normally only allow 44/8 sources
#
# ip access permit tcp all all ax3 1 32768
# ip access permit tcp all all bbs 1 32768
ip access permit tcp all all eth0 1 32768
ip access permit tcp all all encap 1 32768
# ip access permit tcp all all modem 1 32768
#
# ANY will allow AXIP, IPIP etc!
#
# ip access permit any 44/8 44.bbb.ccc.ddd ax1 1 32768
# The above line allows a machine 44.bbb.ccc.ddd to receive incoming axip
# from 44/8 sources over a channel that would normally not allow axip
#
# ip access permit any all all ax3 1 32768
# ip access permit any all all bbs 1 32768
ip access permit any all all eth0 1 32768
ip access permit any all all encap 1 32768
# ip access permit any all all modem 1 32768
#
# The default rule is to deny all that are not allowed above.
#
#
# ---end of file access.rc---
#
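The top-down, first-match evaluation described in the TCP ACCESS NOTES above, as an added Python model that is not part of the original access.rc or of NOS: it loads the six live tcp access rules from this file and the two-rule ordering example from the NOTES, so the effect of rule order can be checked before the file is sourced. It assumes an implicit final deny for TCP ACCESS (the file states this only for IP ACCESS); the non-AMPR test address 192.0.2.7 in the usage note is constructed.

```python
import ipaddress

# NOS-style "tcp access <permit|deny> <addr[/bits]|all> <low> [<high>]" rules are
# matched top down: the first rule whose address and port range fit decides.

def parse_rule(line):
    """Parse one tcp access line into (action, network, low, high)."""
    f = line.split()
    if len(f) < 5 or f[:2] != ["tcp", "access"] or f[2] not in ("permit", "deny"):
        raise ValueError(f"not a tcp access rule: {line!r}")
    action, addr, low = f[2], f[3], int(f[4])
    high = int(f[5]) if len(f) > 5 else low        # single port when HIGH is omitted
    if addr == "all":
        net = ipaddress.ip_network("0.0.0.0/0")
    else:
        # NOS shorthand such as "44/8" omits trailing octets; a bare host is a /32
        host, _, bits = addr.partition("/")
        octets = host.split(".")
        host = ".".join(octets + ["0"] * (4 - len(octets)))
        net = ipaddress.ip_network(f"{host}/{bits or 32}", strict=False)
    return action, net, low, high

def decide(rules, src, port):
    """'permit' or 'deny' for a connection from src to the local TCP port."""
    a = ipaddress.ip_address(src)
    for action, net, low, high in rules:
        if a in net and low <= port <= high:
            return action                          # first match wins
    return "deny"  # assumed implicit final deny, as the file states for IP ACCESS

def load(lines):
    """Comment (#) and blank lines are skipped, as when NOS sources the file."""
    return [parse_rule(ln) for ln in lines if ln.strip() and not ln.startswith("#")]

# The six live tcp access rules from access.rc above, in the file's order
ACCESS_RC = load("""
tcp access permit 44/8 1 3601
tcp access permit 127.0.0.1 1 3601
tcp access deny all 25 25
tcp access permit all 1 3599
tcp access permit all 3602 32768
tcp access deny all 3600 3601
""".splitlines())

# The NOTES example: the same two rules in the wrong and in the corrected order
NOTES_EXAMPLE = ["tcp access permit all 1 32768", "tcp access deny 167.23.43.1 3600 3601"]
WRONG_ORDER = load(NOTES_EXAMPLE)
RIGHT_ORDER = load(NOTES_EXAMPLE[::-1])
```

With the file's rules, decide(ACCESS_RC, "192.0.2.7", 3600) and decide(ACCESS_RC, "192.0.2.7", 25) both return "deny" while port 23 from the same host is permitted; decide(WRONG_ORDER, "167.23.43.1", 3600) returns "permit" and decide(RIGHT_ORDER, ...) returns "deny", which is the ordering point the NOTES make.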