RM-11831

ke7xo
RM-11831

While FCC petition RM-11831 is primarily a vendetta against Winlink and SCS, it does bring into question how well MESH monitors traffic.
 
A local user has a tunnel/VoIP link to a local business primarily selling amateur radio equipment. How do I know my nodes aren't being used to facilitate business?

A local user has graciously allowed internet access through one of his nodes. How do I know my nodes aren't being used to facilitate encrypted data from CNN?

Is there a way to monitor traffic going through my nodes? How about traffic for the past 24 hours? What's the progress of the Black List?
 
Richard     ke7xo

AA7AU
As an aside re: use of tunnels

As a reminder about basic use of tunnels, as found in the AREDN docs section at https://arednmesh.readthedocs.io/en/latest/arednGettingStarted/advanced_config.html : "Unless you have a specific need for this type of network connection, it is recommended that you do not install the Tunnel Server feature ...". However, tunnels *might* be used as a " ... temporary means of connecting mesh islands when RF links have yet to be established. They should be removed as soon as RF links are operational. Remember that AREDN® is first and foremost an emergency communication resource, so it's likely that Internet-dependent links and the assets they provide will not be available during a disaster. Their presence could create a false expectation for served agency personnel, so the network will fail to meet their expectations when tunneled resources become unavailable during a disaster."

Bottom line, as I read it: use of tunnels as regular network connections runs counter to the intent of AREDN mesh networks.

Now back to the OP's original questions: "How do I know my nodes aren’t being used to facilitate ... ?  Is there a way to monitor traffic going thru my nodes? ...  What’s the progress of the Black List?"

- Don - AA7AU
K6AH
Original Questions...
  • "How do I know my nodes aren't being used to facilitate ... ?"  You don't.  There are several ways to view the FCC's intent in Part 97.  These opinions spawn passionate arguments on both sides.  Since most of us are not lawyers, no one's opinion ever wins the day.  There are a multitude of resources available for you to investigate this yourself and come to your own conclusions on whether Internet access and its security protocols such as Transport Layer Security (TLS) are suitable for the ham bands.
  • "Is there a way to monitor traffic going thru my nodes? ..."    No, but if you think it would be valuable, put in a feature request for it.
  • "What's the progress of the Black List?"  You can follow Issue #211 yourself.  It's still in the discussion phase.

Andre, K6AH

ke7xo
issue #211

I read the comments on #211. It seems as southern California goes, so does the rest of the world?

Currently I have two options if a user is violating Part 97 and/or local policy...

ignore it (and jeopardize losing my license under Part 97)      or      shut down and take up sitting on a park bench watching the gals walk by

(asking politely doesn't work with individuals who feel they have the right to do as they wish)

Winlink has the option to lock out those violating rules... at the sysop level, and if that fails, the national level.

IRLP has options to lock out those not following policy... so does BPQ.

Richard     ke7xo

AE6XE
Blocking encrypted data

"How do I know my nodes aren’t being used to facilitate encrypted data?"

You can block the typical encrypted data from being routed through your mesh node over RF by creating a file on the mesh node, "/etc/local/mesh-firewall/59-custom-rules", and putting in this file the command examples below. This file is preserved across a sysupgrade to newer firmware.

        iptables -N mesh_block_known_encryption
        iptables -I FORWARD -j mesh_block_known_encryption
        iptables -I OUTPUT -j mesh_block_known_encryption
        iptables -I INPUT -j mesh_block_known_encryption
 
        # SSH
        iptables -I mesh_block_known_encryption -p tcp --dport 22 -o wlan0 -j REJECT
        iptables -I mesh_block_known_encryption -p tcp --dport 22 -i wlan0 -j REJECT
 
        # HTTPS
        iptables -I mesh_block_known_encryption -p tcp --dport 443 -o wlan0 -j REJECT
        iptables -I mesh_block_known_encryption -p tcp --dport 443 -i wlan0 -j REJECT
 
        # SMTP over SSL
        iptables -I mesh_block_known_encryption -p tcp --dport 465 -o wlan0 -j REJECT
        iptables -I mesh_block_known_encryption -p tcp --dport 465 -i wlan0 -j REJECT
 
        # IMAP over SSL
        iptables -I mesh_block_known_encryption -p tcp --dport 993 -o wlan0 -j REJECT
        iptables -I mesh_block_known_encryption -p tcp --dport 993 -i wlan0 -j REJECT
 
        # POP3 over SSL
        iptables -I mesh_block_known_encryption -p tcp --dport 995 -o wlan0 -j REJECT
        iptables -I mesh_block_known_encryption -p tcp --dport 995 -i wlan0 -j REJECT
 
        # NODE SSH
        iptables -I mesh_block_known_encryption -p tcp --dport 2222 -o wlan0 -j REJECT
        iptables -I mesh_block_known_encryption -p tcp --dport 2222 -i wlan0 -j REJECT
Joe AE6XE

ke7xo
Thanks Joe,

I'll see what damage I can do when I get home this afternoon.

Richard   ke7xo

n9lya
Winlink encrypts NOTHING... It is compressed using a 30-year-old public method called B2F compression, also used by FBB, BPQ and other BBS software, and TNCs... So that is how you know... Encryption is and always has been illegal and is not used by Ham Radio or WINLINK...

ke7xo
Jerry,

We're discussing encryption from HTTPS sites using RF MESH nodes.

Richard   ke7xo

n9lya
Thanks Richard.. Understood.

AE6XE
Comparison examples using different Ham Radio technologies to consider:

Winlink:   someone sends an attachment in the email.  The attachment is encrypted.
HF SSB:   someone repeats a message from hospital staff; the patient identification is obscured.
AREDN:   The Red Cross does a VPN link from an incident site over the top of AREDN back to HQ.

Joe AE6XE

K7DXS
Except this is far from sufficient. Anything can be used on any port, and in fact is often used on ports other than those listed, i.e. 110, 143, and 587. But if you block these you block unencrypted email as well. The only way to block all encryption is to either block EVERYTHING or perform Deep Packet Inspection, which these units don't have the horsepower to do.

Personally, I think that the only people who should be liable for encrypted traffic are those who originate it, and not those who automatically relay it.
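A small illustration of the point K7DXS makes above, and of the limits of the port list in AE6XE's 59-custom-rules post, as an added example that is not part of this thread and not part of AREDN's firmware. It puts the destination-port test from the firewall file next to the cheapest form of deep packet inspection: a TLS session begins with a ClientHello whose record and handshake headers have a fixed shape on whatever port it travels, and the requested host name is readable in the SNI extension. The sample flows, the 8443 port, the host names and the function names are all constructed for the demo and are assumptions, not anything the thread reports. This is meant to run on a desktop over payloads pulled from a capture, not on the node itself.

```python
"""Port-agnostic TLS detection over raw TCP payloads (added example).

Compares the destination-port rule used in the thread's 59-custom-rules file
with a look at the first bytes of a flow: a TLS ClientHello is recognisable
on any port, and plain HTTP sent to port 443 is not TLS at all.
All packets are constructed inline; nothing is captured from a real network.
"""
import struct

# Destination ports rejected by the 59-custom-rules file quoted in the thread.
BLOCKED_PORTS = {22, 443, 465, 993, 995, 2222}

TLS_HANDSHAKE = 0x16   # TLS record content type "handshake"
CLIENT_HELLO = 0x01    # handshake message type
SNI_EXT = 0x0000       # server_name extension type


def port_says_encrypted(dst_port):
    """The approach in the thread: judge the flow by destination port only."""
    return dst_port in BLOCKED_PORTS


def parse_client_hello(payload):
    """Return the SNI host name ('' if absent) when payload starts with a TLS
    ClientHello, else None. Truncated or non-TLS data yields None."""
    # Record header: content_type(1) version(2) length(2); major version 3.
    if len(payload) < 5 or payload[0] != TLS_HANDSHAKE or payload[1] != 0x03:
        return None
    rec_len = struct.unpack("!H", payload[3:5])[0]
    body = payload[5:5 + rec_len]
    # Handshake header: msg_type(1) length(3).
    if len(body) < 4 or body[0] != CLIENT_HELLO:
        return None
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    try:
        pos = 2 + 32                                   # client_version + random
        pos += 1 + hello[pos]                          # session_id
        cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2 + cs_len                              # cipher_suites
        pos += 1 + hello[pos]                          # compression_methods
        if pos >= len(hello):
            return ""                                  # no extensions block
        ext_total = struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_total
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            if etype == SNI_EXT:
                # server_name_list: list_len(2) name_type(1) name_len(2) name
                name_len = struct.unpack("!H", hello[pos + 3:pos + 5])[0]
                return hello[pos + 5:pos + 5 + name_len].decode("ascii", "replace")
            pos += elen
        return ""
    except (IndexError, struct.error):
        return None                                    # malformed or cut short


def build_client_hello(sni=None):
    """Constructed minimal ClientHello (TLS 1.2 framing) used as sample input."""
    hello = b"\x03\x03" + bytes(32)                    # version + zeroed random
    hello += b"\x00"                                   # empty session id
    hello += b"\x00\x02\x13\x01"                       # one cipher suite
    hello += b"\x01\x00"                               # null compression only
    exts = b""
    if sni is not None:
        name = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name
        sn_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", SNI_EXT, len(sn_list)) + sn_list
    hello += struct.pack("!H", len(exts)) + exts
    hs = bytes([CLIENT_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(hs)) + hs


def classify(dst_port, first_payload):
    """Verdict of both approaches for the first client segment of one flow."""
    sni = parse_client_hello(first_payload)
    return {"port_rule": port_says_encrypted(dst_port),
            "payload_rule": sni is not None,
            "sni": sni or ""}


# Constructed sample flows: name -> (destination port, first client payload).
SAMPLE_FLOWS = {
    "https_443": (443, build_client_hello("example.com")),
    "https_8443": (8443, build_client_hello("portal.example.net")),
    "http_on_443": (443, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    "http_80": (80, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
}


def run_demo():
    """Classify every sample flow; returns {name: verdict}."""
    return {name: classify(port, data) for name, (port, data) in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for name, v in run_demo().items():
        print(f"{name:12s} port_rule={v['port_rule']!s:5s} "
              f"payload_rule={v['payload_rule']!s:5s} sni={v['sni']!r}")
```

The 8443 flow is the case the port list misses and the header check catches; the plaintext request to 443 is the reverse. The header check still only sees the first segment of each flow and costs a parse per new connection, which is the "horsepower" problem K7DXS raises for doing this on the node.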

K1DOS
Sorry if this is a dumb question, but how does one create this file and add it to a node?  Is there something in the GUI, or is this some kind of command-line thing?

Respectfully,

Hank
AE6XE
Hank, one option requires knowledge of the Linux shell command line and the 'vi' editor. One would telnet into the node and from the command line put the contents into the file. Alternatively, you can prepare the file on your desktop, then use "scp" to copy the file to the appropriate location on the mesh node. On Windows there are several programs available to install: WinSCP, PuTTY, and more. From Linux to Linux the command would look like this:

scp -P 2222 59-custom-rules root@localnode.local.mesh:/etc/local/mesh-firewall/59-custom-rules

Joe AE6XE
