[nos-bbs] WHY you should firewall your JNOS system :]

Maiko (Personal) maiko at pcsinternet.ca
Mon Apr 17 20:57:26 EDT 2023


Hi Jay, and group,

I just wanted to illustrate how much traffic JNOS can potentially
receive if direct on the internet. Even if there are no listeners
on any of the ports, that traffic still needs to be processed by
JNOS, and if you consider the type of kernel JNOS uses, it takes
away time JNOS could be spending on 'more important' things.

Even if JNOS has to do the firewalling with ip access or tcp access,
again, that's CPU cycles wasted on traffic that doesn't even need to
get to JNOS. Even if there are no listeners, it still has to process
all of it to some level.

Also, I don't even trust ports for which JNOS has listeners enabled,
exposing to the open internet, one has no idea what kind of payloads
are being attempted, and the potential for buffer overruns. It's old
code, I'm sure there are cases where it's possible, and my JNOS does
crash a bit more when wide open exposed to the internet. It is quite
the challenge to find these vulnerabilities in the code (my goal).

The feature is a compile time, meant for debugging, I should have
been more clear about it, there is no flag, but you have to define
something in config.h anyways for it to appear, so no harm done.

It would be more useful with a flag of course, agreed, we'll see.

Maiko / VE4KLM

On 2023-04-17 4:20 p.m., Jay wrote:
> Greetings,
>     So what?   There was no port open to 'listen' and process that 
> requested TCP session and ultimately the packet is dropped.  Isn't that 
> exactly what a firewall does?
> 
>     By having a firewall closer to the Internet from the Jnos box, the 
> dropping of packets is done sooner.  Is JNOS unable to handle the CPU load?
> 
>     Nice to have the 'no listener' feature, BTW.  But can it be turned 
> off so we don't waste disk space and file access time, logging 
> unnecessary events?
> 
>        --- Jay  WB8TKL
> 
> 
> On Mon, 17 Apr 2023, Maiko Langelaar (Personal) wrote:
> 
>> Good day,
>>
>> Just to give people an idea, new 'no listener' logging enabled ...
>>
>> 21:51:44  - JNOS 2.0o.2dev (Linux) was started
>>
>> 21:52:15 network: 120.92.194.93:44677 - no TCP (8090) listener
>> 21:52:28 network: 5.8.18.8:40533 - no TCP (55792) listener
>> 21:53:48 network: 94.102.61.47:44762 - no TCP (3175) listener
>> 21:53:53 network: 149.18.73.222:5146 - no UDP (5060) listener
>> 21:54:42 network: 94.102.61.47:32810 - no TCP (3174) listener
>> 21:55:43 network: 47.95.9.97:34454 - no TCP (6379) listener
>> 21:55:52 network: 89.248.165.59:40053 - no TCP (4200) listener
>> 21:56:24 network: 89.248.165.221:48495 - no TCP (55047) listener
>> 21:56:44 network: 89.248.165.189:45605 - no TCP (64005) listener
>> 21:57:39 network: 194.26.135.31:52487 - no TCP (3573) listener
>> 21:58:00 network: 121.196.11.130:56809 - no TCP (33386) listener
>> 21:58:16 network: 89.248.165.14:42582 - no TCP (32310) listener
>> 21:58:29 network: 167.248.133.138:2687 - no TCP (18080) listener
>> 21:58:50 network: 180.182.236.146:5212 - no TCP (80) listener
>> 21:58:56 network: 193.35.18.12:40648 - no TCP (1000) listener
>> 21:59:05 network: 122.114.197.7:33120 - no TCP (6379) listener
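As an added example (not code from the thread, nor part of JNOS), a small Python summarizer for the 'no listener' log format quoted above: it counts probes per destination port and flags sources that touched more than one port. The sample log lines are constructed and use documentation address ranges.

```python
import re
from collections import Counter, defaultdict

# Matches the JNOS 'no listener' lines quoted in the thread:
#   HH:MM:SS network: SRC_IP:SRC_PORT - no PROTO (DST_PORT) listener
NO_LISTENER_RE = re.compile(
    r"^(\d{2}:\d{2}:\d{2}) network: "
    r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+) - no (TCP|UDP) \((\d+)\) listener$"
)

# Constructed sample log in the same format (documentation ranges, not real sources).
SAMPLE_LOG = """\
21:51:44  - JNOS 2.0o.2dev (Linux) was started
21:52:15 network: 198.51.100.7:44677 - no TCP (8090) listener
21:52:28 network: 203.0.113.9:40533 - no TCP (6379) listener
21:53:48 network: 203.0.113.9:44762 - no TCP (3175) listener
21:53:53 network: 192.0.2.22:5146 - no UDP (5060) listener
21:55:43 network: 198.51.100.7:34454 - no TCP (6379) listener
21:55:52 network: 203.0.113.9:40053 - no TCP (4200) listener
"""

def parse_no_listener(text):
    """Return (time, src_ip, src_port, proto, dst_port) tuples; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = NO_LISTENER_RE.match(line.strip())
        if m:
            t, ip, sport, proto, dport = m.groups()
            events.append((t, ip, int(sport), proto, int(dport)))
    return events

def summarize(events):
    """Probes per (proto, port), probes per source, and sources hitting several ports."""
    by_port = Counter((proto, dport) for _, _, _, proto, dport in events)
    by_src = Counter(ip for _, ip, _, _, _ in events)
    ports_per_src = defaultdict(set)
    for _, ip, _, proto, dport in events:
        ports_per_src[ip].add((proto, dport))
    multi = sorted(ip for ip, ports in ports_per_src.items() if len(ports) > 1)
    return {"events": len(events), "by_port": by_port,
            "by_src": by_src, "multi_port_sources": multi}

if __name__ == "__main__":
    s = summarize(parse_no_listener(SAMPLE_LOG))
    print(f"{s['events']} probes hit ports with no listener")
    for (proto, port), n in s["by_port"].most_common():
        print(f"  {proto} {port}: {n}")
    print("sources touching several ports:", ", ".join(s["multi_port_sources"]))
```

Pointed at a real JNOS log, the per-port counts show how much of the unsolicited traffic a firewall in front of the box would drop before JNOS has to spend cycles on it.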
