[nos-bbs] working IP access configuration
Jay
jjn at nuge.com
Fri Jan 16 10:24:03 EST 2026
Greetings Maiko,
On Thu, 15 Jan 2026, maiko at pcsinternet.ca wrote:
> Anyone got a working (confirmed) JNOS 'ip access' configuration ?
> This is driving me (yup) nuts !
> Maiko / VE4KLM
See attached "access3.rc"
This is what we used on the JNOS Hamgates all across the State of
Michigan. Worked VERY well for us in the days of a *closed* and
relatively safe 44Net (using IPIP Encapsulation) when the only packets
with a 44 address were assured to be from another licensed Ham somewhere
in the world. That was before BGP ruined that and now the barn doors are
wide open and a 44 packet could come from anyone, anywhere, with no idea
if they are actually a licensed Ham or not. Sad....
Hope it helps.
--- Jay WB8TKL
o Past IP Address Coordinator for 44.102/16 Michigan
-------------- next part --------------
# Gateways-Access-FAQ
#
# Start of ACCESS.RC file
# ***********************
# NB: The IP ACCESS and TCP ACCESS framework is based on the IP ACCESS and TCP
# ACCESS control files shown below, written by VE3RKS at VE3UOW and by
# VE3PNX at VE3RPI.
#
# - This file should be sourced into your autoexec.nos file after all ports
# have been attached and defined.
# - This file also contains a handy summary of what TCP/UDP ports are
# commonly used.
# - This file contains information on the use of TCP ACCESS and IP ACCESS
# - All comment lines begin with # symbols. This is to allow this file to be
# sourced into your autoexec.nos after being edited for your specific setup.
# Lines that do not begin with # symbols are valid NOS IP and TCP ACCESS
# commands.
#
# Ports of interest for both UDP and TCP
# **************************************
# 1 - 3599 - SERVER PORTS: limit access based on local rules (UDP and TCP)
#
#***************************************************************************
# 7 - ECHO
# 9 - DISCARD
# 20 - FTP-DATA
# 21 - FTP-CONTROL
# 23 - TELNET
# 25 - SMTP
# 57 - SECONDARY TELNET
# 67 - BOOTP
# 79 - FINGER
# 87 - TTYLINK [Operator chat]
# 97 - AXIP/IPIP/IPTUNNEL
# 109 - POP2
# 110 - POP3
# 119 - NNTP
# 513 - RLOGIN/RWHO
# 525 - TIME DAEMON
# 1234 - REMOTE
# 1235 - CALLSIGN DB
# 3600 - CONVERS [Only AMPR.ORG domain should have access]
# 3601 - LZW CONVERS [Only AMPR.ORG domain should have access]
#
#***************************************************************************
# 1050 - 32768 - REPLY PORTS should be accessible to all <= very important
#
#***************************************************************************
#
# TCP ACCESS
# **********
# TCP ACCESS is used to limit access to certain servers reachable by
# TCP/TELNET on specific ports. For example, you may want to allow
# access to the SMTP server in your machine from all machines, AMATEUR
# and NON-AMATEUR.
#
# TCP ACCESS only stops a connection to a server from being built on the
# machine where it is installed. If you want to stop a gateway
# from routing TCP/IP packets from specific addresses to specific
# addresses you need to use the IP ACCESS code!
#
# TCP ACCESS WHAT FROM LOW HIGH
# ### ###### ###### ############### ##### #####
#
# Permit all AMPR.ORG and LOCAL domains to ports 1 - 3601
tcp access permit 44/8 1 3601
tcp access permit 127.0.0.1 1 3601
#
# Do NOT allow inbound SMTP connections from the Internet
tcp access deny all 25 25
#
# Permit all to ports 1 - 3599
tcp access permit all 1 3599
#
# Permit all access to ports 3602 - 32768
tcp access permit all 3602 32768
#
# Deny all access to CONVERS ports 3600 and 3601
tcp access deny all 3600 3601
#
#
# NOTES: The preceding TCP ACCESS rules are read in order, TOP down!
# Order is important. Reading from the top down, the first rule that
# satisfies the originating address and port requirements is the one
# used. So you should place excludes before includes for specific
# originating addresses, followed by global [all] includes or
# excludes.
#
# Example:
# tcp access permit all 1 32768
# tcp access deny 167.23.43.1 3600 3601 <= should be first line
#
# This would not deny 167.23.43.1 access to the convers server, as the first
# rule would satisfy the test to allow, but reversing the order would!
#
#
# IP ACCESS
# *********
# IP ACCESS is an important bit of code for an INTERNET/AMPRnet Gateway,
# as it can be used to selectively allow or disallow the routing of
# TCP/IP packets based on source IP address, destination IP address,
# packet type [udp/tcp/..], UDP or TCP port number and interface port.
#
# For most gateways you would like to only pass AMPR.ORG originated
# IP addresses to other AMPR.ORG IP addresses (as UK and AUSTRALIAN LAW require).
# Exceptions might be where local law allows Amateurs to originate to
# anywhere (including non-amateur destinations), as the replies are
# technically under the control of the originator (as in USA and CANADIAN
# law).
#
# The idea behind IP ACCESS is to set up rules that will allow or deny
# routing of packets. Unlike the TCP ACCESS command, IP ACCESS does not
# restrict access to servers at the machine that is running this code. It
# does however restrict the gatewaying of IP packets across interface
# ports.
#
# Valid PROTOCOLS are ICMP, UDP, TCP, and ANY (everything else). ICMP
# and ANY do not allow specific port restrictions, as port numbers
# are not used by the other TCP/IP protocols.
#
# WHAT = <permit | deny | delete>
# PROT = <tcp | icmp | udp | any>
# PORT = ATTACHED INTERFACE/PORT
# LOW = TCP or UDP low port number
# HIGH = TCP or UDP high port number
#
# Below I use the following pseudo PORT names:
# AX0 = ax25 rf port
# AX1 = ax25 rf port
# AX3 = AXIP pseudo ax25 port
# BBS = SLIP port to an attached bbs
# MODEM = SLIP port to a telephone modem
# ETH0 = PACKET interface to ethernet card
# ENCAP = ENCAP routing interface
#
#
# IP ACCESS WHAT PROT SOURCE DESTINATION PORT low high
# ## ###### ###### #### ############# ############### ##### ###### ######
ip access permit icmp 44/8 all ax0 1 32768
ip access permit icmp 44/8 all ax1 1 32768
# ip access permit icmp all all ax3 1 32768
# ip access permit icmp all all bbs 1 32768
ip access permit icmp all all eth0 1 32768
ip access permit icmp all all encap 1 32768
# ip access permit icmp all all modem 1 32768
#
ip access permit udp 44/8 all ax0 1 32768
ip access permit udp 44/8 all ax1 1 32768
#
# ip access permit udp all 44.bbb.ccc.ddd ax2 1 32768
# The above line allows a machine 44.bbb.ccc.ddd to receive UDP datagrams
# from any source over a channel that would normally only allow 44/8 sources.
#
# ip access permit udp all all ax3 1 32768
# ip access permit udp all all bbs 1 32768
ip access permit udp all all eth0 1 32768
ip access permit udp all all encap 1 32768
# ip access permit udp all all modem 1 32768
#
# TCP will allow TCP client-server packets to be passed
#
ip access permit tcp 44/8 all ax0 1 32768
ip access permit tcp all 44/8 ax0 1000 3599
ip access permit tcp all 44/8 ax0 3602 32768
ip access permit tcp 44/8 all ax1 1 32768
#
# ip access permit tcp all 44.bbb.ccc.ddd ax1 25 25
# The above line allows a machine 44.bbb.ccc.ddd to receive incoming SMTP
# from any source over a channel that would normally only allow 44/8 sources.
#
# ip access permit tcp all all ax3 1 32768
# ip access permit tcp all all bbs 1 32768
ip access permit tcp all all eth0 1 32768
ip access permit tcp all all encap 1 32768
# ip access permit tcp all all modem 1 32768
#
# ANY will allow AXIP, IPIP etc!
#
# ip access permit any 44/8 44.bbb.ccc.ddd ax1 1 32768
# The above line allows a machine 44.bbb.ccc.ddd to receive incoming AXIP
# from 44/8 sources over a channel that would normally not allow AXIP.
#
# ip access permit any all all ax3 1 32768
# ip access permit any all all bbs 1 32768
ip access permit any all all eth0 1 32768
ip access permit any all all encap 1 32768
# ip access permit any all all modem 1 32768
#
# The default rule is to deny all that are not allowed above.
#
#
# ---end of file access.rc---
#