#--------------------------------------------------------------------------#
# AmprNet Brasil - http://www.amprnet.org.br - Net-44 44.174/16   Feb/1998 #
# Joao Fabio de Oliveira - PU5PJF - jfabio@arpa.arauc.br                   #
# -------------------------------------------------------------------------#
# Security parameters
#
# Attention: uncomment the lines according to the security policy
#            applied on your gateway
#
#
# Start of ACCESS.NOS file
# ************************
#
# ip access [/] [/] [low [high]]
#
# tcp access [/] [lowport [highport]]
#
# NB: The IP ACCESS and TCP ACCESS framework is based on the IP ACCESS and
#     TCP ACCESS control files shown below, written by VE3RKS at VE3UOW and
#     by VE3PNX at VE3RPI.
#
# - This file should be sourced into your autoexec.nos file after all ports
#   have been attached and defined.
# - This file also contains a handy summary of which TCP/UDP ports are
#   commonly used.
# - This file contains information on the use of TCP ACCESS and IP ACCESS.
# - All lines begin with # symbols. This is to allow this file to be sourced
#   into your autoexec.nos after being edited for your specific setup. Lines
#   that do not begin with # symbols are valid NOS IP and TCP ACCESS commands.
#
# Ports of interest for both UDP and TCP
# **************************************
# 1 - 3599 - SERVER PORTS: limit access based on local rules, UDP and TCP
# ***************************************************************************
#    7 - ECHO
#    9 - DISCARD
#   20 - FTP-DATA
#   21 - FTP-CONTROL
#   23 - TELNET
#   25 - SMTP
#   57 - SECONDARY TELNET
#   67 - BOOTP
#   79 - FINGER
#   87 - TTYLINK [Operator chat]
#   97 - AXIP/IPIP/IPTUNNEL
#  109 - POP2
#  110 - POP3
#  119 - NNTP
#  513 - RLOGIN/RWHO
#  525 - TIME DAEMON
# 1234 - REMOTE
# 1235 - CALLSIGN DB
# 3600 - CONVERS [Only AMPR.ORG domain should have access]
# 3601 - LZW CONVERS [Only AMPR.ORG domain should have access]
# ***************************************************************************
# 1050 - 32768 - REPLY PORTS should be accessible to all   <= very important
# ***************************************************************************
#
# TCP ACCESS
# **********
# TCP ACCESS is used to limit access to certain servers accessible by
# TCP/TELNET to specific ports. For example you may want to allow
# access to the SMTP server in your machine from all machines, AMATEUR
# and NON-AMATEUR.
#
# TCP ACCESS only stops a connection to a server from being built at
# the machine on which it is installed. If you want to stop a gateway
# from routing TCP/IP packets from specific addresses to specific
# addresses you need to use the IP ACCESS code!
#
# TCP ACCESS   WHAT     FROM             LOW    HIGH
# ###  ######  ######   ###############  #####  #####
#
# IP ACCESS
# *********
# IP ACCESS is an important bit of code for an INTERNET/AMPRnet Gateway
# as it can be used to selectively allow or disallow the routing of
# TCP/IP packets based on source ip address, destination ip address,
# packet type [udp/tcp/..], UDP or TCP port number and interface port.
#
# For most gateways you would like to only pass AMPR.ORG originated
# ip addresses to other AMPR.ORG ip addresses (like UK and AUSTRALIAN LAW).
# Exceptions might be where local law allows Amateurs to originate to
# anywhere (including non-amateur destinations) as the replies are
# technically under the control of the originator (like USA and CANADIAN
# law).
#
# The idea behind IP ACCESS is to set up rules that will allow or deny
# routing of packets. Unlike the TCP ACCESS command, IP ACCESS does not
# restrict access to servers at the machine that is running this code. It
# does however restrict the gatewaying of IP packets across interface
# ports.
#
# Valid PROTOCOLS are ICMP, UDP, TCP, and ANY (everything else). Neither
# ICMP nor ANY allows specific port restrictions, as port numbers are not
# really used by the other TCP/IP protocols.
#
# WHAT =
# PROT =
# PORT = ATTACHED INTERFACE/PORT
# LOW  = TCP or UDP low port number
# HIGH = TCP or UDP high port number
#
# Below I use the following pseudo PORT names:
# AX1   = ax25 rf port
# AX2   = ax25 rf port
# AX3   = AXIP pseudo ax25 port
# BBS   = SLIP port to an attached bbs
# MODEM = SLIP port to a telephone modem
# ETHER = PACKET interface to ethernet card
# ENCAP = ENCAP routing interface
#
# IP ACCESS   WHAT    PROT   SOURCE         DESTINATION      PORT   low     high
# ## ######   ######  ####   #############  ###############  #####  ######  ######
# ip access permit icmp 44/8 all vhf 1 32768
# ip access permit icmp 44/8 all uhf1 1 32768
# ip access permit icmp 44/8 all uhf2 1 32768
# ip access permit icmp all all eth 1 32768
# ip access permit icmp all all encap 1 32768
# ip access permit udp 44/8 all vhf 1 32768
# ip access permit udp all 44.174.013.001 vhf 1 32768
# ip access permit udp 44/8 all uhf1 1 32768
# ip access permit udp all 44.174.013.001 uhf1 1 32768
# ip access permit udp 44/8 all uhf2 1 32768
# ip access permit udp all 44.174.013.001 uhf2 1 32768
# The above line allows a machine 44.bbb.ccc.ddd to receive UDP datagrams
# from any source over a channel that would normally only allow 44/8 sources
# ip access permit udp all all eth 1 32768
# ip access permit udp all all encap 1 32768
# TCP will allow TCP client-server packets to be passed
# ip access permit tcp 44/8 all vhf 1 32768
# ip access permit tcp all 44/8 vhf 1000 3599
# ip access permit tcp all 44/8 vhf 3602 32768
# ip access permit tcp all 44.174.013.001 vhf 25 25
# ip access permit tcp 44/8 all uhf1 1 32768
# ip access permit tcp all 44/8 uhf1 1000 3599
# ip access permit tcp all 44/8 uhf1 3602 32768
# ip access permit tcp all 44.174.013.001 uhf1 25 25
# ip access permit tcp 44/8 all uhf2 1 32768
# ip access permit tcp all 44/8 uhf2 1000 3599
# ip access permit tcp all 44/8 uhf2 3602 32768
# ip access permit tcp all 44.174.013.001 uhf2 25 25
# The above line allows a machine 44.bbb.ccc.ddd to receive incoming SMTP
# from any source over a channel that would normally only allow 44/8 sources
# ip access permit tcp all all eth 1 32768
# ip access permit tcp all all encap 1 32768
# ANY will allow AXIP, IPIP etc!
# ip access permit any 44/8 44.bbb.ccc.ddd vhf 1 32768
# ip access permit any 44/8 44.bbb.ccc.ddd uhf1 1 32768
# ip access permit any 44/8 44.bbb.ccc.ddd uhf2 1 32768
# The above line allows a machine 44.bbb.ccc.ddd to receive incoming axip
# from 44/8 sources over a channel that would normally not allow axip
# ip access permit any all all eth 1 32768
# ip access permit any all all encap 1 32768
# The default rule is to deny all that are not allowed above.
# ip access deny any all all vhf
# ip access deny any all all uhf1
# ip access deny any all all uhf2
# ip access deny any all all eth
# ip access deny any all all encap
#
# --------------------------------------------------------------------------
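As an added illustration (not part of this file nor of NOS itself), the Python below parses a subset of the vhf and encap rules above and applies them with first-match semantics, so the effect of rule order and of the port-25 exception for 44.174.013.001 can be checked against constructed packets. It assumes that ANY matches every protocol (as the closing deny lines intend), that the port test applies to the destination port, and that a packet matching no rule is denied.

```python
import ipaddress
# Constructed rule list: the vhf and encap lines from the file above.
RULES_TEXT = """\
ip access permit tcp 44/8 all vhf 1 32768
ip access permit tcp all 44/8 vhf 1000 3599
ip access permit tcp all 44/8 vhf 3602 32768
ip access permit tcp all 44.174.013.001 vhf 25 25
ip access permit udp all all encap 1 32768
ip access deny any all all vhf
ip access deny any all all encap
"""

def parse_net(tok):
    """'all' -> None (wildcard); '44/8' -> 44.0.0.0/8; a bare address -> /32.
    Short prefixes are padded with zero octets; leading zeros are dropped."""
    if tok == "all":
        return None
    addr, _, bits = tok.partition("/")
    octets = [str(int(o)) for o in addr.split(".")]
    octets += ["0"] * (4 - len(octets))
    return ipaddress.ip_network(".".join(octets) + "/" + (bits or "32"), strict=False)

def parse_rules(text):
    """Parse 'ip access <what> <proto> <src> <dst> <iface> [low [high]]' lines.
    Assumption: no range means any port; a lone low value means that one port."""
    rules = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 7 or f[:2] != ["ip", "access"]:
            continue
        low = int(f[7]) if len(f) > 7 else 0
        high = int(f[8]) if len(f) > 8 else (low if len(f) > 7 else 65535)
        rules.append((f[2], f[3], parse_net(f[4]), parse_net(f[5]), f[6], low, high))
    return rules

def check(rules, proto, src, dst, iface, dport=None):
    """First matching rule decides. Assumptions: 'any' matches every protocol,
    the port test is on the destination port, and no match at all means deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for what, rproto, rsrc, rdst, riface, low, high in rules:
        if riface != iface or (rproto != "any" and rproto != proto):
            continue
        if (rsrc is not None and s not in rsrc) or (rdst is not None and d not in rdst):
            continue
        if rproto in ("tcp", "udp") and dport is not None and not low <= dport <= high:
            continue
        return what
    return "deny"
RULES = parse_rules(RULES_TEXT)
```

With this list, SMTP (port 25) from a non-44 address to 44.174.13.1 over vhf is permitted while TELNET (23) to the same host and CONVERS (3600) to any 44/8 host fall through to the deny line. Note that the file's rules use the gateway's real interface names (vhf, uhf1, uhf2, eth, encap) rather than the pseudo names AX1 to ENCAP listed in its comments.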