packet-radio-hardening
Differences
This shows you the differences between two versions of the page.
| packet-radio-hardening [2025/11/29 05:58] – removed - external edit (Unknown date) 127.0.0.1 | packet-radio-hardening [2025/11/29 11:07] (current) – [Reboot Safety] n6cta | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| + | ====== Packet Radio Hardening ====== | ||
| + | Running a packet radio node is // | ||
| + | ===== Security ===== | ||
| + | |||
| + | |||
| + | ==== Threat Model ==== | ||
| + | The purpose of this article is to highlight precautions to take when connecting your node to the Internet as well as stack reboot safety. We are not considering exploits through over-the-air routes, as these are largely hypothetical or difficult to carry out. | ||
| + | |||
| + | ==== Precaution #1: Know who you link to ==== | ||
| + | It's not a bad idea to establish correspondence and do the basic amount of due diligence to make sure you're not building infrastructure with people you don't want to be associated with. | ||
| + | |||
| + | ==== Precaution #2: Protocols ==== | ||
| + | When configuring forwarding and routes over the Internet to other BPQ nodes, use AXUDP and not AXIP. AXUDP works better with modern firewalls, while AXIP generally presents trouble. | ||
| + | |||
| + | ==== Precaution #3: Firewalls ==== | ||
| + | You should run both router firewalls as well as OS level firewalls and start with the sane defaults of allowing all egress and denying all ingress outside of the local network subnet. | ||
| + | |||
| + | ===== Reboot Safety ===== | ||
| + | Using linux makes this easy with udev rules, ALSA configs, and systemd services to manage stack startup sequences. | ||
| + | |||
| + | |||
| + | FARPN is currently developing automation scripts for managing firewalls and yggdrasil public key authentication as well as systemd service templates for our basic software stack. | ||
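Review bot: Precaution #3 sets a default of "denying all ingress outside of the local network subnet", but Precaution #2 tells the reader to run forwarding and routes to other BPQ nodes over AXUDP across the Internet, and the firewall section never says how that traffic fits the deny-all default. Suggest adding a sentence to Precaution #3 stating that the AXUDP port is the one ingress exception and that it should be allowed only from the addresses of the link partners vetted under Precaution #1, on both the router firewall and the OS firewall. Separately, the Reboot Safety section names udev rules, ALSA configs and systemd services without saying what each one is responsible for at startup; a line per mechanism would make the section usable until the FARPN templates mentioned in the last paragraph are published.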