I think that script is OK, except of course this line:
AMPRGW="<AMPRGW>"
Should be edited to the actual address of AMPRGW instead of that <AMPRGW>.
I think it is better to just put the literal address in the example code as this kind of substitution confuses people. When it changes, the Wiki can be updated. It is of course also possible to look it up using DNS but that will require another dependent package e.g. "dig" and again may confuse people.
I tested it and it seems to work. I also believe diffutils doesn't need to be installed, either. I'll update the OpenWrt Wiki.
Correct, the diffutils was only required for the iptables version which uses the diff command to generate changes once the table is initially loaded instead of replacing it from zero every time as the ipset version does.
I only noted it in this particular best practices/tools thread due to messages in SEP2018:
Yes that was a case where I actually received some "malicious" IPIP traffic, but it happens quite seldomly. Of course it never hurts to lock down as well as possible, but I wanted to indicate that installing this filter is not the full response to the security reminder that Brian posted. I hope people do not think "Oh, Brian posted a security advisory and now there is this script that I do not yet have so let's install it so my system is secured", as this is only a very small and probably insignificant part of that whole security solution.
When someone wants quick-and-dirty solutions to the security problem, it is much better to install some firewall rules according to this pattern:
- accept ESTABLISHED/RELATED
- accept new outgoing traffic
- accept new incoming traffic matching some specific addresses/ports/protocols
- drop everything else
It is usually easiest to have two of those rulesets, one that applies to traffic incoming on the internet interface (where you want to accept protocol 4 using your ipset and not much else) and one that applies to traffic incoming on the tunnel interface (where you are basically handling AMPRnet traffic and may allow a bit more, but often you allow more from 44.0.0.0/8 than from other addresses).
How complicated that ends up being is of course dependent on what services your system(s) should expose, but at least it drops everything that you usually do not want to serve to the outside, like SNMP and DNS.
Rob
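The two-ruleset pattern described in the message above, written out as an added iptables example (this is not a script from the thread or from the Wiki). The interface names eth0 and tunl0, the ipset name ampr-gw and the permitted ports are assumptions; the ipset is assumed to be filled by the gateway-list script under discussion.

```shell
#!/bin/sh
# Added example, not a script from the thread.  Interface names, the ipset
# name and the permitted services are assumptions; the ipset of AMPR gateway
# addresses is assumed to be maintained by the script discussed in the thread.
WAN="${WAN:-eth0}"          # internet-facing interface (assumed)
TUN="${TUN:-tunl0}"         # IPIP tunnel interface (assumed)
GWSET="${GWSET:-ampr-gw}"   # ipset of AMPR gateway addresses (assumed name)
AMPRNET="44.0.0.0/8"

# DRYRUN=1 prints each rule instead of applying it, so the ruleset can be
# reviewed without root and without touching the live firewall.
ipt() {
    if [ "${DRYRUN:-0}" = "1" ]; then echo "iptables $*"; else iptables "$@"; fi
}

gen_rules() {
    ipt -P INPUT DROP        # drop everything else
    ipt -P OUTPUT ACCEPT     # accept new outgoing traffic
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate INVALID -j DROP

    # Ruleset 1: traffic arriving on the internet interface.  Only IPIP
    # (protocol 4) from the gateways in the ipset, plus remote admin (assumed).
    ipt -N IN_WAN
    ipt -A INPUT -i "$WAN" -j IN_WAN
    ipt -A IN_WAN -p 4 -m set --match-set "$GWSET" src -j ACCEPT
    ipt -A IN_WAN -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
    ipt -A IN_WAN -j DROP

    # Ruleset 2: traffic arriving through the tunnel.  AMPRnet sources get a
    # few more services; SNMP (161/udp) and DNS (53) are not listed, so they
    # fall through to the final DROP on both interfaces.
    ipt -N IN_TUN
    ipt -A INPUT -i "$TUN" -j IN_TUN
    ipt -A IN_TUN -p icmp -j ACCEPT
    ipt -A IN_TUN -s "$AMPRNET" -p tcp -m multiport --dports 22,80 -j ACCEPT
    ipt -A IN_TUN -j DROP
}

# Review:  sh ampr-fw.sh review        Apply (as root):  sh ampr-fw.sh apply
case "${1:-}" in
    apply)  gen_rules ;;
    review) DRYRUN=1; gen_rules ;;
esac
```

Run it with `review` first and compare the printed rules against the services the box actually has to expose before applying them.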