Wouldn't it be easier to make a rule to drop all output from tunl0
without your subnet addresses as src...and not accept tcp...udp or
packets for your endpoints?
I understand the concept of blocks you don't expect traffic from; but the
list I posted includes ALL IPv4 addresses KNOWN everywhere on the global
Internet to not be valid ANYWHERE as a source, unless you expect it, for
ANY REASON, WHATSOEVER.
I know everyone is now understanding the security implications. Just as
I emailed Jerome in a separate email, it was also as simple for him to
remove AMPRGW as a source of IPENCAP traffic (but then he can't use the
Internet on his AMPRLAN). Just my $0.02...
- Lynwood
KB3VWG
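The two tunl0 rules discussed above (egress only from your own subnet, ingress never from addresses that cannot be valid Internet sources), simulated in Python as an added example that is not from the mail or the list; the martian list here is a constructed stand-in for the poster's list, the subnet 44.60.44.0/24 is a constructed placeholder, and the block also rejects your own prefix as an inbound source, a standard anti-spoofing addition the mail does not state.

```python
"""Simulate the tunl0 source-address policy (added example, not from the mail).

  * OUTPUT on tunl0: drop unless src is inside one of our own subnets.
  * INPUT  on tunl0: drop if src is a martian/bogon prefix, or if src is one
    of our own prefixes (a spoofing check not stated in the mail).
"""
import ipaddress
from dataclasses import dataclass

# Special-use prefixes that are never valid as a public unicast source.
# Constructed stand-in (RFC 1918 / RFC 6890 ranges); the poster's own list
# is not reproduced here.
MARTIANS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24",
    "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24",
    "224.0.0.0/4", "240.0.0.0/4",
)]


@dataclass
class Packet:
    iface: str       # interface the packet enters or leaves on
    direction: str   # "in" or "out"
    src: str
    dst: str


def _in_any(addr, nets):
    return any(addr in n for n in nets)


def tunl0_verdict(pkt, own_subnets):
    """Return 'ACCEPT' or 'DROP' for a packet on the tunnel interface.

    own_subnets: the AMPRNet prefixes assigned to this station
    (constructed values in the test; substitute your real allocation).
    """
    if pkt.iface != "tunl0":
        return "ACCEPT"          # this policy only covers the tunnel
    src = ipaddress.ip_address(pkt.src)
    own = [ipaddress.ip_network(s) for s in own_subnets]
    if pkt.direction == "out":
        # Egress: only our own addresses may leave through the tunnel.
        return "ACCEPT" if _in_any(src, own) else "DROP"
    # Ingress: refuse sources that cannot exist on the Internet, and refuse
    # our own prefixes arriving from outside (spoofed "from ourselves").
    if _in_any(src, MARTIANS) or _in_any(src, own):
        return "DROP"
    return "ACCEPT"
```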
On 04/20/2017:
I'm blocking entire blocks from countries like China, Afghanistan, US,
Brazil, Romania, Russia, Italy (why not?).