These are the rules that route AMPRNet traffic to and from the
ipip daemon (FreeBSD ipfw syntax):
#
# AMPR routing
#
# table(1) contains all registered/routable 44net addrs.
# table(2) contains all registered gateways.
# outbound encapsulated packets
# should go only to registered gateways
00100 allow ipencap from me to 'table(2)'
# inbound encapsulated packets
# should only come from registered gateways
00200 allow ipencap from 'table(2)' to me
# filter the 44net input side of things
# valid destination addresses go to the router socket: ipipd
00300 divert 4444 ip from any to 'table(1)' in not dst-port 111,135-139,445,1025-1028,1900,2323,5353,7547
# filter the 44net output side of things
00400 allow ip from 'table(1)' to any
Explanation:
Preliminary filtering of incoming packets is done by the BSD
ipfw firewall because it's easy to set up and very fast. Quite
a bit more filtering is done by the ipip router daemon.
Ipfw table 1 contains a list of the 44-net host addresses from the
AMPR.ORG DNS zone file that are routable according to the encap file.
Table 2 contains a list of the gateways from the encap file.
Once an hour, the AMPR.ORG DNS zone file is fetched, normally at
10 minutes past the hour. Also hourly, the encap file is fetched
from the portal, normally at 20 minutes past the hour. Whenever
these files differ from their previous version, the ipfw tables are
flushed and reloaded. When the encap file changes, the ipipd
routing and the RIP sender tables are also reloaded.
Rule 100 allows the encapped packets out to registered gateways.
Rule 200 allows encapped packets in only from registered gateway
source addresses.
Rule 300 diverts incoming IP to the ipipd encapsulating router
if the destination address is for a registered/routed address
and not for certain destination ports.
Rule 400 allows outgoing IP with source addresses from registered/routed
hosts.
That's about all the filtering that can be done without looking inside
the encapped packets, which the BSD firewall can't do. The ipipd daemon
handles that, and is much stricter.
- Brian
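The hourly compare-and-reload of ipfw table 2 from the encap file, as an added shell example that is not part of Brian's post or the ipipd project. It assumes encap lines of the form "route addprivate 44.x.x.x/NN encap A.B.C.D" (the constructed sample below) and an IPFW variable that defaults to a dry-run echo.

```shell
#!/bin/sh
# Added example (not from the original post): rebuild ipfw table(2) from an
# encap-format file, flushing and reloading only when the file has changed.
# Assumed encap line format (constructed for this example):
#   route addprivate 44.1.2.0/24 encap 192.0.2.10
# IPFW defaults to "echo ipfw" (dry run) so the script can be run anywhere;
# set IPFW=ipfw on the FreeBSD gateway to apply the rules for real.
IPFW="${IPFW:-echo ipfw}"

# Print the sorted, de-duplicated gateway addresses found in an encap file.
# Only "route ... encap <gw>" lines count; comments and junk are ignored.
encap_gateways() {
    awk '$1 == "route" && $4 == "encap" { print $5 }' "$1" | sort -u
}

# Compare the freshly fetched encap file with the previously loaded copy.
# If they differ, flush table 2, add every gateway, and keep the new copy.
# Prints "unchanged" when nothing needs to be done, "reloaded" otherwise.
reload_gateways() {
    new="$1"; prev="$2"
    if [ -f "$prev" ] && cmp -s "$new" "$prev"; then
        echo unchanged
        return 0
    fi
    $IPFW table 2 flush
    encap_gateways "$new" | while read -r gw; do
        $IPFW table 2 add "$gw"
    done
    cp "$new" "$prev"
    echo reloaded
}
```

Table 1 is rebuilt the same way from the DNS zone file; only the extraction step differs, since hosts rather than gateways are loaded.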