These are the rules that route AMPRNet traffic to and from the ipip daemon (FreeBSD ipfw syntax):
#
# AMPR routing
#
# table(1) contains all registered/routable 44net addrs.
# table(2) contains all registered gateways.

# outbound encapsulated packets
# should go only to registered gateways
00100 allow ipencap from me to 'table(2)'

# inbound encapsulated packets
# should only come from registered gateways
00200 allow ipencap from 'table(2)' to me

# filter the 44net input side of things
# valid destination addresses go to the router socket: ipipd
00300 divert 4444 ip from any to 'table(1)' in not dst-port 111,135-139,445,1025-1028,1900,2323,5353,7547

# filter the 44net output side of things
00400 allow ip from 'table(1)' to any
Explanation:
Preliminary filtering of incoming packets is done by the BSD ipfw firewall because it's easy to set up and very fast. Quite a bit more filtering is done by the ipip router daemon.
Ipfw table 1 contains a list of the 44-net host addresses from the AMPR.ORG DNS zone file that are routable according to the encap file. Table 2 contains a list of the gateways from the encap file.
Once an hour, the AMPR.ORG DNS zone file is fetched, normally at 10 minutes past the hour. Also hourly, the encap file is fetched from the portal, normally at 20 minutes past the hour. Whenever these files differ from their previous version, the ipfw tables are flushed and reloaded. When the encap file changes, the ipipd routing and the rip sender tables are also reloaded.
Rule 100 allows the encapped packets out to registered gateways.
Rule 200 allows encapped packets in only from registered gateway source addresses.
Rule 300 diverts incoming IP to the ipipd encapsulating router if the destination address is for a registered/routed address and not for certain destination ports.
Rule 400 allows outgoing IP with source addresses from registered/routed hosts.
That's about all the filtering that can be done without looking inside the encapped packets, which the BSD firewall can't do. The ipipd daemon handles that, and is much stricter. - Brian
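The hourly table rebuild Brian describes (fetch the zone file and the encap file, derive the routable 44net hosts and the gateway list, flush and reload tables 1 and 2 only when something changed), written out as an added example. This is not Brian's script and not part of ipipd or the AMPR portal; it assumes the encap file uses lines of the form "route addprivate 44.x.x.x/NN encap A.B.C.D", that the zone file contains ordinary BIND "NAME [TTL] IN A ADDR" records, and that the loaded table set is kept under a STATE directory so the next run can diff against it. The encap and zone contents at the bottom are constructed sample data standing in for the fetched files; the fetch step itself is left out.

```shell
#!/bin/sh
# Added example (not Brian's script, not ipipd code): rebuild ipfw table 1
# (routable 44net hosts) and table 2 (gateways) from an encap file and the
# AMPR.ORG zone file, and reload them only when the result differs from the
# last loaded set. Encap/zone formats below are assumptions; sample data is
# constructed. Dry run:  IPFW=echo STATE=/tmp/ampr sh thisfile.sh

IPFW=${IPFW:-ipfw}            # set IPFW=echo to see what would be loaded
STATE=${STATE:-/var/db/ampr}  # holds the last loaded table command file

ip2int() {                    # dotted quad -> 32-bit integer
    set -- $(echo "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# $1 = dotted quad, $2 = CIDR prefix; succeeds if $1 lies inside $2
in_prefix() {
    bits=${2#*/}
    mask=$(( (0xffffffff << (32 - bits)) & 0xffffffff ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "${2%/*}") & mask )) ]
}

encap_gateways() {            # $1 = encap file -> unique gateway addresses
    awk '$1 == "route" && $4 == "encap" { print $5 }' "$1" | sort -u
}

encap_prefixes() {            # $1 = encap file -> unique routed subnets
    awk '$1 == "route" && $4 == "encap" { print $3 }' "$1" | sort -u
}

zone_hosts() {                # $1 = zone file -> every 44net A record address
    awk '{ for (i = 1; i < NF; i++)
               if ($i == "A" && $(i+1) ~ /^44\.[0-9.]+$/) print $(i+1) }' "$1" | sort -u
}

# $1 = zone file, $2 = encap file -> zone hosts covered by some encap subnet
# (a 44net address with no encap route is not routable and stays out of table 1)
routable_hosts() {
    prefixes=$(encap_prefixes "$2")
    for host in $(zone_hosts "$1"); do
        for p in $prefixes; do
            if in_prefix "$host" "$p"; then echo "$host"; break; fi
        done
    done
}

# Emit an ipfw command file (one command per line, loadable with "ipfw -q FILE")
# that flushes and refills both tables.
build_tables() {              # $1 = zone file, $2 = encap file
    echo "table 1 flush"
    routable_hosts "$1" "$2" | sed 's/^/table 1 add /'
    echo "table 2 flush"
    encap_gateways "$2" | sed 's/^/table 2 add /'
}

# Rebuild the table set; load it only if it differs from the previous one.
# Prints "reloaded" or "unchanged"; returns non-zero if the load failed.
reload_if_changed() {         # $1 = zone file, $2 = encap file
    mkdir -p "$STATE"
    build_tables "$1" "$2" > "$STATE/tables.new"
    if [ -f "$STATE/tables.cur" ] && cmp -s "$STATE/tables.new" "$STATE/tables.cur"; then
        rm "$STATE/tables.new"; echo unchanged
    elif "$IPFW" -q "$STATE/tables.new"; then
        mv "$STATE/tables.new" "$STATE/tables.cur"; echo reloaded
    else
        echo "ipfw load failed, keeping previous tables" >&2; return 1
    fi
}

# ---- constructed sample input (stands in for the hourly fetched files) ----
TMP=${TMP:-$(mktemp -d)}
ENCAP=$TMP/encap.txt; ZONE=$TMP/ampr.org.zone
cat > "$ENCAP" <<'EOF'
route addprivate 44.2.2.0/24 encap 198.51.100.10
route addprivate 44.2.3.0/24 encap 198.51.100.10
route addprivate 44.3.0.0/16 encap 203.0.113.7
EOF
cat > "$ZONE" <<'EOF'
$ORIGIN ampr.org.
$TTL 3600
gw-a      IN A  44.2.2.1
host-b    IN A  44.3.9.8
orphan    IN A  44.9.9.9
gw-a      IN MX 10 mail.example.
EOF

build_tables "$ZONE" "$ENCAP"
```

With the sample data, 44.9.9.9 has an A record but no encap route, so it never reaches table 1, which is exactly the "routable according to the encap file" condition; the two /24s behind 198.51.100.10 collapse to a single table 2 entry. Running the script twice in a row gives "reloaded" then "unchanged", so a cron job can call it every hour without touching the kernel tables when nothing moved.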