KB9MWR,
Well, I have not personally firewalled the WAN interface in the manner
described (since I use it as an optional second Gateway and I am in
control of two firewalls before the GW), though it is possible. The
easiest method would be to drop all incoming packets by default, only
allowing ICMP type 8 (Echo Request) and IPIP.
As far as I'm aware, aside from Ping (Echo Request), only a spoofed ACK packet
can reveal a firewalled online host. Since rip44 and proper routing
configuration allows received IPIP packets to be returned only to valid
subnets, only permitting Ping and IPIP should be rather secure.
It will not prevent (for example) an IPIP packet spoofed by a non-AMPR
user sent to your GW that possesses a valid 44 src IP and a dst IP
that's valid on your subnet. The reply would return to the AMPR IP in
the SRC address (unless they have a firewall). This is prevented since
only AMPR users know both the GW IP addresses and their associated
subnets. Just to note, this behaviour may be valid in a multihomed network.
-Lynwood
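An added example (not part of Lynwood's message or any AMPR project code) of the WAN policy he describes, written as an nftables ruleset: default drop on the public interface, with only ICMP Echo Request and IPIP (IP protocol 4) accepted, plus a sanity check on the decapsulated packets so that an IPIP payload whose inner source is outside 44-net space is discarded. Interface names "eth0" and "tunl0", the established/related rule for the gateway's own outbound sessions, and the 44.x.y.0/24 subnet placeholder are assumptions.

```nft
# Added example for an AMPR gateway; adjust names and subnet before use.
define WAN  = "eth0"          # assumed public interface
define TUN  = "tunl0"         # assumed IPIP tunnel interface
define AMPR = { 44.0.0.0/9, 44.128.0.0/10 }   # current 44-net space
# Placeholder only: substitute the gateway's own 44-net allocation.
define MY44 = 44.0.0.0/24

table inet ampr_gw {
    chain input {
        type filter hook input priority 0; policy drop;

        # Loopback and LAN-side traffic are not covered by this policy.
        iifname != { $WAN, $TUN } accept

        # Assumption: let replies to sessions the gateway itself opened in.
        ct state established,related accept

        # Packets arriving through the tunnel have already been
        # decapsulated; refuse any whose inner source is not 44-net.
        iifname $TUN ip saddr != $AMPR drop
        iifname $TUN accept

        # On the WAN: ICMP type 8 (Echo Request) only ...
        iifname $WAN icmp type echo-request accept
        # ... and IPIP (IP protocol 4) carrying AMPR traffic.
        iifname $WAN ip protocol 4 accept
        # Everything else on the WAN hits the drop policy.
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # Transit from the tunnel is only passed toward our own subnet,
        # and only when the inner source lies in 44-net.
        iifname $TUN ip saddr $AMPR ip daddr $MY44 accept
        # Our subnet may reply/originate out through the tunnel.
        oifname $TUN ip saddr $MY44 ip daddr $AMPR accept
        ct state established,related accept
    }
}
```

Load it with `nft -f` and inspect with `nft list ruleset`; a packet that reaches the WAN with any protocol other than ICMP echo-request or IPIP is silently dropped.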