Lynwood helped me when I came online. I learned a lot from Lynwood; he helped me sort my
routing table out. I have not been doing a lot lately with my little piece of the AMPRnet,
but it seems to work. My script isn’t exactly letter-perfect, but I incorporated the ipset
ipipfilter that he sent me. I’ve also used the iptables recent module to drop brute-force
attempts on SSH against my 44net gateway address.
My gateway is currently a Raspberry Pi with a USB interface as the external interface,
running in a DMZ behind a pfSense router. It works well because the only traffic that hits
my AMPR gateway is the ipip tunneled traffic, thus simplifying my routing table.
Sent from my iPad
Tom/N2XU
On Jan 10, 2019, at 7:28 PM, LLEACHII--- via 44Net
<44net(a)mailman.ampr.org> wrote:
Rob,
I never noted I have a problem. The ipset script is the one I currently use. As I recall,
the iptables script was verbatim from another operator, and it worked as well. I can't
recall who gave me that script. The ipset script is the one I edited, per your message in
2018. I have made no updates to the iptables script, and left lots of old notes and
comments intact; hence some of the comments may disagree.
I edited it to use ipset approximately 2 years ago, hence the remaining while statement.
I'm sure anyone utilizing the ipset script would like it to be as straightforward as
possible. Are you suggesting (pseudo-code confuses me):
---
#!/bin/sh
# load encap.txt into ipipfilter list
PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
AMPRGW="<AMPRGW>"
cd /var/lib/ampr-ripd || exit 1
# create the set if it does not exist yet (the error when it already does is expected)
ipset -N ipipfilter hash:ip 2>/dev/null
ipset flush ipipfilter
# always allow our own gateway address
ipset -A ipipfilter "$AMPRGW"
# one entry per unique tunnel endpoint listed in encap.txt
grep addprivate encap.txt | sed -e 's/.*encap //' | sort -u | while read -r ip
do
    ipset -A ipipfilter "$ip"
done
---
I tested it and it seems to work. I also believe diffutils doesn't need to be
installed. I'll update the OpenWrt Wiki.
I only noted it in this particular best practices/tools thread due to messages in
SEP2018:
https://mailman.ampr.org/mailman/private/44net/2018-September/009294.html
I like to "lock down" my router as much as possible. I do understand we've
chatted in the past that my methods may be too paranoid, but I'd prefer to have an
extra step to secure the IPENCAP interface.
73,
- Lynwood
KB3VWG
_________________________________________
44Net mailing list
44Net(a)mailman.ampr.org
https://mailman.ampr.org/mailman/listinfo/44net
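The flush-then-add loop in the script above leaves a short window in which the ipipfilter set is empty and all tunnel traffic is dropped until the loop finishes. The following is an added example, not Lynwood's script, that builds the same set from encap.txt but fills a temporary set and swaps it in atomically with `ipset restore`; it assumes the `route addprivate ... encap <gateway>` line format of ampr-ripd's encap.txt and the set name ipipfilter used in the thread.

```shell
#!/bin/sh
# Added example (not the script from the thread): refill the ipipfilter set from
# encap.txt with an atomic swap instead of "flush" followed by one "add" per
# gateway, so tunnel traffic is never dropped while the set is half-filled.
# Assumes the encap.txt format written by ampr-ripd as quoted in the thread
# ("route addprivate 44.x.x.x/nn encap 192.0.2.1").

# Print an "ipset restore" batch to stdout.
#   $1    = own gateway address, always kept in the set
#   stdin = contents of encap.txt
build_ipipfilter_restore() {
    # Both sets must exist with the same type before "swap" is possible;
    # the caller passes -exist to ipset so an existing set is not an error.
    printf 'create ipipfilter hash:ip\n'
    printf 'create ipipfilter_tmp hash:ip\n'
    printf 'flush ipipfilter_tmp\n'
    printf 'add ipipfilter_tmp %s\n' "$1"
    # Keep only well-formed IPv4 gateways: encap.txt is data learned over RIP,
    # and one malformed line would otherwise abort the whole restore batch.
    grep addprivate | sed -e 's/.*encap //' |
        grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' | sort -u |
        while read -r ip; do
            printf 'add ipipfilter_tmp %s\n' "$ip"
        done
    # The live set is replaced in a single kernel operation.
    printf 'swap ipipfilter_tmp ipipfilter\n'
    printf 'destroy ipipfilter_tmp\n'
}

# Apply the batch (needs root), e.g.:
#   refresh_ipipfilter 192.0.2.1 < /var/lib/ampr-ripd/encap.txt
refresh_ipipfilter() {
    build_ipipfilter_restore "$1" | ipset -exist restore
}
```

Running `build_ipipfilter_restore` on its own prints the batch without touching the kernel, which is a convenient way to check what the set will contain before applying it.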