This is a false security.
But setting the public interface to accept only ip proto 4 traffic is a
solution.
And on the tunnel, only to accept requests with source address 44/8.
Spoofed traffic will not be correctly routed back, so that is no real
issue in this case.
>> Subject: [44net] OpenWRT Security Notice
>> From: lleachii(a)aol.com
>> Date: 02/02/2016 04:11 AM
>> To: 44net(a)hamradio.ucsd.edu
>>
>> the least computationally difficult method to protect our gateways from
>> rogue packets is to not publicize/announce our Public WAN-facing IP
>> address.
>
> Of course that does not work very well.
> All other gateway stations know your public IP and those who really want
> to know it can probably obtain it.
> The only way to protect your system is by using appropriate filters. And
> yes, these can be difficult to design,
> especially in the world of lousy internet service providers that do not
> bother filtering clients that spoof addresses....
>
> Rob
>
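
The two checks proposed in the reply at the top of this message (outer IP protocol 4 only on the public interface, then source address in 44/8 inside the tunnel), modelled in Python over raw packet bytes. This is an added example, not part of the original thread or any poster's configuration; the function names and sample addresses are constructed for illustration.

```python
import ipaddress
import struct

AMPR_NET = ipaddress.ip_network("44.0.0.0/8")  # the 44/8 range named in the message
IPPROTO_IPIP = 4                               # IP-in-IP, "ip proto 4"

def parse_ipv4(packet: bytes):
    """Return (protocol, source, payload), or None if the header is malformed."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if ihl < 20 or total_len < ihl or len(packet) < total_len:
        return None
    return packet[9], ipaddress.ip_address(packet[12:16]), packet[ihl:total_len]

def filter_public(packet: bytes) -> str:
    """Decide the fate of a packet arriving on the public (WAN) interface."""
    outer = parse_ipv4(packet)
    if outer is None:
        return "drop: malformed outer header"
    proto, _outer_src, payload = outer
    if proto != IPPROTO_IPIP:
        return "drop: outer protocol is not 4"
    inner = parse_ipv4(payload)
    if inner is None:
        return "drop: malformed inner header"
    if inner[1] not in AMPR_NET:
        return "drop: inner source outside 44/8"
    return "accept"

def build_ipv4(proto: int, src: str, dst: str, payload: bytes = b"") -> bytes:
    """Build a constructed sample packet (checksum left at zero, not checked here)."""
    header = struct.pack(
        "!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
        ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return header + payload

if __name__ == "__main__":
    # Constructed samples: documentation-range public addresses, 44/8 inside.
    good = build_ipv4(4, "192.0.2.10", "198.51.100.1",
                      build_ipv4(1, "44.0.0.1", "44.0.0.2"))
    direct = build_ipv4(6, "192.0.2.10", "198.51.100.1")
    for name, pkt in (("tunnelled 44/8", good), ("direct TCP", direct)):
        print(name, "->", filter_public(pkt))
```

An inner source forged to lie inside 44/8 still passes the second check; as the message notes, replies to such traffic are not routed back to the sender.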