This is a false security. But setting the public interface to accept only ip proto 4 traffic is a solution. And on the tunnel, only to accept requests with source address 44/8. Spoofed traffic will not be correctly routed back, so that is no real issue in this case.
Subject: [44net] OpenWRT Security Notice
From: lleachii@aol.com
Date: 02/02/2016 04:11 AM
To: 44net@hamradio.ucsd.edu
the least computationally difficult method to protect our gateways from rogue packets is to not publicize/announce our Public WAN-facing IP address.
Of course that does not work very well. All other gateway stations know your public IP and those who really want to know it can probably obtain it. The only way to protect your system is by using appropriate filters. And yes, these can be difficult to design, especially in the world of lousy internet service providers that do not bother filtering clients that spoof addresses....
Rob
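
The two filters proposed in this thread (IP protocol 4 only on the public interface, source 44/8 only on the tunnel), written out as an added example that is not part of either message: a shell function that emits `iptables-restore` input. The use of iptables, the chain names `AMPR_WAN`/`AMPR_TUN` and the interface names `eth0`/`tunl0` are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Emits iptables-restore input for:
#   1. public interface: accept only IP protocol 4 (IPIP), drop the rest
#   2. tunnel interface: accept only source 44.0.0.0/8, drop the rest
# Assumption: the public interface carries nothing but the IPIP tunnel.
# Replies to the router's own outbound connections (DNS, NTP, DHCP) are
# dropped by rule 1 unless a separate rule admits them.
ampr_rules() {
    wan="$1"; tun="$2"
    # Refuse names that could smuggle extra text into the ruleset.
    for ifname in "$wan" "$tun"; do
        case "$ifname" in
            ""|*[!A-Za-z0-9_.-]*)
                echo "bad interface name: '$ifname'" >&2
                return 1 ;;
        esac
    done
    cat <<EOF
*filter
:AMPR_WAN - [0:0]
:AMPR_TUN - [0:0]
-A INPUT -i $wan -j AMPR_WAN
-A INPUT -i $tun -j AMPR_TUN
-A FORWARD -i $tun -j AMPR_TUN
-A AMPR_WAN -p 4 -j ACCEPT
-A AMPR_WAN -j DROP
-A AMPR_TUN -s 44.0.0.0/8 -j ACCEPT
-A AMPR_TUN -j DROP
COMMIT
EOF
}

# Usage (interface names are assumptions; run as root on the gateway):
#   ampr_rules eth0 tunl0 | iptables-restore --noflush
```

The source check on the tunnel applies to the inner (decapsulated) header only; the outer sender is not constrained by these rules, which is the spoofing case both messages discuss.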