For me, most all of the bad stuff is coming in via the spoofed ampr gateway address of 169.228.66.251
When you see internet traffic as bad stuff, you will receive a lot of it from that address, but most of it will not be spoofed. It is traffic from the internet to your AMPRnet address(es) that is being relayed, the intended purpose of amprgw.
Maybe there should be a separate filter for incoming traffic via the gateway. We have that on our gateway: a local AMPRnet user can indicate if they want to receive incoming connects from the internet, and they are placed in a bitmap ipset similar to the bitmap created from the DNS hosts. By default they are not in that map, and only replies to outgoing traffic are allowed. Of course this is only possible because we run connection tracking on our gateway, which is probably not done on amprgw. It keeps out a lot of junk.
A simple version without connection tracking could block incoming TCP SYN and maybe some UDP traffic to ports like 53 and 161 and others. That would still mean there has to be some registration capability to turn this on/off per address. DNS is already used to control the strict allow/deny per address, so it cannot be used for this.
Rob
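The opt-in inbound filter described above, written out as an added example; this is not code from the post or from any gateway mentioned in it. It assumes an iptables/ipset gateway with a /16 local AMPRnet allocation (44.137.0.0/16 here, chosen so a bitmap:ip set fits its 65536-address limit; a larger block needs hash:ip), interface names ampr0 (AMPRnet side) and eth0 (internet side), and two constructed opted-in hosts 44.137.1.2 and 44.137.5.9. All of those are assumptions. The script emits both variants from the post: the conntrack one, where only replies to outgoing traffic and opted-in destinations get through, and the stateless one, which only refuses inbound TCP SYN and UDP to 53/161 for addresses not in the set. opt_in and opt_out are the per-address registration toggle. Commands are printed rather than executed unless DRY_RUN=0.

```shell
#!/bin/sh
# Opt-in inbound filter for an AMPRnet gateway. Added example, not from the post.
# Assumed (not stated in the post): local allocation 44.137.0.0/16, tunnel-side
# interface ampr0, internet-side interface eth0, iptables and ipset installed.
set -eu

AMPR_IF=${AMPR_IF:-ampr0}
INET_IF=${INET_IF:-eth0}
LOCAL_NET=${LOCAL_NET:-44.137.0.0/16}  # bitmap:ip holds at most 65536 addresses
SET=ampr_inbound
DRY_RUN=${DRY_RUN:-1}                   # 1: print the commands, 0: execute them

# Every firewall command goes through here so the rule set can be reviewed
# without root and without touching a live gateway.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Create the opt-in set (idempotent because of -exist) and seed it with the
# addresses given as arguments.
create_set() {
    run ipset create "$SET" bitmap:ip range "$LOCAL_NET" -exist
    for host in "$@"; do
        run ipset add "$SET" "$host" -exist
    done
}

# Per-address registration: a user asks for inbound connections, or withdraws.
# ipset itself rejects addresses outside LOCAL_NET for a bitmap:ip set.
opt_in()  { run ipset add "$SET" "$1" -exist; }
opt_out() { run ipset del "$SET" "$1" -exist; }

# Variant 1, with connection tracking: replies to outgoing traffic pass,
# opted-in destinations pass, everything else arriving from the internet is
# dropped. The jump from FORWARD is added last so the chain is never hit empty.
stateful_rules() {
    run iptables -N AMPR_IN
    run iptables -A AMPR_IN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A AMPR_IN -m set --match-set "$SET" dst -j ACCEPT
    run iptables -A AMPR_IN -j DROP
    run iptables -A FORWARD -i "$INET_IF" -o "$AMPR_IF" -j AMPR_IN
}

# Variant 2, without connection tracking: only new TCP connections (SYN set,
# ACK/RST/FIN clear) and UDP to a few abused ports are refused for addresses
# not in the set. Every other inbound packet still passes.
stateless_rules() {
    run iptables -N AMPR_IN
    run iptables -A AMPR_IN -m set --match-set "$SET" dst -j RETURN
    run iptables -A AMPR_IN -p tcp --syn -j DROP
    run iptables -A AMPR_IN -p udp -m multiport --dports 53,161 -j DROP
    run iptables -A FORWARD -i "$INET_IF" -o "$AMPR_IF" -j AMPR_IN
}

# Demo: constructed sample of two opted-in hosts, stateful variant.
# Run as root with DRY_RUN=0 to actually install the set and rules.
create_set 44.137.1.2 44.137.5.9
stateful_rules
```

The stateless variant is deliberately narrow: a packet that is neither a TCP SYN nor UDP to one of the listed ports, for instance a forged TCP segment with ACK set, still reaches a host that never opted in. That residual exposure is exactly what the conntrack variant removes, at the cost of keeping per-flow state on the gateway.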