44net-request(a)hamradio.ucsd.edu wrote: Thanks Marius! I have installed it on my own gateway and the 44.137 gateway and first tests shows it works fine. For the others: I requested this feature to modify a firewall when gateways change address. Before I accepted IPIP packets from everyone, but this is a weakness in the system that maybe could be exploited. I observed rogue IPIP packets from the far east. So instead of: iptables -A firewall -p 4 -j ACCEPT on the incoming interface, I now have: iptables -A firewall -p 4 -j ipipfilter and I have the following script that inserts/updates the ipipfilter list: #!/bin/sh # load encap.txt into ipipfilter list PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" AMPRGW="169.228.66.251" gwfile="/tmp/gw" cd /var/lib/ampr-ripd || exit 1 grep addprivate encap.txt | sed -e 's/.*encap //' | sort -u >$gwfile if iptables -N ipipfilter 2>/dev/null then iptables -F ipipfilter iptables -A ipipfilter -s $AMPRGW -j ACCEPT while read ip do iptables -A ipipfilter -s $ip -j ACCEPT done <$gwfile iptables -A ipipfilter -j DROP else iptables -L ipipfilter -n | grep ACCEPT | fgrep -v $AMPRGW | \ sed -e 's/.*-- //' -e 's/ .*//' | sort | diff - $gwfile | \ while read d ip do case "$d" in ">") iptables -I ipipfilter -s $ip -j ACCEPT ;; "<") iptables -D ipipfilter -s $ip -j ACCEPT ;; *) ;; esac done fi rm -f $gwfile The full pathname of this script /usr/local/sbin/load_ipipfilter is passed with the new -x option to ampr-ripd. It will load the entire filter the first time, and later it will only update the filters that have changed. It is required that the -s option is passed as well, so the encap.txt file is created by ampr-ripd. Now I only accept IPIP packets from addresses in the gateway list, which makes me feel a bit safer. (of course sanity checks were already done on the incoming IPIP packets) Rob