From feeead6c43e05577e0d3515d2d126e84d5805af3 Mon Sep 17 00:00:00 2001
From: Johannes Kimmel
Date: Tue, 21 Dec 2021 07:44:42 +0100
Subject: [PATCH] fff-firewall: remove obsolete rules
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

20-clamp-mss: Clamping is done in other parts of the network and to a very low static value. This rules is very likely doing nothing at the moment.

20-filter-ssh: These rules make use of the conntrack module to ratelimit incoming connections. Using conntrack comes with a performance penalty for all traffic. As an alternative, dropbear could be run behind an inetd(-like) service that does the ratelimit, should removing this rule result in an actual attack vector.

Removing both rules would enable us to unload the conntrack module all together, potentially improving overall performance.

Fixes #183

Signed-off-by: Johannes Kimmel
Acked-by: Fabian Bläse
Reviewed-by: Robert Langhammer
---
 src/packages/fff/fff-firewall/Makefile | 2 +-
 .../fff/fff-firewall/files/usr/lib/firewall.d/20-clamp-mss | 2 --
 .../fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh | 5 -----
 3 files changed, 1 insertion(+), 8 deletions(-)
 delete mode 100644 src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-clamp-mss
 delete mode 100644 src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh

diff --git a/src/packages/fff/fff-firewall/Makefile b/src/packages/fff/fff-firewall/Makefile
index 157b7e1b..18dd2bd1 100644
--- a/src/packages/fff/fff-firewall/Makefile
+++ b/src/packages/fff/fff-firewall/Makefile
@@ -1,7 +1,7 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=fff-firewall
-PKG_RELEASE:=8
+PKG_RELEASE:=9
 
 include $(INCLUDE_DIR)/package.mk
 
diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-clamp-mss b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-clamp-mss
deleted file mode 100644
index f2ee4396..00000000
--- a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-clamp-mss
+++ /dev/null
@@ -1,2 +0,0 @@
-#solves MTU problem with bad ISPs
-iptables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh
deleted file mode 100644
index 74458a35..00000000
--- a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh
+++ /dev/null
@@ -1,5 +0,0 @@
-# Limit ssh to 6 new connections per 60 seconds
-/usr/sbin/ip6tables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name dropbear
-/usr/sbin/ip6tables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 6 --rttl --name dropbear -j DROP
-/usr/sbin/iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name dropbear
-/usr/sbin/iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 6 --rttl --name dropbear -j DROP