fff-firewall: remove obsolete rules

20-clamp-mss:

Clamping is done in other parts of the network and to a very low static
value. This rules is very likely doing nothing at the moment.

20-filter-ssh:

These rules make use of the conntrack module to ratelimit incoming
connections. Using conntrack comes with a performance penalty for all
traffic. As an alternative, dropbear could be run behind an inetd(-like)
service that does the ratelimit, should removing this rule result in an
actual attack vector.

Removing both rules would enable us to unload the conntrack module all
together, potentially improving overall performance.

Fixes #183

Signed-off-by: Johannes Kimmel <fff@bareminimum.eu>

src/packages/fff/fff-firewall/Makefile

@@ -1,7 +1,7 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=fff-firewall
-PKG_RELEASE:=8
+PKG_RELEASE:=9
 
 include $(INCLUDE_DIR)/package.mk
 

src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-clamp-mss

@@ -1,2 +0,0 @@
-#solves MTU problem with bad ISPs
-iptables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh

@@ -1,5 +0,0 @@
-# Limit ssh to 6 new connections per 60 seconds
-/usr/sbin/ip6tables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name dropbear
-/usr/sbin/ip6tables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 6 --rttl --name dropbear -j DROP
-/usr/sbin/iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name dropbear
-/usr/sbin/iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 6 --rttl --name dropbear -j DROP