fff-firewall: remove obsolete rules #186

jkimmel · 2021-12-21T08:18:38+01:00

jkimmel commented

2021-12-21 08:18:38 +01:00

20-clamp-mss:

Clamping is done in other parts of the network and to a very low static
value. This rules is very likely doing nothing at the moment.

20-filter-ssh:

These rules make use of the conntrack module to ratelimit incoming
connections. Using conntrack comes with a performance penalty for all
traffic. As an alternative, dropbear could be run behind an inetd(-like)
service that does the ratelimit, should removing this rule result in an
actual attack vector.

Removing both rules would enable us to unload the conntrack module all
together, potentially improving overall performance.

Fixes #183

Signed-off-by: Johannes Kimmel <fff@bareminimum.eu>

20-clamp-mss: Clamping is done in other parts of the network and to a very low static value. This rules is very likely doing nothing at the moment. 20-filter-ssh: These rules make use of the conntrack module to ratelimit incoming connections. Using conntrack comes with a performance penalty for all traffic. As an alternative, dropbear could be run behind an inetd(-like) service that does the ratelimit, should removing this rule result in an actual attack vector. Removing both rules would enable us to unload the conntrack module all together, potentially improving overall performance. Fixes #183 `Signed-off-by: Johannes Kimmel <fff@bareminimum.eu>`

jkimmel added 1 commit 2021-12-21 08:18:39 +01:00

bd9477a775 fff-firewall: remove obsolete rules

20-clamp-mss:

Clamping is done in other parts of the network and to a very low static
value. This rules is very likely doing nothing at the moment.

20-filter-ssh:

These rules make use of the conntrack module to ratelimit incoming
connections. Using conntrack comes with a performance penalty for all
traffic. As an alternative, dropbear could be run behind an inetd(-like)
service that does the ratelimit, should removing this rule result in an
actual attack vector.

Removing both rules would enable us to unload the conntrack module all
together, potentially improving overall performance.

Fixes #183

Signed-off-by: Johannes Kimmel <fff@bareminimum.eu>

fbl commented

2021-12-21 09:46:10 +01:00

Acked-by: Fabian Bläse <fabian@blaese.de>

`Acked-by: Fabian Bläse <fabian@blaese.de>`

fbl added this to the 20220405-beta milestone 2021-12-21 14:47:19 +01:00

rohammer approved these changes 2021-12-28 21:46:00 +01:00

rohammer left a comment

Reviewed-by: Robert Langhammer <rlanghammer@web.de>

``` Reviewed-by: Robert Langhammer <rlanghammer@web.de> ```

fbl commented

2021-12-30 16:03:27 +01:00

Applied to my staging tree.

fbl closed this pull request

2021-12-30 16:03:27 +01:00

Pull request closed

Please reopen this pull request to perform a merge.

Sign in to join this conversation.

No reviewers

No Label

more details required

No Milestone

No Assignees

3 Participants

Notifications

Due Date

The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: freifunk-franken/firmware#186