forked from freifunk-franken/firmware
fff-firewall: remove obsolete rules
20-clamp-mss: Clamping is done in other parts of the network and to a very low static value. This rules is very likely doing nothing at the moment. 20-filter-ssh: These rules make use of the conntrack module to ratelimit incoming connections. Using conntrack comes with a performance penalty for all traffic. As an alternative, dropbear could be run behind an inetd(-like) service that does the ratelimit, should removing this rule result in an actual attack vector. Removing both rules would enable us to unload the conntrack module all together, potentially improving overall performance. Fixes #183 Signed-off-by: Johannes Kimmel <fff@bareminimum.eu>
This commit is contained in:
parent
596a785ebc
commit
bd9477a775
|
@ -1,7 +1,7 @@
|
|||
include $(TOPDIR)/rules.mk
|
||||
|
||||
PKG_NAME:=fff-firewall
|
||||
PKG_RELEASE:=8
|
||||
PKG_RELEASE:=9
|
||||
|
||||
include $(INCLUDE_DIR)/package.mk
|
||||
|
||||
|
|
|
@ -1,2 +0,0 @@
|
|||
#solves MTU problem with bad ISPs
|
||||
iptables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
|
|
@ -1,5 +0,0 @@
|
|||
# Limit ssh to 6 new connections per 60 seconds
|
||||
/usr/sbin/ip6tables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name dropbear
|
||||
/usr/sbin/ip6tables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 6 --rttl --name dropbear -j DROP
|
||||
/usr/sbin/iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name dropbear
|
||||
/usr/sbin/iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 6 --rttl --name dropbear -j DROP
|
Loading…
Reference in New Issue