20-clamp-mss:
Clamping is done in other parts of the network and to a very low static
value. This rules is very likely doing nothing at the moment.
20-filter-ssh:
These rules make use of the conntrack module to ratelimit incoming
connections. Using conntrack comes with a performance penalty for all
traffic. As an alternative, dropbear could be run behind an inetd(-like)
service that does the ratelimit, should removing this rule result in an
actual attack vector.
Removing both rules would enable us to unload the conntrack module all
together, potentially improving overall performance.
Fixes#183
Signed-off-by: Johannes Kimmel <fff@bareminimum.eu>
With this patch all installed tables are flushed.
We no longer have to worry about the modules
installed or not. (nat, mangle ...)
Signed-off-by: Robert Langhammer <rlanghammer@web.de>
Reviewed-by: Fabian Bläse <fabian@blaese.de>
With commit [1] the ipv4 firewall on wan interface was removed.
This patch adds the ssh connection limit for ipv4.
IPv6 is already limited.
[1] 52e15e072c ("fff-firewall: Remove ssh firewall on WAN interface")
Signed-off-by: Robert Langhammer <rlanghammer@web.de>
Reviewed-by: Fabian Bläse <fabian@blaese.de>
[improve commit reference]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
PKG_BUILD_DIR has the following default values set in include/package.mk,
in case no BUILD_VARIANT is set:
With PKG_VERSION set: $(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION)
Without PKG_VERSION: $(BUILD_DIR)/$(PKG_NAME)
Consequently, all PKG_BUILD_DIR definitions in our packages are
redundant. Remove them.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Reviewed-by: Robert Langhammer <rlanghammer@web.de>
The variables SERVICE_WRITE_PID and SERVICE_DAEMONIZE are not used by
procd, so they are removed.
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Robert Langhammer <rlanghammer@web.de>
Reviewed-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Build/Prepare and Build/Configure are not required for packages
which only contain local files and do not need any compilation.
Remove them.
Note that Build/Compile needs to be present and empty to overwrite
the defaults, though.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Reviewed-by: Robert Langhammer <rlanghammer@web.de>
This firewall was introduced as a countermeasure for very slow routers
directly connected to the internet without any firewall.
Our routers have got quite a bit faster since then. Also, a setup like
this is highly uncommon, especially for slower routers.
Therefore this firewall rule is removed.
Fixes: #138
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Reviewed-by: Robert Langhammer <rlanghammer@web.de>
[bump PKG_RELEASE]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
In some cases (mostly for one-port devices) IF_WAN was used
although not set, resulting in not obviously iptables error
messages like
- Bad argument `conntrack'
- Bad argument `REJECT'
Thus, check whether IF_WAN is set to something before using it.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Reviewed-by: Robert Langhammer <rlanghammer@web.de>
PKG_VERSION is meant to refer to the version of external packages,
as we do e.g. in the tunneldigger package.
For our own packages, we just need the PKG_RELEASE variable.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Reviewed-by: Fabian Bläse <fabian@blaese.de>
[Rebased onto current state of master]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Currently, Makefile use a mixture of tabs and spaces with various
indents. This harmonizes all Makefiles to use tab indentation only.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Reviewed-by: Tim Niemeyer <tim@tn-x.org>
The syntax " -m state --state " seems to be not supported anymore.
The replace should not change behavior compared to
lede-17.01-based firmware.
Added required dependency.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Reviewed-by: Tim Niemeyer <tim@tn-x.org>
Reviewed-by: Fabian Bläse <fabian@blaese.de>
Since there is a PKG_NAME variable, there is no need to repeat
the individual package name five times.
This makes editing and particularly copying Makefiles much
easier, as only the PKG_NAME has to be changed.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Reviewed-by: Tim Niemeyer <tim@tn-x.org>
- moves the node<-->client ra rules to package fff-uradvd
Signed-off-by: Tim Niemeyer <tim@tn-x.org>
Reviewed-by: Tobias Klaus <tk+ff@meskal.net>
Reviewed-by: Jan Kraus <mayosemmel@gmail.com>
Johannes Kimmel
Robert Langhammer
Fabian Bläse
Adrian Schmutzler
Christian Dresel
Tim Niemeyer