[PATCH] fff-firewall: Remove ssh firewall on WAN interface
mail at adrianschmutzler.de
Sun Aug 2 20:40:38 CEST 2020
Reviewed-by: Adrian Schmutzler <freifunk at adrianschmutzler.de>
> -----Original Message-----
> From: franken-dev [mailto:franken-dev-bounces at freifunk.net] On Behalf
> Of Fabian Bläse
> Sent: Sunday, 2 August 2020 19:55
> To: franken-dev at freifunk.net
> Subject: [PATCH] fff-firewall: Remove ssh firewall on WAN interface
>
> This firewall was introduced as a countermeasure for very slow routers
> directly connected to the internet without any firewall.
>
> Our routers have got quite a bit faster since then. Also, a setup like this is
> highly uncommon, especially for slower routers.
>
> Therefore this firewall rule is removed.
>
> Fixes: #138
> Signed-off-by: Fabian Bläse <fabian at blaese.de>
> ---
> .../fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh | 6 ------
> 1 file changed, 6 deletions(-)
>
> diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh
> b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh
> index aa04ce9..bb18657 100644
> --- a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh
> +++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-filter-s
> +++ sh
> @@ -1,9 +1,3 @@
> -# If an router has a direct internet connection simple attack act as DOS attack
> -if [ -n "$IF_WAN" ]; then
> - iptables -A INPUT -i $IF_WAN -m conntrack --ctstate
> RELATED,ESTABLISHED -j ACCEPT
> - iptables -A INPUT -i $IF_WAN -j REJECT
> -fi
> -
> # Limit ssh to 6 new connections per 60 seconds /usr/sbin/ip6tables -A
> INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name
> dropbear /usr/sbin/ip6tables -A INPUT -p tcp --dport 22 -m conntrack --
> ctstate NEW -m recent --update --seconds 60 --hitcount 6 --rttl --name
> dropbear -j DROP
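Review bot: The rate limit that remains as context below the removed block uses `/usr/sbin/ip6tables` only, so once the `iptables -A INPUT -i $IF_WAN -j REJECT` lines are gone this file applies no filter and no rate limit to IPv4 ssh on the WAN interface. The removed REJECT also had no `--dport` match, so it covered all new inbound IPv4 traffic on `$IF_WAN`, not only ssh as the subject line suggests; the commit message should say that every IPv4 service listening on WAN becomes reachable. If IPv4 ssh should still be throttled, consider adding the same `-m recent --update --seconds 60 --hitcount 6` pair with `iptables` next to the existing `ip6tables` lines.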
> --
> 2.28.0
-------------- next part --------------
A binary attachment was scrubbed...
Name: openpgp-digital-signature.asc
Type: application/pgp-signature
Size: 834 bytes
Desc: not available
URL: <https://lists.freifunk.net/pipermail/franken-dev-freifunk.net/attachments/20200802/62597f64/attachment.sig>