[PATCH] fff-firewall: Remove ssh firewall on WAN interface

Robert Langhammer rlanghammer at web.de
Sun Aug 2 20:55:49 CEST 2020


Hi Fabian,

That has annoyed me occasionally too.

Reviewed-by: Robert Langhammer <rlanghammer at web.de>

On 02.08.20 at 19:55, Fabian Bläse wrote:
> This firewall was introduced as a countermeasure for very slow routers
> directly connected to the internet without any firewall.
>
> Our routers have got quite a bit faster since then. Also, a setup like
> this is highly uncommon, especially for slower routers.
>
> Therefore this firewall rule is removed.
>
> Fixes: #138
> Signed-off-by: Fabian Bläse <fabian at blaese.de>
> ---
>  .../fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh | 6 ------
>  1 file changed, 6 deletions(-)
>
> diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh
> index aa04ce9..bb18657 100644
> --- a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh
> +++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh
> @@ -1,9 +1,3 @@
> -# If an router has a direct internet connection simple attack act as DOS attack
> -if [ -n "$IF_WAN" ]; then
> -	iptables -A INPUT -i $IF_WAN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> -	iptables -A INPUT -i $IF_WAN -j REJECT
> -fi
> -
>  # Limit ssh to 6 new connections per 60 seconds
>  /usr/sbin/ip6tables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name dropbear
>  /usr/sbin/ip6tables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 6 --rttl --name dropbear -j DROP
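Review bot: the deleted block in this hunk is a blanket IPv4 WAN input filter, not an ssh-specific rule, and the commit message should say so: it rejected every inbound packet on $IF_WAN that was not RELATED/ESTABLISHED, whatever the port, while the two lines kept below it rate-limit new connections to port 22 via `/usr/sbin/ip6tables ... -m recent ... --name dropbear` for IPv6 only. After this change a router that does have a WAN uplink loses both the WAN-wide filter and any ssh rate limiting on IPv4, because there is no `iptables` counterpart to the remaining `ip6tables` lines. Suggest widening the title ("Remove ssh firewall on WAN interface" undersells what is removed) and stating explicitly whether an IPv4 twin of the two `--name dropbear` rules is intended or deliberately left out.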


More information about the franken-dev mailing list