[PATCH] fff-firewall: Remove ssh firewall on WAN interface

SebaBe freifunk at beibecks.de
Mon Aug 3 10:52:46 CEST 2020


Thankyou-from: SebaBe ;) 

On 2 August 2020 20:55:49 CEST, Robert Langhammer <rlanghammer at web.de> wrote:
>Hi Fabian,
>
>This has annoyed me a few times too.
>
>Reviewed-by: Robert Langhammer <rlanghammer at web.de>
>
>On 02.08.20 at 19:55, Fabian Bläse wrote:
>> This firewall was introduced as a countermeasure for very slow routers
>> directly connected to the internet without any firewall.
>>
>> Our routers have got quite a bit faster since then. Also, a setup like
>> this is highly uncommon, especially for slower routers.
>>
>> Therefore this firewall rule is removed.
>>
>> Fixes: #138
>> Signed-off-by: Fabian Bläse <fabian at blaese.de>
>> ---
>>  .../fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh | 6
>------
>>  1 file changed, 6 deletions(-)
>>
>> diff --git
>a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh
>b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh
>> index aa04ce9..bb18657 100644
>> ---
>a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh
>> +++
>b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh
>> @@ -1,9 +1,3 @@
>> -# If an router has a direct internet connection simple attack act as
>DOS attack
>> -if [ -n "$IF_WAN" ]; then
>> -	iptables -A INPUT -i $IF_WAN -m conntrack --ctstate
>RELATED,ESTABLISHED -j ACCEPT
>> -	iptables -A INPUT -i $IF_WAN -j REJECT
>> -fi
>> -
>>  # Limit ssh to 6 new connections per 60 seconds
>>  /usr/sbin/ip6tables -A INPUT -p tcp --dport 22 -m conntrack
>--ctstate NEW -m recent --set --name dropbear
>>  /usr/sbin/ip6tables -A INPUT -p tcp --dport 22 -m conntrack
>--ctstate NEW -m recent --update --seconds 60 --hitcount 6 --rttl
>--name dropbear -j DROP
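Review bot: The removed block is not ssh-specific, which the subject line "Remove ssh firewall on WAN interface" obscures: `iptables -A INPUT -i $IF_WAN -j REJECT` rejected every new inbound IPv4 connection on the WAN interface, so after this change every service listening on the router, not only dropbear, becomes reachable from the WAN side; the commit message should say so explicitly so the change is weighed as such. The surviving context lines also show the 6-per-60s rate limit applied with /usr/sbin/ip6tables only, so once the block is gone IPv4 ssh on WAN has no limit at all; either add the matching iptables rule or explain in the message why that is acceptable.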