Message ID | 20200802175502.451663-3-fabian@blaese.de |
---|---|
State | Accepted |
diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh index aa04ce9..bb18657 100644 --- a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh +++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh @@ -1,9 +1,3 @@ -# If an router has a direct internet connection simple attack act as DOS attack -if [ -n "$IF_WAN" ]; then - iptables -A INPUT -i $IF_WAN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT - iptables -A INPUT -i $IF_WAN -j REJECT -fi - # Limit ssh to 6 new connections per 60 seconds /usr/sbin/ip6tables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name dropbear /usr/sbin/ip6tables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 6 --rttl --name dropbear -j DROP
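Review bot: the two removed iptables rules rejected every new inbound packet on $IF_WAN, not only SSH, so the title "Remove ssh firewall on WAN interface" understates what this hunk changes; after it the only rules left in 20-filter-ssh are the two ip6tables `-m recent --name dropbear` rules, which means new IPv4 TCP/22 connections arriving on the WAN interface are neither rejected nor rate-limited by this script any more. Suggest either spelling that out in the commit message (and confirming that IPv4 SSH on WAN is handled elsewhere, or that dropbear is only reachable over IPv6 there) or adding the iptables counterparts of the two ip6tables `--set` / `--update --seconds 60 --hitcount 6` rules so both address families keep the same limit.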
Reviewed-by: Adrian Schmutzler <freifunk@adrianschmutzler.de> > -----Original Message----- > From: franken-dev [mailto:franken-dev-bounces@freifunk.net] On Behalf > Of Fabian Bläse > Sent: Sunday, 2 August 2020 19:55 > To: franken-dev@freifunk.net > Subject: [PATCH] fff-firewall: Remove ssh firewall on WAN interface > > This firewall was introduced as a countermeasure for very slow routers > directly connected to the internet without any firewall. > > Our routers have got quite a bit faster since then. Also, a setup like this is > highly uncommon, especially for slower routers. > > Therefore this firewall rule is removed. > > Fixes: #138 > Signed-off-by: Fabian Bläse <fabian@blaese.de> > --- > .../fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh | 6 ------ > 1 file changed, 6 deletions(-) > > diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh > b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh > index aa04ce9..bb18657 100644 > --- a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh > +++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-filter-s > +++ sh > @@ -1,9 +1,3 @@ > -# If an router has a direct internet connection simple attack act as DOS attack > -if [ -n "$IF_WAN" ]; then > - iptables -A INPUT -i $IF_WAN -m conntrack --ctstate > RELATED,ESTABLISHED -j ACCEPT > - iptables -A INPUT -i $IF_WAN -j REJECT > -fi > - > # Limit ssh to 6 new connections per 60 seconds /usr/sbin/ip6tables -A > INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name > dropbear /usr/sbin/ip6tables -A INPUT -p tcp --dport 22 -m conntrack -- > ctstate NEW -m recent --update --seconds 60 --hitcount 6 --rttl --name > dropbear -j DROP > -- > 2.28.0
Hi Fabian, this has annoyed me a few times too. Reviewed-by: Robert Langhammer <rlanghammer@web.de> On 02.08.20 at 19:55, Fabian Bläse wrote: > This firewall was introduced as a countermeasure for very slow routers > directly connected to the internet without any firewall. > > Our routers have got quite a bit faster since then. Also, a setup like > this is highly uncommon, especially for slower routers. > > Therefore this firewall rule is removed. > > Fixes: #138 > Signed-off-by: Fabian Bläse <fabian@blaese.de> > --- > .../fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh | 6 ------ > 1 file changed, 6 deletions(-) > > diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh > index aa04ce9..bb18657 100644 > --- a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh > +++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh > @@ -1,9 +1,3 @@ > -# If an router has a direct internet connection simple attack act as DOS attack > -if [ -n "$IF_WAN" ]; then > - iptables -A INPUT -i $IF_WAN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT > - iptables -A INPUT -i $IF_WAN -j REJECT > -fi > - > # Limit ssh to 6 new connections per 60 seconds > /usr/sbin/ip6tables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name dropbear > /usr/sbin/ip6tables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 6 --rttl --name dropbear -j DROP
Thankyou-from: SebaBe ;) On 2 August 2020 20:55:49 CEST, Robert Langhammer <rlanghammer@web.de> wrote: >Hi Fabian, > >this has annoyed me a few times too. > >Reviewed-by: Robert Langhammer <rlanghammer@web.de> > >On 02.08.20 at 19:55, Fabian Bläse wrote: >> This firewall was introduced as a countermeasure for very slow >routers >> directly connected to the internet without any firewall. >> >> Our routers have got quite a bit faster since then. Also, a setup >like >> this is highly uncommon, especially for slower routers. >> >> Therefore this firewall rule is removed. >> >> Fixes: #138 >> Signed-off-by: Fabian Bläse <fabian@blaese.de> >> --- >> .../fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh | 6 >------ >> 1 file changed, 6 deletions(-) >> >> diff --git >a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh >b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh >> index aa04ce9..bb18657 100644 >> --- >a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh >> +++ >b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh >> @@ -1,9 +1,3 @@ >> -# If an router has a direct internet connection simple attack act as >DOS attack >> -if [ -n "$IF_WAN" ]; then >> - iptables -A INPUT -i $IF_WAN -m conntrack --ctstate >RELATED,ESTABLISHED -j ACCEPT >> - iptables -A INPUT -i $IF_WAN -j REJECT >> -fi >> - >> # Limit ssh to 6 new connections per 60 seconds >> /usr/sbin/ip6tables -A INPUT -p tcp --dport 22 -m conntrack >--ctstate NEW -m recent --set --name dropbear >> /usr/sbin/ip6tables -A INPUT -p tcp --dport 22 -m conntrack >--ctstate NEW -m recent --update --seconds 60 --hitcount 6 --rttl >--name dropbear -j DROP
Merged. > -----Original Message----- > From: franken-dev [mailto:franken-dev-bounces@freifunk.net] On Behalf > Of Fabian Bläse > Sent: Sunday, 2 August 2020 19:55 > To: franken-dev@freifunk.net > Subject: [PATCH] fff-firewall: Remove ssh firewall on WAN interface > > This firewall was introduced as a countermeasure for very slow routers > directly connected to the internet without any firewall. > > Our routers have got quite a bit faster since then. Also, a setup like this is > highly uncommon, especially for slower routers. > > Therefore this firewall rule is removed. > > Fixes: #138 > Signed-off-by: Fabian Bläse <fabian@blaese.de> > --- > .../fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh | 6 ------ > 1 file changed, 6 deletions(-) > > diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh > b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh > index aa04ce9..bb18657 100644 > --- a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh > +++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-filter-s > +++ sh > @@ -1,9 +1,3 @@ > -# If an router has a direct internet connection simple attack act as DOS attack > -if [ -n "$IF_WAN" ]; then > - iptables -A INPUT -i $IF_WAN -m conntrack --ctstate > RELATED,ESTABLISHED -j ACCEPT > - iptables -A INPUT -i $IF_WAN -j REJECT > -fi > - > # Limit ssh to 6 new connections per 60 seconds /usr/sbin/ip6tables -A > INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name > dropbear /usr/sbin/ip6tables -A INPUT -p tcp --dport 22 -m conntrack -- > ctstate NEW -m recent --update --seconds 60 --hitcount 6 --rttl --name > dropbear -j DROP > -- > 2.28.0
This firewall was introduced as a countermeasure for very slow routers directly connected to the internet without any firewall.

Our routers have got quite a bit faster since then. Also, a setup like this is highly uncommon, especially for slower routers.

Therefore this firewall rule is removed.

Fixes: #138
Signed-off-by: Fabian Bläse <fabian@blaese.de>
---
 .../fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh | 6 ------
 1 file changed, 6 deletions(-)