# HG changeset patch
# User Michiel Broek
# Date 1677494462 -3600
# Node ID 06b03eeae54032b476fc618ccf0b20baacc3603e
# Parent 8aaa305805df3fb6a7976f8a7786d69949293052
Version 0.0.26 Add TCPMSS also to the filter table. Log script invocation.
diff -r 8aaa305805df -r 06b03eeae540 sbin/mbse-firewall
--- a/sbin/mbse-firewall Sun Feb 26 15:23:19 2023 +0100
+++ b/sbin/mbse-firewall Mon Feb 27 11:41:02 2023 +0100
@@ -22,7 +22,7 @@
 # Software Foundation, 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA.
 # ---------------------------------------------------------------------------
-MBSEFW_VERSION="0.0.25"
+MBSEFW_VERSION="0.0.26"
 # Sanity checks
 if [ "$(id -u)" != "0" ]; then
@@ -313,7 +313,7 @@
 # drop packets that do not match any valid state. This also blocks invalid
 # flag combinations that are used by portscans.
- $IPTABLES -A OUTPUT -m state --state INVALID -j DROP
+ $IPTABLES -A OUTPUT -m state --state INVALID -j DROP
 $IPTABLES -A INPUT -m state --state INVALID -j DROP
 [ "$FW_FORWARD" = "1" ] && $IPTABLES -A FORWARD -m state --state INVALID -j DROP
 if [ "$USE_IPV6" == "1" ]; then
@@ -460,11 +460,15 @@
 fi
 if [ "$CLAMP_MSS_TO_PMTU" = "1" ]; then
- # ================ Table 'mangle', automatic rules
- [ "$FW_FORWARD" = "1" ] && $IPTABLES -t mangle -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
- if [ "$USE_IPV6" == "1" ]; then
- [ "$FW_FORWARD" = "1" ] && $IP6TABLES -t mangle -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
- fi
+ # ================ Tables 'filter' and 'mangle', automatic rules
+ [ "$FW_FORWARD" = "1" ] && {
+ $IPTABLES -t filter -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
+ $IPTABLES -t mangle -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
+ if [ "$USE_IPV6" == "1" ]; then
+ $IP6TABLES -t filter -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
+ $IP6TABLES -t mangle -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
+ fi
+ }
 fi
 # Filter all packets that have RH0 header
@@ -724,6 +728,7 @@
 fw_install() {
+ echo "Installing $(basename $0) $MBSEFW_VERSION" | $LOGGER
 echo -n "Installing $(basename $0) $MBSEFW_VERSION: "
 reset_iptables DROP
 echo -n "."
@@ -743,6 +748,7 @@
 -f /etc/mbse-firewall/data/firewall-ipset.data ]; then
 # Do a full restore of all saved data
 echo -n "Starting $(basename $0) $MBSEFW_VERSION: "
+ echo "Starting $(basename $0) $MBSEFW_VERSION" | $LOGGER
 echo "Start new firewall" | $LOGGER
 fw_init_nfacct
 reset_iptables DROP
@@ -768,6 +774,7 @@
 fw_stop() {
+ echo "Stopping $(basename $0) $MBSEFW_VERSION" | $LOGGER
 echo -n "Stopping $(basename $0) $MBSEFW_VERSION: "
 # Slackware defaults to ACCEPT when no firewall is active.
 reset_iptables ACCEPT
@@ -778,6 +785,7 @@
 # If there are blocklist tables, reload them.
 fw_reload() {
+ echo "Reload $(basename $0) $MBSEFW_VERSION" | $LOGGER
 echo -n "Reload $(basename $0) $MBSEFW_VERSION: "
 reload_blocklist4
 reload_blocklist6
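Review bot: The new filter-table TCPMSS rule is appended with `-A` to the end of FORWARD, so a SYN that an earlier FORWARD rule has already accepted or dropped never reaches it; what it actually clamps depends on rules defined elsewhere in the script that this hunk does not show. The mangle FORWARD rule kept on the next line is traversed before filter FORWARD for every forwarded packet and already rewrites the MSS, so as far as the hunk shows the filter copy re-clamps an already-clamped SYN and is a no-op. If it is meant as a fallback it should come ahead of any terminating rules, e.g. `$IPTABLES -t filter -I FORWARD 1 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu` (same for `$IP6TABLES`), and the header comment should say why both tables are needed rather than just naming them; otherwise the mangle-only form is the simpler one to keep.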
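Review bot: `echo "Installing …" | $LOGGER` on the added line discards the message with exit status 0 if `$LOGGER` expands to nothing, because a pipeline stage that expands to no words is a null command in sh/bash, so the new audit entries would vanish without any warning; how `LOGGER` is assigned is outside this hunk, so whether it can be empty needs confirming. The same unquoted `echo "… $(basename $0) $MBSEFW_VERSION" | $LOGGER` line is now pasted into five functions; a one-line helper such as `fw_log() { echo "$*" | $LOGGER; }` plus a sanity-check guard like `[ -n "$LOGGER" ] || echo "warning: LOGGER not set, audit messages will be lost" >&2` would keep the messages uniform and make the silent-drop case visible. fw_install continues past the end of the hunk.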
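Review bot: The added `echo "Starting …" | $LOGGER` is immediately followed by the existing `echo "Start new firewall" | $LOGGER`, so every start now writes two consecutive syslog entries for the same event. The fw_save hunk in this same patch drops its old generic "Saving firewall" message in favour of the versioned one; doing the same here, removing `echo "Start new firewall" | $LOGGER`, keeps one entry per action and a uniform format across install/start/stop/reload/save. The enclosing function begins before this hunk and the visible lines sit inside an `if` that restores saved data, so I cannot see whether the other start branch logs at all; if it does not, the new line belongs above the `if` so both paths record the start.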
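Review bot: The new log line records that fw_stop ran but not its security-relevant effect: the comment and `reset_iptables ACCEPT` that follow indicate the chains are reset to an ACCEPT default, i.e. the host is left unfiltered, and a reader of the journal only sees `Stopping mbse-firewall 0.0.26`. Since this is the one event an incident responder most needs to notice, the message should state the outcome, e.g. `echo "Stopping $(basename $0) $MBSEFW_VERSION: resetting to default policy ACCEPT (host unfiltered)" | $LOGGER`, and could be sent at warning priority if `$LOGGER` accepts `-p` (its definition is outside the hunk, so I cannot tell). Emitting the entry after `reset_iptables ACCEPT` returns would additionally log what happened rather than what was about to happen.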
@@ -787,8 +795,8 @@
 fw_save() {
+ echo "Saving $(basename $0) $MBSEFW_VERSION" | $LOGGER
 echo -n "Saving $(basename $0) $MBSEFW_VERSION: "
- echo "Saving firewall" | $LOGGER
 mkdir -p /etc/mbse-firewall/data
 [ -n "$IPTABLES_SAVE" ] && $IPTABLES_SAVE > /etc/mbse-firewall/data/firewall-ipv4.data
 echo -n "."
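Review bot: The added `echo "Saving …" | $LOGGER` is written before anything is saved and nothing visible in fw_save reports the result, so a failure two lines down leaves the journal asserting a save that did not happen. That matters here because `$IPTABLES_SAVE > /etc/mbse-firewall/data/firewall-ipv4.data` truncates the target before iptables-save runs; if the command fails the saved ruleset is empty, and the start path shown in the -743 hunk restores from exactly these data files while the log shows a clean save. Writing to a `.tmp` file and `mv -f`-ing it into place only when `$IPTABLES_SAVE` succeeds, with a `… failed` entry piped to `$LOGGER` otherwise, would make the new log line trustworthy; fw_save continues past the hunk so the remaining save steps are not visible here.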