Version 0.0.26 Add TCPMSS also to the filter table. Log script invocation.

Mon, 27 Feb 2023 11:41:02 +0100

author
Michiel Broek <mbroek@mbse.eu>
date
Mon, 27 Feb 2023 11:41:02 +0100
changeset 13
06b03eeae540
parent 12
8aaa305805df
child 14
654773d80b70

Version 0.0.26 Add TCPMSS also to the filter table. Log script invocation.

sbin/mbse-firewall file | annotate | diff | comparison | revisions
--- a/sbin/mbse-firewall	Sun Feb 26 15:23:19 2023 +0100
+++ b/sbin/mbse-firewall	Mon Feb 27 11:41:02 2023 +0100
@@ -22,7 +22,7 @@
 # Software Foundation, 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA.
 # ---------------------------------------------------------------------------
 
-MBSEFW_VERSION="0.0.25"
+MBSEFW_VERSION="0.0.26"
 
 # Sanity checks
 if [ "$(id -u)" != "0" ]; then
@@ -313,7 +313,7 @@
 
   # drop packets that do not match any valid state. This also blocks invalid
   # flag combinations that are used by portscans.
-  $IPTABLES -A OUTPUT   -m state --state INVALID  -j DROP 
+  $IPTABLES -A OUTPUT   -m state --state INVALID  -j DROP
   $IPTABLES -A INPUT    -m state --state INVALID  -j DROP 
   [ "$FW_FORWARD" = "1" ] && $IPTABLES -A FORWARD  -m state --state INVALID  -j DROP
   if [ "$USE_IPV6" == "1" ]; then
@@ -460,11 +460,15 @@
   fi
 
   if [ "$CLAMP_MSS_TO_PMTU" = "1" ]; then
-    # ================ Table 'mangle', automatic rules
-    [ "$FW_FORWARD" = "1" ] && $IPTABLES -t mangle -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-    if [ "$USE_IPV6" == "1" ]; then
-      [ "$FW_FORWARD" = "1" ] && $IP6TABLES -t mangle -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-    fi
+    # ================ Tables 'filter' and 'mangle', automatic rules
+    [ "$FW_FORWARD" = "1" ] && {
+      $IPTABLES -t filter -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
+      $IPTABLES -t mangle -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
+      if [ "$USE_IPV6" == "1" ]; then
+	$IP6TABLES -t filter -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
+        $IP6TABLES -t mangle -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
+      fi
+    }
   fi
 
   # Filter all packets that have RH0 header
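Review bot: The two added IPv6 rules are indented inconsistently — the `filter` line is indented with a tab while the `mangle` line directly below it uses spaces, so the block lines up differently depending on tab width; both should use the script's existing space indentation. The new comment says only "Tables 'filter' and 'mangle'" and nothing in the hunk or the commit message records why the mangle-table clamp alone was no longer sufficient, which the next maintainer will want to know before touching these rules; a one-line comment stating the reason the filter-table rule was added would cover it. Note that with the `[ ... ] && { ... }` form the group runs only when `FW_FORWARD` is exactly "1", the same condition as before, so no behaviour is lost there. The enclosing function starts and ends outside this hunk.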
@@ -724,6 +728,7 @@
 
 
 fw_install() {
+  echo "Installing $(basename $0) $MBSEFW_VERSION" | $LOGGER
   echo -n "Installing $(basename $0) $MBSEFW_VERSION: "
   reset_iptables DROP
   echo -n "."
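Review bot: The added `echo "Installing $(basename $0) $MBSEFW_VERSION" | $LOGGER` repeats the same pipeline-to-logger pattern that the hunks for fw_start, fw_stop, fw_reload and fw_save in this commit each add as well, leaving five near-identical lines that differ only in the verb. A small helper, `log_msg() { echo "$*" | $LOGGER; }`, called as `log_msg "Installing $(basename "$0") $MBSEFW_VERSION"`, would keep them in one place and also quote `$0`, which the copied line leaves unquoted. The body of fw_install continues past the end of this hunk.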
@@ -743,6 +748,7 @@
        -f /etc/mbse-firewall/data/firewall-ipset.data ]; then
     # Do a full restore of all saved data
     echo -n "Starting $(basename $0) $MBSEFW_VERSION: "
+    echo "Starting $(basename $0) $MBSEFW_VERSION" | $LOGGER
     echo "Start new firewall" | $LOGGER
     fw_init_nfacct
     reset_iptables DROP
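Review bot: The added `Starting …` log line is immediately followed by the pre-existing `echo "Start new firewall" | $LOGGER`, so a start now writes two consecutive syslog entries for the same event. The fw_save hunk in this same commit drops its old `Saving firewall` line in favour of the new versioned message, and this branch should do the same for consistency, unless the second entry is meant to mark a distinct step (the full restore path), in which case its text should say that. The enclosing function starts before and ends after this hunk.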
@@ -768,6 +774,7 @@
 
 
 fw_stop() {
+  echo "Stopping $(basename $0) $MBSEFW_VERSION" | $LOGGER
   echo -n "Stopping $(basename $0) $MBSEFW_VERSION: "
   # Slackware defaults to ACCEPT when no firewall is active.
   reset_iptables ACCEPT
@@ -778,6 +785,7 @@
 
 # If there are blocklist tables, reload them.
 fw_reload() {
+  echo "Reload $(basename $0) $MBSEFW_VERSION" | $LOGGER
   echo -n "Reload $(basename $0) $MBSEFW_VERSION: "
   reload_blocklist4
   reload_blocklist6
@@ -787,8 +795,8 @@
 
 
 fw_save() {
+  echo "Saving $(basename $0) $MBSEFW_VERSION" | $LOGGER
   echo -n "Saving $(basename $0) $MBSEFW_VERSION: "
-  echo "Saving firewall" | $LOGGER
   mkdir -p /etc/mbse-firewall/data
   [ -n "$IPTABLES_SAVE" ]  && $IPTABLES_SAVE  > /etc/mbse-firewall/data/firewall-ipv4.data
   echo -n "."
