From a178e473d35a2943f8cbb722db1922dd7f9bcb33 Mon Sep 17 00:00:00 2001
From: bbruns
Date: Fri, 22 Oct 2010 02:06:39 +0000
Subject: [PATCH] MSS Clamp move
---
 ChangeLog | 4 ++++
 Makefile | 2 +-
 bin/firewall-sosdg | 42 +++++++++++++++++++++--------------------
 3 files changed, 26 insertions(+), 22 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 75f6ba1..c626620 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,7 @@
+0.9.10 - Brielle Bruns
+ - Move clamp mss up earlier in the rules to possibly
+ fix an issue I noticed during testing
+
 0.9.9a - Brielle Bruns
 - Minor bug fixes for my coding errors introduced in the change of IPv6 variables
diff --git a/Makefile b/Makefile
index c48930c..8a5d85d 100644
--- a/Makefile
+++ b/Makefile
@@ -1,4 +1,4 @@
-VERSION=0.9.9a
+VERSION=0.9.10
 TAR=/usr/bin/tar
 TARBALL="firewall-sosdg-$(VERSION).tar.bz2"
diff --git a/bin/firewall-sosdg b/bin/firewall-sosdg
index bde14de..3c691e0 100755
--- a/bin/firewall-sosdg
+++ b/bin/firewall-sosdg
@@ -18,7 +18,7 @@
 # You should have received a copy of the GNU General Public License
 # along with this program. If not, see .
-FW_VERSION="0.9.9"
+FW_VERSION="0.9.10"
 # These option is here to help pre-1.0 users easily upgrade, defines critical defaults
 # that would otherwise require remaking their options file. I leave this on by default,
@@ -139,6 +139,26 @@ if [ "$TRUSTEDIP" ]; then
 echo -ne "\n"
 fi
+if [ "$CLAMPMSS" ]; then
+ display_c YELLOW "Clamping MSS to PMTU..."
+ for i in $CLAMPMSS; do
+ $IPTABLES -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS \
+ --clamp-mss-to-pmtu -o $i -m tcpmss --mss 1400:1536
+ $IPTABLES -A OUTPUT -p tcp --tcp-flags SYN,RST SYN -j TCPMSS \
+ --clamp-mss-to-pmtu -o $i -m tcpmss --mss 1400:1536
+ # This is necessary to make sure that PMTU works
+ $IPTABLES -A OUTPUT -p icmp --icmp-type time-exceeded \
+ -o $i -j ACCEPT
+ $IPTABLES -A INPUT -p icmp --icmp-type time-exceeded \
+ -i $i -j ACCEPT
+ $IPTABLES -A OUTPUT -p icmp --icmp-type fragmentation-needed \
+ -o $i -j ACCEPT
+ $IPTABLES -A INPUT -p icmp --icmp-type fragmentation-needed \
+ -i $i -j ACCEPT
+ done
+echo -en "\n"
+fi
+
 if [ "$DNS_REQUESTS_OUT" ]; then
 display_c YELLOW "Adding DNS reply allows for trusted DNS servers.."
 for i in $DNS_REQUESTS_OUT; do
@@ -262,26 +282,6 @@ if [ -s "$BASEDIR/include/ipv4_custom_mssclamp" ]; then
 . "$BASEDIR/include/ipv4_custom_mssclamp"
 fi
-if [ "$CLAMPMSS" ]; then
- display_c YELLOW "Clamping MSS to PMTU..."
- for i in $CLAMPMSS; do
- $IPTABLES -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS \
- --clamp-mss-to-pmtu -o $i -m tcpmss --mss 1400:1536
- $IPTABLES -A OUTPUT -p tcp --tcp-flags SYN,RST SYN -j TCPMSS \
- --clamp-mss-to-pmtu -o $i -m tcpmss --mss 1400:1536
- # This is necessary to make sure that PMTU works
- $IPTABLES -A OUTPUT -p icmp --icmp-type time-exceeded \
- -o $i -j ACCEPT
- $IPTABLES -A INPUT -p icmp --icmp-type time-exceeded \
- -i $i -j ACCEPT
- $IPTABLES -A OUTPUT -p icmp --icmp-type fragmentation-needed \
- -o $i -j ACCEPT
- $IPTABLES -A INPUT -p icmp --icmp-type fragmentation-needed \
- -i $i -j ACCEPT
- done
-echo -en "\n"
-fi
-
 if [ "$HACK_IPV4" ]; then
 apply_ipv4_hack $HACK_IPV4
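Review bot: The `ipv4_custom_mssclamp` include hook no longer sits next to the rules it is named after: the CLAMPMSS block is now inserted here after the TRUSTEDIP rules, while the `. "$BASEDIR/include/ipv4_custom_mssclamp"` line visible in the -262 hunk stays where the block used to be, so any custom clamp rules now load roughly 140 lines after the built-in ones and can no longer precede them. If that hook is meant to customise or override this block, move the `if [ -s "$BASEDIR/include/ipv4_custom_mssclamp" ]` stanza up with it, or record the new ordering in the header comment. The four `-j ACCEPT` rules for `time-exceeded` and `fragmentation-needed` admit any such ICMP on `$i` regardless of connection state; if the script's other rules rely on conntrack (not visible here), adding `-m state --state RELATED` to the two INPUT rules would limit them to errors tied to tracked flows while still letting PMTU discovery work. Minor: `echo -en "\n"` is unindented inside the `if`, and the sibling block above uses `echo -ne`; picking one form keeps the progress output consistent.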