brielle
/
Firewall-SOSDG
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

MSS Clamp move

master
bbruns 2010-10-22 02:06:39 +00:00
parent f21d3adbbf
commit a178e473d3
3 changed files with 26 additions and 22 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
ChangeLog
View File

@ -1,3 +1,7 @@
0.9.10 - Brielle Bruns <bruns@2mbit.com>
- Move clamp mss up earlier in the rules to possibly
fix an issue I noticed during testing
0.9.9a - Brielle Bruns <bruns@2mbit.com> 0.9.9a - Brielle Bruns <bruns@2mbit.com>
- Minor bug fixes for my coding errors introduced in - Minor bug fixes for my coding errors introduced in
the change of IPv6 variables the change of IPv6 variables

2
Makefile
View File

@ -1,4 +1,4 @@
VERSION=0.9.9a VERSION=0.9.10
TAR=/usr/bin/tar TAR=/usr/bin/tar
TARBALL="firewall-sosdg-$(VERSION).tar.bz2" TARBALL="firewall-sosdg-$(VERSION).tar.bz2"

42
bin/firewall-sosdg
View File

@ -18,7 +18,7 @@
# You should have received a copy of the GNU General Public License # You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>. # along with this program. If not, see <http://www.gnu.org/licenses/>.
FW_VERSION="0.9.9" FW_VERSION="0.9.10"
# These option is here to help pre-1.0 users easily upgrade, defines critical defaults # These option is here to help pre-1.0 users easily upgrade, defines critical defaults
# that would otherwise require remaking their options file. I leave this on by default, # that would otherwise require remaking their options file. I leave this on by default,
@ -139,6 +139,26 @@ if [ "$TRUSTEDIP" ]; then
echo -ne "\n" echo -ne "\n"
fi fi
if [ "$CLAMPMSS" ]; then
display_c YELLOW "Clamping MSS to PMTU..."
for i in $CLAMPMSS; do
$IPTABLES -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS \
--clamp-mss-to-pmtu -o $i -m tcpmss --mss 1400:1536
$IPTABLES -A OUTPUT -p tcp --tcp-flags SYN,RST SYN -j TCPMSS \
--clamp-mss-to-pmtu -o $i -m tcpmss --mss 1400:1536
# This is necessary to make sure that PMTU works
$IPTABLES -A OUTPUT -p icmp --icmp-type time-exceeded \
-o $i -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type time-exceeded \
-i $i -j ACCEPT
$IPTABLES -A OUTPUT -p icmp --icmp-type fragmentation-needed \
-o $i -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type fragmentation-needed \
-i $i -j ACCEPT
done
echo -en "\n"
fi
if [ "$DNS_REQUESTS_OUT" ]; then if [ "$DNS_REQUESTS_OUT" ]; then
display_c YELLOW "Adding DNS reply allows for trusted DNS servers.." display_c YELLOW "Adding DNS reply allows for trusted DNS servers.."
for i in $DNS_REQUESTS_OUT; do for i in $DNS_REQUESTS_OUT; do
@ -262,26 +282,6 @@ if [ -s "$BASEDIR/include/ipv4_custom_mssclamp" ]; then
. "$BASEDIR/include/ipv4_custom_mssclamp" . "$BASEDIR/include/ipv4_custom_mssclamp"
fi fi
if [ "$CLAMPMSS" ]; then
display_c YELLOW "Clamping MSS to PMTU..."
for i in $CLAMPMSS; do
$IPTABLES -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS \
--clamp-mss-to-pmtu -o $i -m tcpmss --mss 1400:1536
$IPTABLES -A OUTPUT -p tcp --tcp-flags SYN,RST SYN -j TCPMSS \
--clamp-mss-to-pmtu -o $i -m tcpmss --mss 1400:1536
# This is necessary to make sure that PMTU works
$IPTABLES -A OUTPUT -p icmp --icmp-type time-exceeded \
-o $i -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type time-exceeded \
-i $i -j ACCEPT
$IPTABLES -A OUTPUT -p icmp --icmp-type fragmentation-needed \
-o $i -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type fragmentation-needed \
-i $i -j ACCEPT
done
echo -en "\n"
fi
if [ "$HACK_IPV4" ]; then if [ "$HACK_IPV4" ]; then
apply_ipv4_hack $HACK_IPV4 apply_ipv4_hack $HACK_IPV4