authorPhil Sutter <phil@nwl.cc>2010-04-11 23:37:42 +0200
committerWaldemar Brodkorb <wbx@openadk.org>2010-04-12 20:06:22 +0200
commit39d8800fe63c5bb69a9ecc088f59b59566c6e71e (patch)
treec485b51f892c43dcd9703cbcd17d9060c1d664f2 /package/iptables
parent4966edc2d201b4f728e0fe22b7bb5b0711e3583d (diff)
firewall.conf: minor fixups
- Apply the drop policy to the OUTPUT chain, too (the actual behaviour should not have changed, as the packets that are now left unhandled were explicitly dropped before).
- The TCPMSS target is only valid in the mangle table, which is not enabled by default. So fix the statement and comment it out, leaving it up to the user to decide whether it is really needed.
Diffstat (limited to 'package/iptables')
-rw-r--r--package/iptables/files/firewall.conf9
1 files changed, 6 insertions, 3 deletions
diff --git a/package/iptables/files/firewall.conf b/package/iptables/files/firewall.conf
index 2c8faaa34..15794dece 100644
--- a/package/iptables/files/firewall.conf
+++ b/package/iptables/files/firewall.conf
@@ -20,6 +20,7 @@ iptables -t nat -N postrouting_rule
### Default policy
iptables -P INPUT DROP
iptables -P FORWARD DROP
+iptables -P OUTPUT DROP
### INPUT
### (connections with the router as destination)
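Review bot: The new `iptables -P OUTPUT DROP` on the added line takes effect immediately, while the first OUTPUT accept rules are only appended further down in the file (old line 46 onwards, second hunk), so every locally originated packet, including replies on an existing remote session, is dropped until that point is reached. The window is short and the earlier INPUT/FORWARD policies already behave the same way, but since OUTPUT is new here it is worth stating in the comment block: `### Default policy (OUTPUT is fully closed until the OUTPUT rules below are installed)`. If the surrounding script flushes and rebuilds the chains on every run, which is not visible in this hunk, the same transient applies on each reload.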
@@ -45,17 +46,19 @@ iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable
### (connections with the router as source)
# base case
-iptables -A OUTPUT -m state --state INVALID -j DROP
-iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+iptables -A OUTPUT -m state --state RELATED,ESTABLISHED,NEW -j ACCEPT
+iptables -A OUTPUT -p icmp -j ACCEPT
### FORWARD
### (connections routed through the router)
# base case
iptables -A FORWARD -m state --state INVALID -j DROP
-iptables -A FORWARD -p tcp -o $WAN --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
+# fix for broken ISPs blocking ICMP "fragmentation needed" packets
+#iptables -t mangle -A FORWARD -p tcp -o $WAN --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
+
# custom rules
iptables -A FORWARD -j forwarding_rule
iptables -t nat -A PREROUTING -j prerouting_rule
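Review bot: After the new `--state RELATED,ESTABLISHED,NEW -j ACCEPT` rule, the following `-p icmp -j ACCEPT` can only ever match ICMP packets in state INVALID, because any other ICMP packet is already accepted by the state rule above it; that is exactly the class the removed `-m state --state INVALID -j DROP` line used to drop, so the OUTPUT behaviour does change slightly for malformed or out-of-state ICMP, contrary to the commit description. If letting invalid ICMP out is not the intent, keep the drop in front of the accept: `iptables -A OUTPUT -m state --state INVALID -j DROP`, and then the separate ICMP accept can go. Unrelated but in the same hunk: the commented `-t mangle ... TCPMSS` line now lives in the filter-table FORWARD section, so a short comment above it noting that it only works when the mangle table is enabled in the kernel config would save the next reader a confusing "No chain/target/match" error. The blank context lines of this hunk appear to have been lost in rendering (the header announces 17 old lines, 13 are shown), so the hunk may extend slightly past what is visible here.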