Correct way of setting the TCP max segment sizes for IPv4 and IPv6?

Hi,

I have been looking at some firewall hardening examples which suggest
setting the TCP maximum segment sizes but they do it only for IPv4.

Looking at RFC 9293, §3.7.1, I see those MSS values are different for
IPv6, so I am approaching this like this:

chain ingress {
	type filter hook ingress device "eth0" priority -500; policy accept;
	
	# ...

	# IPv4
	meta protocol ip tcp flags syn tcp option maxseg size < 536 drop
	# IPv6
	meta protocol ip6 tcp flags syn tcp option maxseg size < 1220 drop
}

My questions:

1. Is this the correct way to do this?
2. Is it good to do this (setting TCP MSS) at all?
3. Which is better and why:

meta protocol ip tcp flags syn tcp option maxseg size < 536 drop

or

meta protocol ip tcp flags syn tcp option maxseg size 1-535 drop

4. How do I test if this works correctly? (Debian 12 here)
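An added example (my own code, not from the original post or from the nftables project) that parses the MSS option out of a raw TCP SYN and evaluates which of the two rule forms in question 3 would drop it, using the RFC 9293 §3.7.1 values from the rules above as the per-family thresholds; the segment builder and the `dropped` helper are hypothetical, and the code assumes `tcp option maxseg size` simply does not match when the SYN carries no MSS option.

```python
import struct

# Thresholds from the rules in the post (RFC 9293 section 3.7.1 default MSS values).
MIN_MSS = {"ip": 536, "ip6": 1220}


def tcp_mss(segment: bytes):
    """Return the MSS option value of a raw TCP segment, or None if absent."""
    data_offset = (segment[12] >> 4) * 4          # header length in bytes
    opts = segment[20:data_offset]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                             # End of Option List
            break
        if kind == 1:                             # No-Operation (1 byte)
            i += 1
            continue
        length = opts[i + 1]
        if kind == 2 and length == 4:             # Maximum Segment Size
            return struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += length
    return None


def is_syn(segment: bytes) -> bool:
    return bool(segment[13] & 0x02)


def dropped(segment: bytes, family: str, rule: str) -> bool:
    """Emulate the two rule variants from the post.

    rule == "lt"    -> 'tcp option maxseg size < N'
    rule == "range" -> 'tcp option maxseg size 1-(N-1)'
    Assumption: a SYN without an MSS option matches neither rule.
    """
    if not is_syn(segment):
        return False
    mss = tcp_mss(segment)
    if mss is None:
        return False
    n = MIN_MSS[family]
    if rule == "lt":
        return mss < n
    if rule == "range":
        return 1 <= mss <= n - 1
    raise ValueError(f"unknown rule form: {rule}")


def build_syn(mss=None) -> bytes:
    """Constructed minimal TCP SYN (no checksum) with an optional MSS option."""
    opts = b"" if mss is None else struct.pack("!BBH", 2, 4, mss)
    words = (20 + len(opts)) // 4
    hdr = struct.pack("!HHIIBBHHH", 40000, 443, 0, 0, words << 4, 0x02, 65535, 0, 0)
    return hdr + opts
```

The difference between the two forms shows up only for an MSS option of 0: `< 536` drops it, `1-535` lets it through.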
