Add gluon-firewall package to mitigate open resolver issue

Original patch by Daniel Ehlers <danielehlers@mindeye.net>

Add gluon-firewall package to mitigate open resolver issue
68149f25 · Matthias Schiffer · aba0a3bc · 68149f25 · 68149f25
Commit 68149f25 authored 10 years ago by Matthias Schiffer
--- a/package/gluon-firewall/Makefile
+++ b/package/gluon-firewall/Makefile
+include $(TOPDIR)/rules.mk
+PKG_NAME:=gluon-firewall
+PKG_VERSION:=1
+PKG_BUILD_DIR := $(BUILD_DIR)/$(PKG_NAME)
+include $(INCLUDE_DIR)/package.mk
+define Package/gluon-firewall
+  SECTION:=gluon
+  CATEGORY:=Gluon
+  TITLE:=Restrictive firewall rules
+  DEPENDS:=+gluon-core +firewall
+endef
+define Package/gluon-firewall/description
+	Gluon community wifi mesh firmware framework:
+	Firewall rules which try to ensure a node can't be abused
+	(e.g. for DNS amplification attacks)
+endef
+define Build/Prepare
+	mkdir -p $(PKG_BUILD_DIR)
+endef
+define Build/Configure
+endef
+define Build/Compile
+endef
+define Package/gluon-firewall/install
+	$(CP) ./files/* $(1)/
+endef
+$(eval $(call BuildPackage,gluon-firewall))
--- a/package/gluon-firewall/files/lib/gluon/upgrade/firewall/invariant/011-wan-firewall
+++ b/package/gluon-firewall/files/lib/gluon/upgrade/firewall/invariant/011-wan-firewall
+#!/usr/bin/lua
+local site = require 'gluon.site_config'
+local uci = require 'luci.model.uci'
+local c = uci.cursor()
+local function reject_input_on_wan(zone)
+	if zone.name == 'wan' then
+		c:set('firewall', zone['.name'], 'input', 'REJECT')
+	end
+	return true
+end
+c:foreach('firewall', 'zone', reject_input_on_wan)
+c:section('firewall', 'rule', 'wan_ssh',
+	  {
+		  name = 'wan_ssh',
+		  src = 'wan',
+		  dest_port = '22',
+		  proto = 'tcp',
+		  target = 'ACCEPT',
+	  }
+)
+c:save('firewall')
+c:commit('firewall')