diff --git a/package/gluon-firewall/Makefile b/package/gluon-firewall/Makefile
new file mode 100644
index 0000000000000000000000000000000000000000..ceb4820ce99d98c9be6922388963dd0196efb239
--- /dev/null
+++ b/package/gluon-firewall/Makefile
@@ -0,0 +1,37 @@
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=gluon-firewall
+PKG_VERSION:=1
+
+PKG_BUILD_DIR := $(BUILD_DIR)/$(PKG_NAME)
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/gluon-firewall
+  SECTION:=gluon
+  CATEGORY:=Gluon
+  TITLE:=Restrictive firewall rules
+  DEPENDS:=+gluon-core +firewall
+endef
+
+define Package/gluon-firewall/description
+	Gluon community wifi mesh firmware framework:
+	Firewall rules which try to ensure a node can't be abused
+	(e.g. for DNS amplification attacks)
+endef
+
+define Build/Prepare
+	mkdir -p $(PKG_BUILD_DIR)
+endef
+
+define Build/Configure
+endef
+
+define Build/Compile
+endef
+
+define Package/gluon-firewall/install
+	$(CP) ./files/* $(1)/
+endef
+
+$(eval $(call BuildPackage,gluon-firewall))
diff --git a/package/gluon-firewall/files/lib/gluon/upgrade/firewall/invariant/011-wan-firewall b/package/gluon-firewall/files/lib/gluon/upgrade/firewall/invariant/011-wan-firewall
new file mode 100755
index 0000000000000000000000000000000000000000..b63f51938e21d474397431a54b00addc18392b9c
--- /dev/null
+++ b/package/gluon-firewall/files/lib/gluon/upgrade/firewall/invariant/011-wan-firewall
@@ -0,0 +1,29 @@
+#!/usr/bin/lua
+
+local site = require 'gluon.site_config'
+local uci = require 'luci.model.uci'
+
+local c = uci.cursor()
+
+
+local function reject_input_on_wan(zone)
+	if zone.name == 'wan' then
+		c:set('firewall', zone['.name'], 'input', 'REJECT')
+	end
+
+	return true
+end
+c:foreach('firewall', 'zone', reject_input_on_wan)
+
+c:section('firewall', 'rule', 'wan_ssh',
+	  {
+		  name = 'wan_ssh',
+		  src = 'wan',
+		  dest_port = '22',
+		  proto = 'tcp',
+		  target = 'ACCEPT',
+	  }
+)
+
+c:save('firewall')
+c:commit('firewall')
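Review bot: The `wan_ssh` rule section at lines L67–L75 unconditionally ACCEPTs tcp/22 from the whole `wan` zone, which re-opens SSH to any source on the WAN side right after `reject_input_on_wan` sets the zone's `input` to `REJECT`, and nothing in the script records why that exposure is intended. Since the file lives under an `upgrade/.../invariant` path it is presumably re-applied on each upgrade, so an operator who removes the rule would get it back silently; a short comment such as `-- intentionally re-opens tcp/22 on wan after the REJECT above; needed for <reason>` (reason to be filled in) above the `c:section` call would make the trade-off visible, and restricting `src_ip`/`family` or gating the rule on a site setting would be worth considering. Separately, `local site = require 'gluon.site_config'` on L52 is never used in this script and can be dropped, unless the intent was to read the SSH policy from the site config.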