From 68149f25fd68f96386bc74562e1efb64cf5a1e24 Mon Sep 17 00:00:00 2001
From: Matthias Schiffer <mschiffer@universe-factory.net>
Date: Fri, 6 Jun 2014 12:59:32 +0200
Subject: [PATCH] Add gluon-firewall package to mitigate open resolver issue

Original patch by Daniel Ehlers <danielehlers@mindeye.net>
---
 package/gluon-firewall/Makefile               | 37 +++++++++++++++++++
 .../firewall/invariant/011-wan-firewall       | 29 +++++++++++++++
 2 files changed, 66 insertions(+)
 create mode 100644 package/gluon-firewall/Makefile
 create mode 100755 package/gluon-firewall/files/lib/gluon/upgrade/firewall/invariant/011-wan-firewall

diff --git a/package/gluon-firewall/Makefile b/package/gluon-firewall/Makefile
new file mode 100644
index 000000000..ceb4820ce
--- /dev/null
+++ b/package/gluon-firewall/Makefile
@@ -0,0 +1,37 @@
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=gluon-firewall
+PKG_VERSION:=1
+
+PKG_BUILD_DIR := $(BUILD_DIR)/$(PKG_NAME)
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/gluon-firewall
+  SECTION:=gluon
+  CATEGORY:=Gluon
+  TITLE:=Restrictive firewall rules
+  DEPENDS:=+gluon-core +firewall
+endef
+
+define Package/gluon-firewall/description
+	Gluon community wifi mesh firmware framework:
+	Firewall rules which try to ensure a node can't be abused
+	(e.g. for DNS amplification attacks)
+endef
+
+define Build/Prepare
+	mkdir -p $(PKG_BUILD_DIR)
+endef
+
+define Build/Configure
+endef
+
+define Build/Compile
+endef
+
+define Package/gluon-firewall/install
+	$(CP) ./files/* $(1)/
+endef
+
+$(eval $(call BuildPackage,gluon-firewall))
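Review bot: The `DEPENDS:=+gluon-core +firewall` line does not declare the Lua UCI binding the package's upgrade script needs (`luci.model.uci` via `/usr/bin/lua`), so the package only works if gluon-core happens to pull it in transitively. If that is not guaranteed, add the providing package to `DEPENDS` so the firewall script cannot be installed without its interpreter and library; if gluon-core does guarantee it, a comment such as `# luci.model.uci and lua come in through gluon-core` on the DEPENDS line would make the assumption explicit. The `+firewall` dependency is correct: without the OpenWrt firewall package the `firewall` UCI config this script edits is never applied.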
diff --git a/package/gluon-firewall/files/lib/gluon/upgrade/firewall/invariant/011-wan-firewall b/package/gluon-firewall/files/lib/gluon/upgrade/firewall/invariant/011-wan-firewall
new file mode 100755
index 000000000..b63f51938
--- /dev/null
+++ b/package/gluon-firewall/files/lib/gluon/upgrade/firewall/invariant/011-wan-firewall
@@ -0,0 +1,29 @@
+#!/usr/bin/lua
+
+local site = require 'gluon.site_config'
+local uci = require 'luci.model.uci'
+
+local c = uci.cursor()
+
+
+local function reject_input_on_wan(zone)
+	if zone.name == 'wan' then
+		c:set('firewall', zone['.name'], 'input', 'REJECT')
+	end
+
+	return true
+end
+c:foreach('firewall', 'zone', reject_input_on_wan)
+
+c:section('firewall', 'rule', 'wan_ssh',
+	  {
+		  name = 'wan_ssh',
+		  src = 'wan',
+		  dest_port = '22',
+		  proto = 'tcp',
+		  target = 'ACCEPT',
+	  }
+)
+
+c:save('firewall')
+c:commit('firewall')
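Review bot: The `wan_ssh` rule opens TCP/22 from the WAN zone unconditionally, on both IPv4 and IPv6 (no `family` is set), which widens the node's attack surface at the same time the commit is closing the DNS one; `site` is required on the first lines but never used, which suggests the intent was to make this configurable. I would gate the rule on a site option and otherwise delete the section so the invariant script stays idempotent in both directions, e.g. `if site.wan_ssh then c:section('firewall', 'rule', 'wan_ssh', {...}) else c:delete('firewall', 'wan_ssh') end`, and drop the unused require if no option is wanted. Setting only `input` to `REJECT` does close the open-resolver path for traffic addressed to the node itself, but it leaves `forward` for the wan zone untouched, so a one-line comment stating that forwarding is intentionally out of scope would help the next reader; note also that `REJECT` still answers every probe with an ICMP/TCP-RST, so `DROP` would be the quieter choice if the goal is strictly to avoid being a reflector.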
-- 
GitLab