Merge branch 'restrict-respondd'

2016-02-05 19:18:40 +01:00 · 2016-02-05 19:18:40 +01:00 · e0e96b7b28
parent 8bfb5fe102 2f499dbfc1
commit e0e96b7b28
1 changed files with 12 additions and 0 deletions
--- a/package/gluon-respondd/files/lib/gluon/upgrade/400-respondd-firewall
+++ b/package/gluon-respondd/files/lib/gluon/upgrade/400-respondd-firewall
@ -16,5 +16,17 @@ uci:section('firewall', 'rule', 'wan_respondd',
  }
 )

+-- Restrict respondd queries to link-local addresses to prevent amplification attacks from outside
+uci:section('firewall', 'rule', 'client_respondd',
+  {
+    name = 'client_respondd',
+    src = 'client',
+    src_ip = '!fe80::/64',
+    dest_port = '1001',
+    proto = 'udp',
+    target = 'REJECT',
+  }
+)
+
 uci:save('firewall')
 uci:commit('firewall')