From: Baptiste Jonglez Date: Wed, 19 Oct 2022 14:49:03 +0000 (+0200) Subject: firewall: config: drop input traffic by default X-Git-Url: http://git.lede-project.org./?a=commitdiff_plain;h=ef597b026bb0351ae909ae1fdaed12e76ddd41b7;p=openwrt%2Fstaging%2Fnbd.git firewall: config: drop input traffic by default This is necessary with firewall4 to avoid a hard-to-diagnose race condition during boot, causing DNAT rules not to be taken into account correctly. The root cause is that, during boot, the ruleset is mostly empty, and interface-related rules (including DNAT rules) are added incrementally. If a packet hits the input chain before the DNAT rules are setup, it can create buggy conntrack entries that will persist indefinitely. This new default should be safe because firewall4 explicitly accepts authorized traffic and rejects the rest. Thus, in normal operations, the default policy is not used. Fixes: #10749 Ref: https://github.com/openwrt/openwrt/issues/10749 Signed-off-by: Baptiste Jonglez --- diff --git a/package/network/config/firewall/files/firewall.config b/package/network/config/firewall/files/firewall.config index 61cfe665e4..b90ac7af0a 100644 --- a/package/network/config/firewall/files/firewall.config +++ b/package/network/config/firewall/files/firewall.config @@ -1,6 +1,6 @@ config defaults option syn_flood 1 - option input ACCEPT + option input REJECT option output ACCEPT option forward REJECT # Uncomment this line to disable ipv6 rules