Home Explore Help
Sign In
OpenWrt
/
openwrt
mirror of https://github.com/openwrt/openwrt.git
2
0
Fork 0
Files Issues 0 Wiki
Browse Source

firewall: config: drop input traffic by default

This is necessary with firewall4 to avoid a hard-to-diagnose race
condition during boot, causing DNAT rules not to be taken into account
correctly.

The root cause is that, during boot, the ruleset is mostly empty, and
interface-related rules (including DNAT rules) are added incrementally.
If a packet hits the input chain before the DNAT rules are setup, it can
create buggy conntrack entries that will persist indefinitely.

This new default should be safe because firewall4 explicitly accepts
authorized traffic and rejects the rest.  Thus, in normal operations, the
default policy is not used.

Fixes: #10749
Ref: https://github.com/openwrt/openwrt/issues/10749
Signed-off-by: Baptiste Jonglez <[email protected]>
Baptiste Jonglez 3 years ago
parent
5b7c99bc4c
commit
ef597b026b
1 changed files with 1 additions and 1 deletions
Unified View Show Diff Stats
  1. 1 1
      package/network/config/firewall/files/firewall.config

+ 1 - 1
package/network/config/firewall/files/firewall.config
View File 

@@ -1,6 +1,6 @@
 
 config defaults
 
 config defaults
 
 	option syn_flood	1
 
 	option syn_flood	1
 
-	option input		ACCEPT
 
+	option input		REJECT
 
 	option output		ACCEPT
 
 	option output		ACCEPT
 
 	option forward		REJECT
 
 	option forward		REJECT
 
 # Uncomment this line to disable ipv6 rules
 
 # Uncomment this line to disable ipv6 rules