From 2f499dbfc1e09a89fc18435aad2bcd9ff955d94d Mon Sep 17 00:00:00 2001
From: Matthias Schiffer
Date: Fri, 5 Feb 2016 16:59:27 +0100
Subject: [PATCH] gluon-respondd: restrict queries from the mesh to link-local addresses

Restrict to link-local addresses to prevent amplification attacks from outside the mesh, or such attacks affecting the outside world.

Fixes #637
---
 .../files/lib/gluon/upgrade/400-respondd-firewall | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/package/gluon-respondd/files/lib/gluon/upgrade/400-respondd-firewall b/package/gluon-respondd/files/lib/gluon/upgrade/400-respondd-firewall
index 65c5d8e3..c5076830 100755
--- a/package/gluon-respondd/files/lib/gluon/upgrade/400-respondd-firewall
+++ b/package/gluon-respondd/files/lib/gluon/upgrade/400-respondd-firewall
@@ -16,5 +16,17 @@ uci:section('firewall', 'rule', 'wan_respondd',
 }
 )
+-- Restrict respondd queries to link-local addresses to prevent amplification attacks from outside
+uci:section('firewall', 'rule', 'client_respondd',
+ {
+ name = 'client_respondd',
+ src = 'client',
+ src_ip = '!fe80::/64',
+ dest_port = '1001',
+ proto = 'udp',
+ target = 'REJECT',
+ }
+)
+
 uci:save('firewall')
 uci:commit('firewall')
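Review bot: `target = 'REJECT'` in the new `client_respondd` rule still sends an ICMPv6 port-unreachable back toward the source of every matched query, and because this rule by construction matches only sources that are not on-link (exactly the addresses an attacker would spoof), that error packet is itself a small reflection to a third party; `target = 'DROP'` discards the query silently and is the conventional choice for a rule whose stated purpose is stopping amplification. A second caveat worth a comment or a companion rule: the only address match is the IPv6 prefix `!fe80::/64`, so the firewall will presumably treat the rule as IPv6-only, leaving any IPv4 UDP/1001 listener on the client zone unrestricted — confirm respondd answers only over IPv6 here, or add an IPv4 counterpart. The `wan_respondd` rule named in the hunk context starts before this hunk, so its accept conditions cannot be checked against this one from here.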