gluon-firewall: reject DNS queries from br-client (they should be accepted on local-node only)

package/gluon-firewall/files/lib/gluon/upgrade/firewall/invariant/011-firewall-rules

@@ -26,5 +26,16 @@ c:section('firewall', 'rule', 'wan_ssh',
 	  }
 )
 
+
+c:section('firewall', 'rule', 'client_dns',
+	  {
+		  name = 'client_dns',
+		  src = 'client',
+		  dest_port = '53',
+		  target = 'REJECT',
+	  }
+)
+
+
 c:save('firewall')
 c:commit('firewall')