#!/usr/bin/lua

local uci = require('simple-uci').cursor()

uci:delete('firewall', 'wan_announced')

-- Allow respondd port on WAN to allow resolving neighbours over mesh-on-wan
uci:section('firewall', 'rule', 'wan_respondd',
  {
    name = 'wan_respondd',
    src = 'wan',
    src_ip = 'fe80::/64',
    dest_port = '1001',
    proto = 'udp',
    target = 'ACCEPT',
  }
)

-- Restrict respondd queries to link-local addresses to prevent amplification attacks from outside
uci:section('firewall', 'rule', 'client_respondd',
  {
    name = 'client_respondd',
    src = 'client',
    src_ip = '!fe80::/64',
    dest_port = '1001',
    proto = 'udp',
    target = 'REJECT',
  }
)

uci:save('firewall')