From 72084774f1231599f2f8da80dcb9cdaef93320d5 Mon Sep 17 00:00:00 2001
From: usi096
Date: Fri, 27 Feb 2026 15:35:17 +0000
Subject: [PATCH 1/2] RDKB-62412 LAN SSH dropbear allows wan SSH

Signed-off-by: usi096
---
 source/firewall/firewall.c | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/source/firewall/firewall.c b/source/firewall/firewall.c
index 6556979f..0f48a7bd 100644
--- a/source/firewall/firewall.c
+++ b/source/firewall/firewall.c
@@ -10783,6 +10783,24 @@ static int do_wan2lan(FILE *fp)
     return(0);
 }
 
+/*
+ * Procedure : do_block_lan_access_to_wan_ssh
+ * Purpose : To block SSH using WAN IP from LAN client
+ * Parameters :
+ * fp : An open file to write rules to block SSH using WAN IP in LAN client
+ * Return Values :
+ * 0 : Success
+ */
+#if defined(_SR213_PRODUCT_REQ_) || defined(_SCER11BEL_PRODUCT_REQ_)
+static int do_block_lan_access_to_wan_ssh(FILE *fp)
+{
+    FIREWALL_DEBUG("Entering do_block_lan_access_to_wan_ssh\n");
+    fprintf(fp, "-I INPUT 1 -i brlan0 -d %s -p tcp --dport 10022 -j REJECT\n", current_wan_ipaddr);
+    FIREWALL_DEBUG("Exiting do_block_lan_access_to_wan_ssh\n");
+    return(0);
+}
+#endif
+
 /*
  ==========================================================================
  Ephemeral filter rules
@@ -13844,6 +13862,10 @@ static int prepare_enabled_ipv4_firewall(FILE *raw_fp, FILE *mangle_fp, FILE *na
     do_lan2wan(mangle_fp, filter_fp, nat_fp);
     do_wan2lan(filter_fp);
     do_filter_table_general_rules(filter_fp);
+#if defined(_SR213_PRODUCT_REQ_) || defined(_SCER11BEL_PRODUCT_REQ_)
+    if(isWanReady)
+        do_block_lan_access_to_wan_ssh(filter_fp);
+#endif
 #if defined(SPEED_BOOST_SUPPORTED)
     WAN_FAILOVER_SUPPORT_CHECK
     if(isWanServiceReady)

From c9a6fe000585e9d9a88c871de6b1568c66f9fdbf Mon Sep 17 00:00:00 2001
From: usi096
Date: Fri, 27 Feb 2026 15:35:17 +0000
Subject: [PATCH 2/2] RDKB-62412 LAN SSH dropbear allows wan SSH

Signed-off-by: usi096
---
 source/firewall/firewall.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
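Review bot: do_block_lan_access_to_wan_ssh writes `-d %s` straight from current_wan_ipaddr with no check of its own, so if it is ever reached while that buffer is empty the emitted line is a malformed rule that would presumably make the whole filter-table restore fail, and the only thing preventing that today is the isWanReady gate at the call site in the second hunk. I would make the function safe on its own with a guard before the fprintf, e.g. `if (current_wan_ipaddr[0] == '\0') return 0;`, assuming current_wan_ipaddr is the char buffer the other rule writers in this file use (its declaration is outside the hunk). The port 10022 is a magic number; a named constant such as `#define LAN_SSH_REJECT_PORT 10022` (placeholder name, or whichever define the file already uses for the dropbear LAN port) next to the function would document which service the rule is tied to. Since the rule is only wired into prepare_enabled_ipv4_firewall, it is worth confirming whether the IPv6 firewall path in this file needs an equivalent rule for the WAN-side IPv6 address, otherwise the mitigation covers only IPv4.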
diff --git a/source/firewall/firewall.c b/source/firewall/firewall.c
index 0f48a7bd..24f1250f 100644
--- a/source/firewall/firewall.c
+++ b/source/firewall/firewall.c
@@ -10795,7 +10795,7 @@ static int do_wan2lan(FILE *fp)
 static int do_block_lan_access_to_wan_ssh(FILE *fp)
 {
     FIREWALL_DEBUG("Entering do_block_lan_access_to_wan_ssh\n");
-    fprintf(fp, "-I INPUT 1 -i brlan0 -d %s -p tcp --dport 10022 -j REJECT\n", current_wan_ipaddr);
+    fprintf(fp, "-I INPUT 1 -i %s -d %s -p tcp --dport 10022 -j REJECT\n", lan_ifname, current_wan_ipaddr);
     FIREWALL_DEBUG("Exiting do_block_lan_access_to_wan_ssh\n");
     return(0);
 }
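Review bot: The new `-i %s` substitutes lan_ifname with no check that it is populated; its declaration is outside the hunk, but an empty buffer yields `-i  -d ...`, which is not a valid rule at restore time, and if it is a pointer that can be NULL the fprintf is undefined behaviour. A guard before the fprintf such as `if (lan_ifname[0] == '\0' || current_wan_ipaddr[0] == '\0') return 0;` (adjusted if lan_ifname is a pointer) keeps the function safe without relying on the caller's isWanReady check. Note also that the rule now follows a single LAN bridge; if any _SR213_/_SCER11BEL_ product exposes more than one bridge to clients, the others are not covered, so a per-bridge loop or a `! -i <wan ifname>` match may be the more robust form — I cannot tell from the hunk which applies.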