From a8a0afa6c06ac1d0a02d2b998d29bddd0d5b516d Mon Sep 17 00:00:00 2001 From: usi096 Date: Tue, 27 Jan 2026 07:29:42 +0000 Subject: [PATCH 1/5] RDKB-62412 LAN SSH dropbear allows wan SSH Signed-off-by: usi096 --- source/firewall/firewall.c | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/source/firewall/firewall.c b/source/firewall/firewall.c index c7324525..021a11ff 100644 --- a/source/firewall/firewall.c +++ b/source/firewall/firewall.c @@ -10705,6 +10705,23 @@ static int do_wan2lan(FILE *fp) return(0); } +/* + * Procedure : do_block_SSH_wan + * Purpose : To block SSH from WAN IP + * Parameters : + * fp : An open file to write wan2lan rules to + * Return Values : + * 0 : Success + */ + +static int do_block_SSH_wan(FILE *fp) +{ + FIREWALL_DEBUG("Entering do_block_SSH_wan\n"); + fprintf(fp, "-I INPUT 1 -i brlan0 -d %s -p tcp --dport 10022 -j REJECT", current_wan_ipaddr); + FIREWALL_DEBUG("Exiting do_block_SSH_wan\n"); + return(0); +} + /* ========================================================================== Ephemeral filter rules @@ -13710,6 +13727,8 @@ static int prepare_enabled_ipv4_firewall(FILE *raw_fp, FILE *mangle_fp, FILE *na do_lan2wan(mangle_fp, filter_fp, nat_fp); do_wan2lan(filter_fp); do_filter_table_general_rules(filter_fp); + if(isWanReady) + do_block_SSH_wan(filter_fp); #if defined(SPEED_BOOST_SUPPORTED) WAN_FAILOVER_SUPPORT_CHECK if(isWanServiceReady) From 902608a07994c057589f1fdf960bc0aa29a06090 Mon Sep 17 00:00:00 2001 From: usi096 Date: Tue, 27 Jan 2026 07:29:42 +0000 Subject: [PATCH 2/5] RDKB-62412 LAN SSH dropbear allows wan SSH Signed-off-by: usi096 --- source/firewall/firewall.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/source/firewall/firewall.c b/source/firewall/firewall.c index 021a11ff..f4f85d96 100644 --- a/source/firewall/firewall.c +++ b/source/firewall/firewall.c 
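Review bot: do_block_SSH_wan hard-codes the LAN bridge as `brlan0` and the dropbear port as `10022`, so a LAN client on any other bridge this build may create (guest or IoT segments, if present) would still reach dropbear on the WAN address, and a change to the dropbear listen port would silently desynchronise from this rule. If firewall.c already keeps the LAN interface name and the SSH port in variables or macros, emit the rule from those; failing that, at least name the port with a constant such as `#define WAN_SSH_BLOCK_PORT 10022` (constructed name) next to the function. The rule is also IPv4-only, written into the ipv4 filter path with `current_wan_ipaddr`; if the WAN also carries a global IPv6 address and dropbear listens on it, the IPv6 rule path needs an equivalent REJECT, which this series does not add.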
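Review bot: The call added at the end of this hunk relies on a rule that inserts at position 1 of INPUT, so it is only effective as long as nothing emitted later in prepare_enabled_ipv4_firewall also does `-I INPUT 1` with an ACCEPT covering LAN traffic; if such a rule exists further down (the function continues outside the hunk), it would be evaluated first and the REJECT would be bypassed. Worth confirming the final chain order on a built image with `iptables -S INPUT` rather than from the source alone. Stylistically, the unbraced single-statement body should be braced: `if (isWanReady) { do_block_SSH_wan(filter_fp); }`.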
@@ -10713,7 +10713,7 @@ static int do_wan2lan(FILE *fp) * Return Values : * 0 : Success */ - +#ifdef _SR213_PRODUCT_REQ_ static int do_block_SSH_wan(FILE *fp) { FIREWALL_DEBUG("Entering do_block_SSH_wan\n"); @@ -10721,6 +10721,7 @@ static int do_block_SSH_wan(FILE *fp) FIREWALL_DEBUG("Exiting do_block_SSH_wan\n"); return(0); } +#endif /* ========================================================================== @@ -13727,8 +13728,10 @@ static int prepare_enabled_ipv4_firewall(FILE *raw_fp, FILE *mangle_fp, FILE *na do_lan2wan(mangle_fp, filter_fp, nat_fp); do_wan2lan(filter_fp); do_filter_table_general_rules(filter_fp); +#ifdef _SR213_PRODUCT_REQ_ if(isWanReady) do_block_SSH_wan(filter_fp); +#endif #if defined(SPEED_BOOST_SUPPORTED) WAN_FAILOVER_SUPPORT_CHECK if(isWanServiceReady) From 81cf3622afde4e6c8aea83dfa33d8ed6d03603bb Mon Sep 17 00:00:00 2001 From: usi096 Date: Tue, 27 Jan 2026 07:29:42 +0000 Subject: [PATCH 3/5] RDKB-62412 LAN SSH dropbear allows wan SSH Signed-off-by: usi096 --- source/firewall/firewall.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/source/firewall/firewall.c b/source/firewall/firewall.c index f4f85d96..91072f90 100644 --- a/source/firewall/firewall.c +++ b/source/firewall/firewall.c @@ -10717,8 +10717,8 @@ static int do_wan2lan(FILE *fp) static int do_block_SSH_wan(FILE *fp) { FIREWALL_DEBUG("Entering do_block_SSH_wan\n"); - fprintf(fp, "-I INPUT 1 -i brlan0 -d %s -p tcp --dport 10022 -j REJECT", current_wan_ipaddr); - FIREWALL_DEBUG("Exiting do_block_SSH_wan\n"); + fprintf(fp, "-I INPUT 1 -i brlan0 -d %s -p tcp --dport 10022 -j REJECT\n", current_wan_ipaddr); + FIREWALL_DEBUG("Exiting do_block_SSH_wan %s \n", current_wan_ipaddr); return(0); } #endif From 42bb7b0ecc3ee2c8d010cc7ffedc20755f98a5cb Mon Sep 17 00:00:00 2001 From: usi096 Date: Tue, 27 Jan 2026 07:29:42 +0000 Subject: [PATCH 4/5] RDKB-62412 LAN SSH dropbear allows wan SSH 
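Review bot: The `#ifdef _SR213_PRODUCT_REQ_` guard is repeated at the call site in the @@ -13728 hunk of this patch, which means every future caller of do_block_SSH_wan has to carry the same product guard or the build breaks on other products. Keeping the guard inside the function body instead (`#ifdef _SR213_PRODUCT_REQ_` around the fprintf, with `(void)fp;` in the `#else` branch) lets the call remain unconditional and keeps the product decision in one place. Separately, the macro name lies in the identifier space reserved for the implementation (leading underscore followed by an uppercase letter); if it is an existing build-wide flag that is out of scope here, but a new flag should not follow the pattern.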
Signed-off-by: usi096 --- source/firewall/firewall.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source/firewall/firewall.c b/source/firewall/firewall.c index 91072f90..bc2660cf 100644 --- a/source/firewall/firewall.c +++ b/source/firewall/firewall.c @@ -10718,7 +10718,7 @@ static int do_block_SSH_wan(FILE *fp) { FIREWALL_DEBUG("Entering do_block_SSH_wan\n"); fprintf(fp, "-I INPUT 1 -i brlan0 -d %s -p tcp --dport 10022 -j REJECT\n", current_wan_ipaddr); - FIREWALL_DEBUG("Exiting do_block_SSH_wan %s \n", current_wan_ipaddr); + FIREWALL_DEBUG("Exiting do_block_SSH_wan\n"); return(0); } #endif From c134036295f5cf8b325d5f4ba12304222b646285 Mon Sep 17 00:00:00 2001 From: usi096 Date: Tue, 27 Jan 2026 07:29:42 +0000 Subject: [PATCH 5/5] RDKB-62412 LAN SSH dropbear allows wan SSH Signed-off-by: usi096 --- source/firewall/firewall.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/source/firewall/firewall.c b/source/firewall/firewall.c index bc2660cf..d360c02e 100644 --- a/source/firewall/firewall.c +++ b/source/firewall/firewall.c @@ -10707,9 +10707,9 @@ static int do_wan2lan(FILE *fp) /* * Procedure : do_block_SSH_wan - * Purpose : To block SSH from WAN IP + * Purpose : To block SSH using WAN IP from LAN client * Parameters : - * fp : An open file to write wan2lan rules to + * fp : An open file to write rules to block SSH using WAN IP in LAN client * Return Values : * 0 : Success */
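Review bot: The reworded header in this hunk still omits the two constraints a maintainer needs before relying on the rule: it matches only IPv4 traffic to `current_wan_ipaddr` that enters via `brlan0` on tcp/10022, and it assumes the caller has confirmed the WAN address is populated (the call site is guarded by `isWanReady`). Suggest adding after the Purpose line: `* Note : IPv4 only; matches -i brlan0 -d <current_wan_ipaddr> tcp/10022. Caller must ensure current_wan_ipaddr is valid (see isWanReady check at the call site).` The function body itself begins after the hunk.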