From bf9c42a24cb4e91f09262a4e69c610a20e05f98b Mon Sep 17 00:00:00 2001
From: Tim Niemeyer
Date: Sun, 30 Sep 2012 11:26:11 +0200
Subject: [PATCH] Statefull Inspektion for WAN Interface

On a router wich is directly connected to the internet, there is lot of traffix on the WAN port. E.g. ssh bruteforces. That's like a DOS for a small device.
This fixes #395
Signed-off-by: Tim Niemeyer
---
 bsp/default/root_file_system/etc/firewall.user | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/bsp/default/root_file_system/etc/firewall.user b/bsp/default/root_file_system/etc/firewall.user
index 3f9fbab..8dfa515 100755
--- a/bsp/default/root_file_system/etc/firewall.user
+++ b/bsp/default/root_file_system/etc/firewall.user
@@ -43,3 +43,8 @@
 #solves MTU problem with bad ISP´s
 iptables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
+
+# Wenn ein router direkt am Netz hängt, ist er auch ssh Angriffen ausgesetzt.
+# Das wirkt bei kleinen Geräten wir ein DOS
+iptables -I INPUT -i eth0.2 -m state --state RELATED,ESTABLISHED -j ACCEPT
+iptables -I INPUT -i eth0.2 -j DROP
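Review bot: The two added rules end up in the wrong order: `-I INPUT` without a rule number inserts at position 1, so the second command places the unconditional `-i eth0.2 -j DROP` ahead of the RELATED,ESTABLISHED ACCEPT, and every inbound packet on eth0.2 is dropped before the stateful rule is ever reached — including replies to connections the router itself opens, such as DNS or NTP lookups. Swap the two lines so the ACCEPT is inserted last and therefore evaluated first: `iptables -I INPUT -i eth0.2 -j DROP` followed by `iptables -I INPUT -i eth0.2 -m state --state RELATED,ESTABLISHED -j ACCEPT`. Inserting at the head of INPUT also short-circuits whatever the rest of firewall.user and the distribution firewall already accept on this interface, so any service that must stay reachable from the WAN side needs its own ACCEPT inserted after this pair; the rest of the file is outside the hunk. The interface name eth0.2 is hard-coded, which presumably only matches boards whose WAN VLAN is eth0.2 — worth confirming or taking from the network configuration. A rate-limited `-j LOG` rule ahead of the DROP would make the brute-force attempts described in the commit message visible in syslog instead of vanishing silently.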