summaryrefslogtreecommitdiff
path: root/scripts
diff options
context:
space:
mode:
Diffstat (limited to 'scripts')
-rw-r--r--scripts/firewall/firewall.init.in6
1 files changed, 5 insertions, 1 deletions
diff --git a/scripts/firewall/firewall.init.in b/scripts/firewall/firewall.init.in
index 5904a3d..4d8608f 100644
--- a/scripts/firewall/firewall.init.in
+++ b/scripts/firewall/firewall.init.in
@@ -56,7 +56,11 @@ start () {
# set up post-firewall hook
iptables -N VYATTA_POST_FW_HOOK
iptables -A VYATTA_POST_FW_HOOK -j ACCEPT
- iptables -A INPUT -j VYATTA_POST_FW_HOOK
+
+ # enforce strict host matching (see bug 4061)
+ iptables -P INPUT -j DROP
+ iptables -A INPUT -m strict -j VYATTA_POST_FW_HOOK
+
iptables -A FORWARD -j VYATTA_POST_FW_HOOK
# set up pre-SNAT hook
generated by cgit v1.2.3 (git 2.39.1) at 2026-06-01 03:20:16 +0000