From a8a0afa6c06ac1d0a02d2b998d29bddd0d5b516d Mon Sep 17 00:00:00 2001
From: usi096
Date: Tue, 27 Jan 2026 07:29:42 +0000
Subject: [PATCH 1/7] RDKB-62412 LAN SSH dropbear allows wan SSH

Signed-off-by: usi096
---
 source/firewall/firewall.c | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/source/firewall/firewall.c b/source/firewall/firewall.c
index c7324525..021a11ff 100644
--- a/source/firewall/firewall.c
+++ b/source/firewall/firewall.c
@@ -10705,6 +10705,23 @@ static int do_wan2lan(FILE *fp)
 return(0);
 }
 
+/*
+ * Procedure : do_block_SSH_wan
+ * Purpose : To block SSH from WAN IP
+ * Parameters :
+ * fp : An open file to write wan2lan rules to
+ * Return Values :
+ * 0 : Success
+ */
+
+static int do_block_SSH_wan(FILE *fp)
+{
+ FIREWALL_DEBUG("Entering do_block_SSH_wan\n");
+ fprintf(fp, "-I INPUT 1 -i brlan0 -d %s -p tcp --dport 10022 -j REJECT", current_wan_ipaddr);
+ FIREWALL_DEBUG("Exiting do_block_SSH_wan\n");
+ return(0);
+}
+
 /*
 ==========================================================================
 Ephemeral filter rules
@@ -13710,6 +13727,8 @@ static int prepare_enabled_ipv4_firewall(FILE *raw_fp, FILE *mangle_fp, FILE *na
 do_lan2wan(mangle_fp, filter_fp, nat_fp);
 do_wan2lan(filter_fp);
 do_filter_table_general_rules(filter_fp);
+ if(isWanReady)
+ do_block_SSH_wan(filter_fp);
 #if defined(SPEED_BOOST_SUPPORTED)
 WAN_FAILOVER_SUPPORT_CHECK
 if(isWanServiceReady)

From 902608a07994c057589f1fdf960bc0aa29a06090 Mon Sep 17 00:00:00 2001
From: usi096
Date: Tue, 27 Jan 2026 07:29:42 +0000
Subject: [PATCH 2/7] RDKB-62412 LAN SSH dropbear allows wan SSH

Signed-off-by: usi096
---
 source/firewall/firewall.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/source/firewall/firewall.c b/source/firewall/firewall.c
index 021a11ff..f4f85d96 100644
--- a/source/firewall/firewall.c
+++ b/source/firewall/firewall.c
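Review bot: do_block_SSH_wan substitutes current_wan_ipaddr into the `-d %s` match without checking that it holds an address, so if isWanReady is set while the address is still empty the line written is `-I INPUT 1 -i brlan0 -d  -p tcp --dport 10022 -j REJECT`, which the rule loader will presumably reject, and a rejected line can take the rest of the filter table down with it. A guard at the top of the function, `if (current_wan_ipaddr[0] == '\0') return(0);`, keeps the rule set loadable (if the file uses a placeholder value for "no WAN address yet", check for that too). The interface `brlan0` and port `10022` are hard-coded; a named constant for the LAN SSH port and the file's own LAN bridge variable, if it has one, would keep this rule in step with the rules around it. The same body is rewritten by patches 3, 4, 6 and 7 and the point carries over to each of them.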
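Review bot: The new call is gated only on isWanReady and sits in prepare_enabled_ipv4_firewall, so the REJECT covers the current IPv4 WAN address only; if dropbear also listens on the WAN IPv6 address, the LAN-to-WAN-SSH path this series closes presumably stays open over IPv6, so the IPv6 rule builder should get the equivalent rule or the commit message should say why none is needed. prepare_enabled_ipv4_firewall starts and ends outside the hunk.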
@@ -10713,7 +10713,7 @@ static int do_wan2lan(FILE *fp)
 * Return Values :
 * 0 : Success
 */
-
+#ifdef _SR213_PRODUCT_REQ_
 static int do_block_SSH_wan(FILE *fp)
 {
 FIREWALL_DEBUG("Entering do_block_SSH_wan\n");
@@ -10721,6 +10721,7 @@ static int do_block_SSH_wan(FILE *fp)
 FIREWALL_DEBUG("Exiting do_block_SSH_wan\n");
 return(0);
 }
+#endif
 
 /*
 ==========================================================================
@@ -13727,8 +13728,10 @@ static int prepare_enabled_ipv4_firewall(FILE *raw_fp, FILE *mangle_fp, FILE *na
 do_lan2wan(mangle_fp, filter_fp, nat_fp);
 do_wan2lan(filter_fp);
 do_filter_table_general_rules(filter_fp);
+#ifdef _SR213_PRODUCT_REQ_
 if(isWanReady)
 do_block_SSH_wan(filter_fp);
+#endif
 #if defined(SPEED_BOOST_SUPPORTED)
 WAN_FAILOVER_SUPPORT_CHECK
 if(isWanServiceReady)

From 81cf3622afde4e6c8aea83dfa33d8ed6d03603bb Mon Sep 17 00:00:00 2001
From: usi096
Date: Tue, 27 Jan 2026 07:29:42 +0000
Subject: [PATCH 3/7] RDKB-62412 LAN SSH dropbear allows wan SSH

Signed-off-by: usi096
---
 source/firewall/firewall.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/source/firewall/firewall.c b/source/firewall/firewall.c
index f4f85d96..91072f90 100644
--- a/source/firewall/firewall.c
+++ b/source/firewall/firewall.c
@@ -10717,8 +10717,8 @@ static int do_wan2lan(FILE *fp)
 static int do_block_SSH_wan(FILE *fp)
 {
 FIREWALL_DEBUG("Entering do_block_SSH_wan\n");
- fprintf(fp, "-I INPUT 1 -i brlan0 -d %s -p tcp --dport 10022 -j REJECT", current_wan_ipaddr);
- FIREWALL_DEBUG("Exiting do_block_SSH_wan\n");
+ fprintf(fp, "-I INPUT 1 -i brlan0 -d %s -p tcp --dport 10022 -j REJECT\n", current_wan_ipaddr);
+ FIREWALL_DEBUG("Exiting do_block_SSH_wan %s \n", current_wan_ipaddr);
 return(0);
 }
 #endif

From 42bb7b0ecc3ee2c8d010cc7ffedc20755f98a5cb Mon Sep 17 00:00:00 2001
From: usi096
Date: Tue, 27 Jan 2026 07:29:42 +0000
Subject: [PATCH 4/7] RDKB-62412 LAN SSH dropbear allows wan SSH
Signed-off-by: usi096
---
 source/firewall/firewall.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/source/firewall/firewall.c b/source/firewall/firewall.c
index 91072f90..bc2660cf 100644
--- a/source/firewall/firewall.c
+++ b/source/firewall/firewall.c
@@ -10718,7 +10718,7 @@ static int do_block_SSH_wan(FILE *fp)
 {
 FIREWALL_DEBUG("Entering do_block_SSH_wan\n");
 fprintf(fp, "-I INPUT 1 -i brlan0 -d %s -p tcp --dport 10022 -j REJECT\n", current_wan_ipaddr);
- FIREWALL_DEBUG("Exiting do_block_SSH_wan %s \n", current_wan_ipaddr);
+ FIREWALL_DEBUG("Exiting do_block_SSH_wan\n");
 return(0);
 }
 #endif

From c134036295f5cf8b325d5f4ba12304222b646285 Mon Sep 17 00:00:00 2001
From: usi096
Date: Tue, 27 Jan 2026 07:29:42 +0000
Subject: [PATCH 5/7] RDKB-62412 LAN SSH dropbear allows wan SSH

Signed-off-by: usi096
---
 source/firewall/firewall.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/source/firewall/firewall.c b/source/firewall/firewall.c
index bc2660cf..d360c02e 100644
--- a/source/firewall/firewall.c
+++ b/source/firewall/firewall.c
@@ -10707,9 +10707,9 @@ static int do_wan2lan(FILE *fp)
 
 /*
 * Procedure : do_block_SSH_wan
- * Purpose : To block SSH from WAN IP
+ * Purpose : To block SSH using WAN IP from LAN client
 * Parameters :
- * fp : An open file to write wan2lan rules to
+ * fp : An open file to write rules to block SSH using WAN IP in LAN client
 * Return Values :
 * 0 : Success
 */

From 7b0f7312f27f32e95f59e98a09e2f8514571282a Mon Sep 17 00:00:00 2001
From: usi096
Date: Tue, 27 Jan 2026 07:29:42 +0000
Subject: [PATCH 6/7] RDKB-62412 LAN SSH dropbear allows wan SSH

Signed-off-by: usi096
---
 source/firewall/firewall.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/source/firewall/firewall.c b/source/firewall/firewall.c
index d360c02e..87219178 100644
--- a/source/firewall/firewall.c
+++ b/source/firewall/firewall.c
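Review bot: The reworded header still does not state what the rule matches or when it is emitted, which is what a reader of this comment needs: TCP port 10022 arriving on brlan0 addressed to the current IPv4 WAN address, written only when isWanReady holds and only for the product selected by the surrounding #ifdef. One extra line under Purpose, e.g. ` * Note : IPv4 WAN address only; emitted when isWanReady is set`, would make that visible without reading the caller. Whether 10022 is the LAN dropbear port is implied by the subject line but written down nowhere in the code; naming it in the comment would help too.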
@@ -10706,7 +10706,7 @@ static int do_wan2lan(FILE *fp)
 }
 
 /*
- * Procedure : do_block_SSH_wan
+ * Procedure : do_block_lan_access_to_wan_ssh
 * Purpose : To block SSH using WAN IP from LAN client
 * Parameters :
 * fp : An open file to write rules to block SSH using WAN IP in LAN client
@@ -10714,11 +10714,11 @@ static int do_wan2lan(FILE *fp)
 * Return Values :
 * 0 : Success
 */
 #ifdef _SR213_PRODUCT_REQ_
-static int do_block_SSH_wan(FILE *fp)
+static int do_block_lan_access_to_wan_ssh(FILE *fp)
 {
- FIREWALL_DEBUG("Entering do_block_SSH_wan\n");
+ FIREWALL_DEBUG("Entering do_block_lan_access_to_wan_ssh\n");
 fprintf(fp, "-I INPUT 1 -i brlan0 -d %s -p tcp --dport 10022 -j REJECT\n", current_wan_ipaddr);
- FIREWALL_DEBUG("Exiting do_block_SSH_wan\n");
+ FIREWALL_DEBUG("Exiting do_block_lan_access_to_wan_ssh\n");
 return(0);
 }
 #endif
@@ -13730,7 +13730,7 @@ static int prepare_enabled_ipv4_firewall(FILE *raw_fp, FILE *mangle_fp, FILE *na
 do_filter_table_general_rules(filter_fp);
 #ifdef _SR213_PRODUCT_REQ_
 if(isWanReady)
- do_block_SSH_wan(filter_fp);
+ do_block_lan_access_to_wan_ssh(filter_fp);
 #endif
 #if defined(SPEED_BOOST_SUPPORTED)
 WAN_FAILOVER_SUPPORT_CHECK

From 486613b5c5cf5aea7a9ef6d04843e734191218c5 Mon Sep 17 00:00:00 2001
From: usi096
Date: Tue, 27 Jan 2026 07:29:42 +0000
Subject: [PATCH 7/7] RDKB-62412 LAN SSH dropbear allows wan SSH

Signed-off-by: usi096
---
 source/firewall/firewall.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/source/firewall/firewall.c b/source/firewall/firewall.c
index 87219178..370854d4 100644
--- a/source/firewall/firewall.c
+++ b/source/firewall/firewall.c
@@ -10713,7 +10713,7 @@ static int do_wan2lan(FILE *fp)
 * Return Values :
 * 0 : Success
 */
-#ifdef _SR213_PRODUCT_REQ_
+#if defined(_SR213_PRODUCT_REQ_) || defined(_SCER11BEL_PRODUCT_REQ_)
 static int do_block_lan_access_to_wan_ssh(FILE *fp)
 {
 FIREWALL_DEBUG("Entering do_block_lan_access_to_wan_ssh\n");
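Review bot: The product guard `#if defined(_SR213_PRODUCT_REQ_) || defined(_SCER11BEL_PRODUCT_REQ_)` is now spelled out twice, here and at the call site in the second hunk of this patch, so adding the next product means editing both or ending up with a call to a function that is not compiled in. Defining one feature macro in one place, e.g. `#if defined(_SR213_PRODUCT_REQ_) || defined(_SCER11BEL_PRODUCT_REQ_)` / `#define BLOCK_LAN_ACCESS_TO_WAN_SSH 1` / `#endif` (constructed name), and guarding both sites with `#ifdef BLOCK_LAN_ACCESS_TO_WAN_SSH` keeps the two in step. The definition of do_block_lan_access_to_wan_ssh runs past the end of this hunk.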
@@ -13728,7 +13728,7 @@ static int prepare_enabled_ipv4_firewall(FILE *raw_fp, FILE *mangle_fp, FILE *na
 do_lan2wan(mangle_fp, filter_fp, nat_fp);
 do_wan2lan(filter_fp);
 do_filter_table_general_rules(filter_fp);
-#ifdef _SR213_PRODUCT_REQ_
+#if defined(_SR213_PRODUCT_REQ_) || defined(_SCER11BEL_PRODUCT_REQ_)
 if(isWanReady)
 do_block_lan_access_to_wan_ssh(filter_fp);
 #endif