
SHARMAN-4090 WAN SSH is successful without authentication#354

Open
umasankar098 wants to merge 4 commits into rdkcentral:develop from umasankar098:SHARMAN-4090

Conversation

@umasankar098


Reason for change: Creating a firewall rule to block SSH using WAN IP from LAN client

Test Procedure: NA

Risks: LOW

Priority: P1

Reason for change: Creating a firewall rule to block SSH using WAN IP from LAN client

Test Procedure: NA

Risks: LOW

Priority: P1

Signed-off-by: usi096 <umasankar.srinivasan@sky.uk>
Copilot AI review requested due to automatic review settings June 24, 2026 10:32
@umasankar098 umasankar098 requested review from a team as code owners June 24, 2026 10:32

Copilot AI left a comment


Pull request overview

This PR introduces firewall rules intended to prevent LAN clients from reaching the device’s SSH service via the device’s WAN IP address (port 10022), addressing SHARMAN-4090.

Changes:

  • Add IPv4 INPUT rules to reject LAN-interface TCP/10022 traffic destined to the current WAN IPv4 address.
  • Attempt to add an IPv6 INPUT rule to drop TCP/10022 via a direct ip6tables command.


Comment thread source/firewall/firewall.c Outdated
{
FIREWALL_DEBUG("Entering do_block_lan_access_to_wan_ssh\n");
fprintf(fp, "-I INPUT 1 -i %s -d %s -p tcp --dport 10022 -j REJECT\n", lan_ifname, current_wan_ipaddr);
fprintf(fp, "-I INPUT 2 -i %s -d %s -p tcp --dport 10022 -j ACCEPT\n", lan_ifname, current_lan_ipaddr);
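Review bot: the REJECT line is built with `-d %s` from `current_wan_ipaddr`, but nothing in this hunk checks that the address is populated before the fprintf; when the WAN link is down or the address has not been assigned yet, the generated line reads `-d ` followed directly by `-p tcp`, which iptables-restore rejects and which can abort loading the whole ruleset rather than just this rule. Suggest guarding both fprintf calls with a non-empty check on `current_wan_ipaddr` (and `current_lan_ipaddr`), and noting in a comment that the rule only matches the address captured at generation time, so the firewall has to be regenerated whenever the WAN address changes.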
Comment thread source/firewall/firewall.c Outdated
FIREWALL_DEBUG("Entering do_block_lan_access_to_wan_ssh\n");
fprintf(fp, "-I INPUT 1 -i %s -d %s -p tcp --dport 10022 -j REJECT\n", lan_ifname, current_wan_ipaddr);
fprintf(fp, "-I INPUT 2 -i %s -d %s -p tcp --dport 10022 -j ACCEPT\n", lan_ifname, current_lan_ipaddr);
v_secure_system("ip6tables -I INPUT 1 -p tcp --dport 10022 -j DROP");
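Review bot: the ip6tables rule on the last line is executed directly through `v_secure_system` instead of being written to the rule file like the two IPv4 lines above it, so every call of do_block_lan_access_to_wan_ssh inserts another copy at position 1, and the rule is neither flushed nor rebuilt together with the rest of the IPv6 ruleset. It is also much broader than the IPv4 rules: there is no `-i` and no `-d` match, so it drops TCP/10022 on every interface and to every address, and it uses DROP where the IPv4 rule uses REJECT. Suggest generating it in the IPv6 rule writer and scoping it to the LAN interface and the WAN IPv6 address so it mirrors the IPv4 rule.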
Copilot AI review requested due to automatic review settings June 24, 2026 11:26

Copilot AI left a comment


Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

{
FIREWALL_DEBUG("Entering do_block_lan_access_to_wan_ssh\n");
fprintf(fp, "-I INPUT 1 -i %s -d %s -p tcp --dport 10022 -j REJECT\n", lan_ifname, current_wan_ipaddr);
fprintf(fp, "-I INPUT 2 -i %s -d %s -p tcp --dport 10022 -j ACCEPT\n", lan_ifname, lan_ipaddr);
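Review bot: both rules are pinned to absolute positions with `-I INPUT 1` and `-I INPUT 2`, so their precedence depends on no later code in the same rule file inserting at the head of INPUT; any rule written with `-I INPUT 1` after this function runs lands in front of the REJECT and takes precedence over it. Suggest either documenting that this function must run after all other head-of-INPUT inserts, or placing the two rules in a dedicated chain that INPUT jumps to early. Also, the ACCEPT on the last line now uses `lan_ipaddr` where the earlier revision used `current_lan_ipaddr`; confirm that is the variable holding the LAN interface address and not a stale value.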
Comment thread source/firewall/firewall_ipv6.c Outdated
Comment on lines +521 to +523
#if defined(_SR213_PRODUCT_REQ_)
fprintf(fp, "-I INPUT 1 -p tcp --dport 10022 -j DROP\n");
#endif
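Review bot: the IPv6 rule in this hunk drops all TCP/10022 unconditionally, and only when `_SR213_PRODUCT_REQ_` is defined: unlike the IPv4 REJECT, which matches `-i lan_ifname -d wan_ip`, it has no interface or destination match, so SSH over IPv6 to the device's own LAN address (link-local or ULA) is blocked too, and IPv4 clients receive an ICMP reject while IPv6 clients see a silent DROP. If the intent is only to stop LAN clients reaching the WAN IPv6 address, add the same `-i` and `-d` constraints and use REJECT for consistency; if the intent is to block IPv6 SSH entirely on this product, state that in the PR description, since "Test Procedure: NA" leaves the expected behaviour unverified.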