From e4a28823310ab5e6efad5e5053d8080cfc4cd9e1 Mon Sep 17 00:00:00 2001
From: Bastian Maeuser
Date: Thu, 9 May 2019 22:23:35 +0200
Subject: [PATCH] Block FastD Connections to the Client Bridge

---
 roles/exit-ip/templates/rules.v4.j2 | 2 ++
 roles/exit-ip/templates/rules.v6.j2 | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/roles/exit-ip/templates/rules.v4.j2 b/roles/exit-ip/templates/rules.v4.j2
index 0e23d23..50a09d6 100644
--- a/roles/exit-ip/templates/rules.v4.j2
+++ b/roles/exit-ip/templates/rules.v4.j2
@@ -8,6 +8,8 @@
 COMMIT
 *filter
 :INPUT ACCEPT [1124:131621]
+-A INPUT -p udp -m multiport -i br-{{ site_code }} --destination-ports {{ fastd_port }}:{{ fastd_port + (fastd_instances-1) }} -j LOG --log-prefix "vpn-int-loop-" -m limit --limit 5/min
+-A INPUT -p udp -m multiport -i br-{{ site_code }} --destination-ports {{ fastd_port }}:{{ fastd_port + (fastd_instances-1) }} -j REJECT
 :FORWARD ACCEPT [0:0]
 -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
 :OUTPUT ACCEPT [1151:175226]
diff --git a/roles/exit-ip/templates/rules.v6.j2 b/roles/exit-ip/templates/rules.v6.j2
index 837d8db..158a650 100644
--- a/roles/exit-ip/templates/rules.v6.j2
+++ b/roles/exit-ip/templates/rules.v6.j2
@@ -1,6 +1,8 @@
 # {{ ansible_managed }}
 *filter
 :INPUT ACCEPT [0:0]
+-A INPUT -p udp -m multiport -i br-{{ site_code }} --destination-ports {{ fastd_port }}:{{ fastd_port + (fastd_instances-1) }} -j LOG --log-prefix "vpn-int-loop-" -m limit --limit 5/min
+-A INPUT -p udp -m multiport -i br-{{ site_code }} --destination-ports {{ fastd_port }}:{{ fastd_port + (fastd_instances-1) }} -j REJECT
 :FORWARD ACCEPT [0:0]
 -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
 :OUTPUT ACCEPT [0:0]
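Review bot: The two new INPUT rules in rules.v4.j2 carry no explanation of why UDP from the client bridge to the fastd port range is rejected, and the log prefix `vpn-int-loop-` is the only hint; a comment line before the LOG rule, which iptables-restore skips, would document the intent, e.g. `# Reject fastd traffic arriving on the client bridge br-{{ site_code }} (VPN loop back into this exit); logged rate-limited first, then rejected`. The same pair of lines is added to rules.v6.j2, so the comment belongs in both templates. The range `{{ fastd_port }}:{{ fastd_port + (fastd_instances-1) }}` presumably relies on `fastd_instances` being at least 1 and `fastd_port` being an integer; with 0 instances the upper bound falls below the lower and iptables-restore would likely reject the file, and with a string-typed port Jinja fails to render, so a guard or an assert on those variables in the role seems worth adding. Writing `-m limit --limit 5/min` before `-j LOG --log-prefix "vpn-int-loop-"` rather than after the target option is the conventional match-then-target ordering and reads more clearly, even if iptables tolerates the current order.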