From b8b52fb096c0aa9d4db0435d18a2e257d000f195 Mon Sep 17 00:00:00 2001
From: Howard Wu
Date: Fri, 1 Dec 2023 16:51:29 +0800
Subject: [PATCH] rockchip: don't allow forward by default

For security
Same as the official OpenWrt, only allowed in zone lan
---
 target/linux/rockchip/armv8/base-files/root/setup.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/target/linux/rockchip/armv8/base-files/root/setup.sh b/target/linux/rockchip/armv8/base-files/root/setup.sh
index 6e39d7c4b40630..75ccc8b704afc6 100755
--- a/target/linux/rockchip/armv8/base-files/root/setup.sh
+++ b/target/linux/rockchip/armv8/base-files/root/setup.sh
@@ -35,7 +35,7 @@ function init_firewall_ipv6() {
 function init_firewall() {
 uci set firewall.@defaults[0].input='ACCEPT'
 uci set firewall.@defaults[0].output='ACCEPT'
- uci set firewall.@defaults[0].forward='ACCEPT'
+ uci set firewall.@defaults[0].forward='REJECT'
 case "$boardname" in
 nanopi-r5s | nanopi-r2s | nanopi-r2)
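Review bot: The context line two above the change still sets `firewall.@defaults[0].input='ACCEPT'`, so traffic arriving on an interface that is not bound to any zone is still accepted by the router itself even though forwarding is now rejected. If the aim stated in the description is to match upstream defaults, consider tightening that line too, e.g. `uci set firewall.@defaults[0].input='REJECT'`, after confirming that the lan zone carries its own `input='ACCEPT'` so management access is not lost. The zone and forwarding sections are not visible in this hunk, so whether lan-to-wan routing keeps working under the new default is an assumption to verify on a freshly set-up board. A short comment above the three defaults, such as `# defaults cover traffic outside any zone; zone policies are configured below`, would record the intent. init_firewall's body continues past the end of the hunk.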