diff --git a/root/etc/config/firewall b/root/etc/config/firewall
index 48b2440..0c0e2c2 100644
--- a/root/etc/config/firewall
+++ b/root/etc/config/firewall
@@ -33,10 +33,19 @@ config rule
 	option name		Allow-DHCP-Renew
 	option src		wan
 	option proto		udp
+	option src_port		67
 	option dest_port	68
 	option target		ACCEPT
 	option family		ipv4
 
+config rule
+	option name		Drop-DHCP-Unsolicited
+	option src		wan
+	option proto		udp
+	option dst_port		68
+	option target		DROP
+	option family		ipv4
+
 # Allow IPv4 ping
 config rule
 	option name		Allow-Ping
@@ -59,10 +68,19 @@ config rule
 	option name		Allow-DHCPv6
 	option src		wan
 	option proto		udp
+	option src_port		547
 	option dest_port	546
 	option family		ipv6
 	option target		ACCEPT
 
+config rule
+	option name		Drop-DHCPv6-Unsolicited
+	option src		wan
+	option proto		udp
+	option dest_port	546
+	option family		ipv6
+	option target		DROP
+
 config rule
 	option name		Allow-MLD
 	option src		wan