firewall: add rule for traceroute support

[openwrt/openwrt.git] / package / network / config / firewall / files / firewall.config

diff --git a/package/network/config/firewall/files/firewall.config b/package/network/config/firewall/files/firewall.config
index 8874e9882c3083932fc90e061739dc265992eb61..5e22f984ce9f9e0ef3bd63f73816356c2dd1d8df 100644 (file)
--- a/package/network/config/firewall/files/firewall.config
+++ b/package/network/config/firewall/files/firewall.config
@@ -129,6 +129,19 @@ config rule
        option proto            udp
        option target           ACCEPT
 
+# allow interoperability with traceroute classic
+# note that traceroute uses a fixed port range, and depends on getting
+# back ICMP Unreachables.  if we're operating in DROP mode, it won't
+# work so we explicitly REJECT packets on these ports.
+config rule
+       option name             Support-UDP-Traceroute
+       option src              wan
+       option dest_port        33434:33689
+       option proto            udp
+       option family           ipv4
+       option target           REJECT
+       option enabled          false
+
 # include a file with users custom iptables rules
 config include
        option path /etc/firewall.user