# Global firewall defaults. 'forward REJECT' means traffic between zones is
# denied unless a 'config forwarding' section below grants it explicitly.
# syn_flood 1: turns on the firewall's SYN-flood rate limiting (fw3 option
# semantics — confirm against the installed firewall version; the actual
# rate limits are the firewall's defaults, nothing is tuned here).
config defaults
	option syn_flood 1
	option input ACCEPT
	option output ACCEPT
	option forward REJECT
	# Uncomment this line to disable ipv6 rules
	# option disable_ipv6 1
8
# Trusted side: everything from, to and within the lan zone is accepted.
# NOTE(review): a zone's 'forward' policy governs traffic between networks
# inside that zone; lan -> wan is still granted separately by the
# 'config forwarding' section below (fw3 semantics — confirm).
config zone
	option name lan
	list network 'lan'
	option input ACCEPT
	option output ACCEPT
	option forward ACCEPT
15
# Untrusted side: unsolicited input to the router and forwarding out of this
# zone are rejected; only the explicit 'config rule' entries below punch
# holes. Both the IPv4 (wan) and IPv6 (wan6) networks belong to this zone.
# masq 1 / mtu_fix 1: masquerade (NAT) traffic leaving via wan and clamp TCP
# MSS to the path MTU (fw3 option semantics — confirm for the installed version).
# NOTE(review): REJECT actively answers probes with ICMP errors; if this is
# changed to DROP, see Support-UDP-Traceroute below, which exists for that case.
config zone
	option name wan
	list network 'wan'
	list network 'wan6'
	option input REJECT
	option output ACCEPT
	option forward REJECT
	option masq 1
	option mtu_fix 1
25
# The only inter-zone forwarding granted: lan -> wan. There is deliberately
# no wan -> lan forwarding section; wan-originated traffic into lan is limited
# to the explicit rules below (Allow-ICMPv6-Forward, Allow-IPSec-ESP, Allow-ISAKMP).
config forwarding
	option src lan
	option dest wan
29
# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
# Lets DHCP server replies/renewals reach the router's own DHCP client on wan.
# NOTE(review): there is no 'src_port 67' and no dest, so — under the usual
# fw3 convention that a rule without dest is an input rule — any wan host may
# send UDP to port 68 on the router. Acceptable for a DHCP client listener,
# but worth knowing when auditing which ports are reachable from wan.
config rule
	option name Allow-DHCP-Renew
	option src wan
	option proto udp
	option dest_port 68
	option target ACCEPT
	option family ipv4
39
# Allow IPv4 ping
# Only ICMP echo-request is accepted from wan; every other IPv4 ICMP type
# falls through to the wan zone's input policy (REJECT). No rate limit is
# applied here, unlike the ICMPv6 rules below.
config rule
	option name Allow-Ping
	option src wan
	option proto icmp
	option icmp_type echo-request
	option family ipv4
	option target ACCEPT
48
# Allow IGMP (IPv4 multicast group management) from wan. No type or source
# restriction, so all IGMP messages from any wan host are accepted.
# NOTE(review): only needed if the router participates in multicast on wan;
# otherwise this rule can be disabled to reduce the exposed surface.
config rule
	option name Allow-IGMP
	option src wan
	option proto igmp
	option family ipv4
	option target ACCEPT
55
# Allow DHCPv6 replies
# see https://dev.openwrt.org/ticket/10381
# fc00::/6 spans fc00:: through ffff:..., i.e. ULA (fc00::/7), link-local
# (fe80::/10) and multicast (ff00::/8). Both source and destination must be in
# that range, so packets to or from globally routed addresses never match.
# UDP/546 is the DHCPv6 client port (the router's own client; no dest = input).
config rule
	option name Allow-DHCPv6
	option src wan
	option proto udp
	option src_ip fc00::/6
	option dest_ip fc00::/6
	option dest_port 546
	option family ipv6
	option target ACCEPT
67
# Allow MLD (IPv6 Multicast Listener Discovery) from link-local sources only.
# ICMPv6 type/code pairs: 130/0 listener query, 131/0 listener report,
# 132/0 listener done, 143/0 MLDv2 listener report. 'proto icmp' with
# 'family ipv6' means ICMPv6 here, as in the other IPv6 rules of this file.
config rule
	option name Allow-MLD
	option src wan
	option proto icmp
	option src_ip fe80::/10
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family ipv6
	option target ACCEPT
79
# Allow essential incoming IPv6 ICMP traffic
# Destined to the router itself (no dest). Covers the types IPv6 cannot work
# without — PMTUD errors (packet-too-big, destination-unreachable,
# time-exceeded), header errors, and NDP/router discovery (solicitations and
# advertisements) — plus echo in both directions.
# 'limit 1000/sec' rate-limits matches of this rule; packets above the limit
# are not accepted by it and fall through to the wan input policy (REJECT)
# (fw3 semantics — confirm). Note that advertisements are accepted from any
# wan source; there is no link-local restriction like Allow-MLD has.
config rule
	option name Allow-ICMPv6-Input
	option src wan
	option proto icmp
	list icmp_type echo-request
	list icmp_type echo-reply
	list icmp_type destination-unreachable
	list icmp_type packet-too-big
	list icmp_type time-exceeded
	list icmp_type bad-header
	list icmp_type unknown-header-type
	list icmp_type router-solicitation
	list icmp_type neighbour-solicitation
	list icmp_type router-advertisement
	list icmp_type neighbour-advertisement
	option limit 1000/sec
	option family ipv6
	option target ACCEPT
99
# Allow essential forwarded IPv6 ICMP traffic
# 'dest *' = forwarded from wan into any zone. Deliberately narrower than
# Allow-ICMPv6-Input: the NDP/router discovery types are NOT forwarded
# (they are link-local by nature); only echo and the error types needed for
# PMTUD and traceroute pass through, rate-limited to 1000/sec like the input rule.
config rule
	option name Allow-ICMPv6-Forward
	option src wan
	option dest *
	option proto icmp
	list icmp_type echo-request
	list icmp_type echo-reply
	list icmp_type destination-unreachable
	list icmp_type packet-too-big
	list icmp_type time-exceeded
	list icmp_type bad-header
	list icmp_type unknown-header-type
	option limit 1000/sec
	option family ipv6
	option target ACCEPT
116
# Forward IPsec ESP from wan into the lan zone. No 'family' (applies to IPv4
# and IPv6) and no 'dest_ip', so any lan host may receive ESP from any wan host.
# NOTE(review): this is only needed when a lan host terminates IPsec tunnels.
# Pin it with 'option dest_ip <host>' or disable it otherwise; an unsolicited
# ESP stream into an arbitrary lan host is not useful to a legitimate peer.
# Paired with Allow-ISAKMP below (the key exchange for the same tunnels).
config rule
	option name Allow-IPSec-ESP
	option src wan
	option dest lan
	option proto esp
	option target ACCEPT
123
# Forward IKE (ISAKMP, UDP/500) from wan into lan — the key exchange that
# goes with Allow-IPSec-ESP above. Same caveats: no 'family', no 'dest_ip',
# so UDP/500 from any wan host reaches any lan host.
# NOTE(review): IPsec NAT traversal (UDP/4500) is not opened here; if a lan
# endpoint needs NAT-T, that requires an additional, ideally dest_ip-pinned, rule.
config rule
	option name Allow-ISAKMP
	option src wan
	option dest lan
	option dest_port 500
	option proto udp
	option target ACCEPT
131
# allow interoperability with traceroute classic
# note that traceroute uses a fixed port range, and depends on getting
# back ICMP Unreachables. if we're operating in DROP mode, it won't
# work so we explicitly REJECT packets on these ports.
# Disabled by default ('enabled false'): with the wan zone's input policy at
# REJECT the probes already get an ICMP unreachable, so this rule only matters
# if that policy is changed to DROP. IPv4 only; UDP ports 33434-33689.
config rule
	option name Support-UDP-Traceroute
	option src wan
	option dest_port 33434:33689
	option proto udp
	option family ipv4
	option target REJECT
	option enabled false
144
# include a file with users custom iptables rules
# NOTE(review): the included file is typically run as a shell script by the
# firewall (as root) on every reload (fw3 behaviour — confirm), so it must be
# root-owned and not writable by other users. Anything it does is outside the
# policy expressed in this file and must be reviewed separately.
config include
	option path /etc/firewall.user
148
149
150 ### EXAMPLE CONFIG SECTIONS
# do not allow a specific ip to access wan — TCP only, because of
# 'option proto tcp' below; drop that line to block every protocol
152 #config rule
153 # option src lan
154 # option src_ip 192.168.45.2
155 # option dest wan
156 # option proto tcp
157 # option target REJECT
158
# block a specific mac from reaching wan (matches forwarded traffic by
# src_mac; MAC addresses are trivially spoofed, so treat this as a
# convenience filter, not a security boundary)
160 #config rule
161 # option dest wan
162 # option src_mac 00:11:22:33:44:66
163 # option target REJECT
164
# block incoming ICMP traffic on a zone (here: all ICMP from lan to the
# router itself — no dest means an input rule, as in the Allow-* rules above;
# protocol spelled lowercase for consistency with the rest of this file)
#config rule
# option src lan
# option proto icmp
# option target DROP
170
171 # port redirect port coming in on wan to lan
172 #config redirect
173 # option src wan
174 # option src_dport 80
175 # option dest lan
176 # option dest_ip 192.168.16.235
177 # option dest_port 80
178 # option proto tcp
179
# port redirect of remapped ssh port (22001) on wan. Unlike the example
# above this has no dest_ip, so confirm which host actually receives port 22
# before enabling it; exposing ssh on wan at all warrants key-only auth.
181 #config redirect
182 # option src wan
183 # option src_dport 22001
184 # option dest lan
185 # option dest_port 22
186 # option proto tcp
187
188 ### FULL CONFIG SECTIONS
189 #config rule
190 # option src lan
191 # option src_ip 192.168.45.2
192 # option src_mac 00:11:22:33:44:55
193 # option src_port 80
194 # option dest wan
195 # option dest_ip 194.25.2.129
196 # option dest_port 120
197 # option proto tcp
198 # option target REJECT
199
200 #config redirect
201 # option src lan
202 # option src_ip 192.168.45.2
203 # option src_mac 00:11:22:33:44:55
204 # option src_port 1024
205 # option src_dport 80
206 # option dest_ip 194.25.2.129
207 # option dest_port 120
208 # option proto tcp