6 # Uncomment this line to disable ipv6 rules
7 # option disable_ipv6 1
30 # We need to accept udp packets on port 68 (the DHCP client port) so that lease renewals are not dropped,
31 # see https://dev.openwrt.org/ticket/4108
33 option name Allow-DHCP-Renew
42 option name Allow-Ping
45 option icmp_type echo-request
50 option name Allow-IGMP
56 # Allow DHCPv6 replies
57 # see https://dev.openwrt.org/ticket/10381
59 option name Allow-DHCPv6
62 option src_ip fe80::/10
64 option dest_ip fe80::/10
73 option src_ip fe80::/10
74 list icmp_type '130/0'
75 list icmp_type '131/0'
76 list icmp_type '132/0'
77 list icmp_type '143/0'
81 # Allow essential incoming IPv6 ICMP traffic
83 option name Allow-ICMPv6-Input
86 list icmp_type echo-request
87 list icmp_type echo-reply
88 list icmp_type destination-unreachable
89 list icmp_type packet-too-big
90 list icmp_type time-exceeded
91 list icmp_type bad-header
92 list icmp_type unknown-header-type
93 list icmp_type router-solicitation
94 list icmp_type neighbour-solicitation
95 list icmp_type router-advertisement
96 list icmp_type neighbour-advertisement
101 # Allow essential forwarded IPv6 ICMP traffic
103 option name Allow-ICMPv6-Forward
107 list icmp_type echo-request
108 list icmp_type echo-reply
109 list icmp_type destination-unreachable
110 list icmp_type packet-too-big
111 list icmp_type time-exceeded
112 list icmp_type bad-header
113 list icmp_type unknown-header-type
114 option limit 1000/sec
118 # include a file with the user's custom iptables rules (it is executed as a shell script, so keep it writable by root only)
120 option path /etc/firewall.user
123 ### EXAMPLE CONFIG SECTIONS
124 # do not allow a specific ip to access wan
127 # option src_ip 192.168.45.2
130 # option target REJECT
132 # block a specific mac on wan (a client can change its MAC address, so do not rely on this as a strong control)
135 # option src_mac 00:11:22:33:44:66
136 # option target REJECT
138 # block incoming ICMP traffic on a zone
144 # redirect a port coming in on wan to a host on lan
147 # option src_dport 80
149 # option dest_ip 192.168.16.235
150 # option dest_port 80
153 # port redirect of remapped ssh port (22001) on wan
156 # option src_dport 22001
158 # option dest_port 22
161 # allow IPsec/ESP and ISAKMP passthrough
165 # option protocol esp
166 # option target ACCEPT
171 # option src_port 500
172 # option dest_port 500
174 # option target ACCEPT
176 ### FULL CONFIG SECTIONS
179 # option src_ip 192.168.45.2
180 # option src_mac 00:11:22:33:44:55
183 # option dest_ip 194.25.2.129
184 # option dest_port 120
186 # option target REJECT
190 # option src_ip 192.168.45.2
191 # option src_mac 00:11:22:33:44:55
192 # option src_port 1024
193 # option src_dport 80
194 # option dest_ip 194.25.2.129
195 # option dest_port 120