6 # Uncomment the next line to disable IPv6 rules
7 # option disable_ipv6 1
30 # We need to accept udp packets on port 68,
31 # see https://dev.openwrt.org/ticket/4108
33 option name Allow-DHCP-Renew
42 option name Allow-Ping
45 option icmp_type echo-request
50 option name Allow-IGMP
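56 # Allow DHCPv6 replies (the fc00::/6 match used below spans fc00:: through ffff::, which includes ULA fc00::/7 and link-local fe80::/10 addresses as well as multicast)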
57 # see https://dev.openwrt.org/ticket/10381
59 option name Allow-DHCPv6
62 option src_ip fc00::/6
63 option dest_ip fc00::/6
72 option src_ip fe80::/10
73 list icmp_type '130/0'
74 list icmp_type '131/0'
75 list icmp_type '132/0'
76 list icmp_type '143/0'
80 # Allow essential incoming IPv6 ICMP traffic
82 option name Allow-ICMPv6-Input
85 list icmp_type echo-request
86 list icmp_type echo-reply
87 list icmp_type destination-unreachable
88 list icmp_type packet-too-big
89 list icmp_type time-exceeded
90 list icmp_type bad-header
91 list icmp_type unknown-header-type
92 list icmp_type router-solicitation
93 list icmp_type neighbour-solicitation
94 list icmp_type router-advertisement
95 list icmp_type neighbour-advertisement
100 # Allow essential forwarded IPv6 ICMP traffic
102 option name Allow-ICMPv6-Forward
106 list icmp_type echo-request
107 list icmp_type echo-reply
108 list icmp_type destination-unreachable
109 list icmp_type packet-too-big
110 list icmp_type time-exceeded
111 list icmp_type bad-header
112 list icmp_type unknown-header-type
113 option limit 1000/sec
117 # include a file with the user's custom iptables rules (the firewall executes it as a shell script, so keep it writable by root only)
119 option path /etc/firewall.user
122 ### EXAMPLE CONFIG SECTIONS
123 # do not allow a specific ip to access wan
126 # option src_ip 192.168.45.2
129 # option target REJECT
131 # block a specific mac on wan
134 # option src_mac 00:11:22:33:44:66
135 # option target REJECT
137 # block incoming ICMP traffic on a zone
143 # redirect a port coming in on wan to lan
146 # option src_dport 80
148 # option dest_ip 192.168.16.235
149 # option dest_port 80
152 # port redirect of remapped ssh port (22001) on wan
155 # option src_dport 22001
157 # option dest_port 22
160 # allow IPsec/ESP and ISAKMP passthrough
174 ### FULL CONFIG SECTIONS
177 # option src_ip 192.168.45.2
178 # option src_mac 00:11:22:33:44:55
181 # option dest_ip 194.25.2.129
182 # option dest_port 120
184 # option target REJECT
188 # option src_ip 192.168.45.2
189 # option src_mac 00:11:22:33:44:55
190 # option src_port 1024
191 # option src_dport 80
192 # option dest_ip 194.25.2.129
193 # option dest_port 120