6 # Uncomment the next line to disable IPv6 rules
7 # option disable_ipv6 1
30 # We need to accept UDP packets on port 68 (the DHCP client port),
31 # see https://dev.openwrt.org/ticket/4108
# NOTE(review): the zone, protocol, port and target lines of this rule are not
# shown in this excerpt; confirm the match is limited to UDP/68 from the
# upstream zone.
33 option name Allow-DHCP-Renew
# Matches ICMP echo requests (ping). The zone, address family and target lines
# of this rule are not shown in this excerpt.
42 option name Allow-Ping
45 option icmp_type echo-request
50 option name Allow-IGMP
56 # Allow DHCPv6 replies
57 # see https://dev.openwrt.org/ticket/10381
# NOTE(review): fc00::/6 matches every address from fc00:: through ffff:...,
# which takes in unique-local (fc00::/7), link-local (fe80::/10) and multicast
# (ff00::/8) space. It is therefore wider than "link-local only", and it does
# not match global unicast (2000::/3) addresses. The zone, protocol, port and
# target lines of this rule are not shown in this excerpt; confirm that the
# rule is also pinned to the DHCPv6 client port.
59 option name Allow-DHCPv6
62 option src_ip fc00::/6
63 option dest_ip fc00::/6
# Restricts the match to link-local sources (fe80::/10). The four entries are
# ICMPv6 type/code pairs for Multicast Listener Discovery: 130 query,
# 131 report, 132 done (MLDv1) and 143 report (MLDv2).
# NOTE(review): the name, zone and target lines of this rule are not shown in
# this excerpt.
72 option src_ip fe80::/10
73 list icmp_type '130/0'
74 list icmp_type '131/0'
75 list icmp_type '132/0'
76 list icmp_type '143/0'
80 # Allow essential incoming IPv6 ICMP traffic
# The list covers echo, the error messages (destination-unreachable,
# packet-too-big, time-exceeded, bad-header, unknown-header-type) and the
# neighbour discovery messages (router/neighbour solicitation and
# advertisement). packet-too-big has to get through for path MTU discovery.
# NOTE(review): router-advertisement is accepted here and the source zone is
# not shown in this excerpt; confirm which zone the rule applies to, since
# router advertisements influence addressing and routing on the receiving
# interface. No rate limit is visible for this rule in the lines shown,
# unlike the forward rule; confirm against the full file.
82 option name Allow-ICMPv6-Input
85 list icmp_type echo-request
86 list icmp_type echo-reply
87 list icmp_type destination-unreachable
88 list icmp_type packet-too-big
89 list icmp_type time-exceeded
90 list icmp_type bad-header
91 list icmp_type unknown-header-type
92 list icmp_type router-solicitation
93 list icmp_type neighbour-solicitation
94 list icmp_type router-advertisement
95 list icmp_type neighbour-advertisement
100 # Allow essential forwarded IPv6 ICMP traffic
# Same echo and error types as the input list, but without the neighbour
# discovery types (router/neighbour solicitation and advertisement), so those
# are not accepted for forwarding by this rule.
# The limit option caps how often this rule matches at 1000 packets per
# second. NOTE(review): packets over the limit presumably fall through to
# later rules or the zone policy, which are not shown in this excerpt.
102 option name Allow-ICMPv6-Forward
106 list icmp_type echo-request
107 list icmp_type echo-reply
108 list icmp_type destination-unreachable
109 list icmp_type packet-too-big
110 list icmp_type time-exceeded
111 list icmp_type bad-header
112 list icmp_type unknown-header-type
113 option limit 1000/sec
118 option name Allow-IPSec-ESP
125 option name Allow-ISAKMP
132 # include a file with the user's custom iptables rules
# NOTE(review): presumably this file is run as a script with the firewall
# service's privileges whenever the rules are loaded (the include type is not
# shown in this excerpt). Keep it owned by root and not writable by other
# users, and review its contents like any other firewall rule.
134 option path /etc/firewall.user
137 ### EXAMPLE CONFIG SECTIONS
138 # do not allow a specific ip to access wan
141 # option src_ip 192.168.45.2
144 # option target REJECT
146 # block a specific mac on wan
149 # option src_mac 00:11:22:33:44:66
150 # option target REJECT
152 # block incoming ICMP traffic on a zone
158 # redirect a port coming in on wan to lan
161 # option src_dport 80
163 # option dest_ip 192.168.16.235
164 # option dest_port 80
167 # port redirect of remapped ssh port (22001) on wan
170 # option src_dport 22001
172 # option dest_port 22
175 ### FULL CONFIG SECTIONS
178 # option src_ip 192.168.45.2
179 # option src_mac 00:11:22:33:44:55
182 # option dest_ip 194.25.2.129
183 # option dest_port 120
185 # option target REJECT
189 # option src_ip 192.168.45.2
190 # option src_mac 00:11:22:33:44:55
191 # option src_port 1024
192 # option src_dport 80
193 # option dest_ip 194.25.2.129
194 # option dest_port 120