6 # Uncomment this line to disable ipv6 rules
7 # option disable_ipv6 1
30 # We need to accept udp packets on port 68,
31 # see https://dev.openwrt.org/ticket/4108
33 option name Allow-DHCP-Renew
42 option name Allow-Ping
45 option icmp_type echo-request
50 option name Allow-IGMP
56 # Allow DHCPv6 replies
57 # see https://github.com/openwrt/openwrt/issues/5066
59 option name Allow-DHCPv6
70 option src_ip fe80::/10
71 list icmp_type '130/0'
72 list icmp_type '131/0'
73 list icmp_type '132/0'
74 list icmp_type '143/0'
78 # Allow essential incoming IPv6 ICMP traffic
80 option name Allow-ICMPv6-Input
83 list icmp_type echo-request
84 list icmp_type echo-reply
85 list icmp_type destination-unreachable
86 list icmp_type packet-too-big
87 list icmp_type time-exceeded
88 list icmp_type bad-header
89 list icmp_type unknown-header-type
90 list icmp_type router-solicitation
91 list icmp_type neighbour-solicitation
92 list icmp_type router-advertisement
93 list icmp_type neighbour-advertisement
98 # Allow essential forwarded IPv6 ICMP traffic
100 option name Allow-ICMPv6-Forward
104 list icmp_type echo-request
105 list icmp_type echo-reply
106 list icmp_type destination-unreachable
107 list icmp_type packet-too-big
108 list icmp_type time-exceeded
109 list icmp_type bad-header
110 list icmp_type unknown-header-type
111 option limit 1000/sec
116 option name Allow-IPSec-ESP
123 option name Allow-ISAKMP
131 ### EXAMPLE CONFIG SECTIONS
132 # do not allow a specific ip to access wan
135 # option src_ip 192.168.45.2
138 # option target REJECT
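140 # block a specific mac on wan (a MAC address is set by the client and easily changed, so this is a convenience filter, not access control)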
143 # option src_mac 00:11:22:33:44:66
144 # option target REJECT
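146 # block incoming ICMP traffic on a zone (note: dropping all ICMP also drops the fragmentation-needed messages that path MTU discovery relies on)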
152 # redirect a port coming in on wan to lan
155 # option src_dport 80
157 # option dest_ip 192.168.16.235
158 # option dest_port 80
161 # port redirect of remapped ssh port (22001) on wan (the remapped port only reduces scan noise; the ssh service is still reachable from wan)
164 # option src_dport 22001
166 # option dest_port 22
169 ### FULL CONFIG SECTIONS
172 # option src_ip 192.168.45.2
173 # option src_mac 00:11:22:33:44:55
176 # option dest_ip 194.25.2.129
177 # option dest_port 120
179 # option target REJECT
183 # option src_ip 192.168.45.2
184 # option src_mac 00:11:22:33:44:55
185 # option src_port 1024
186 # option src_dport 80
187 # option dest_ip 194.25.2.129
188 # option dest_port 120