config zone
option name lan
- option network 'lan'
+ list network 'lan'
option input ACCEPT
option output ACCEPT
- option forward REJECT
+ option forward ACCEPT
config zone
option name wan
- option network 'wan'
+ list network 'wan'
+ list network 'wan6'
option input REJECT
option output ACCEPT
option forward REJECT
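Review bot: The lan zone's `option forward ACCEPT` is changed without a comment, and combined with the switch to `list network 'lan'` it means any network later appended to this zone can forward to every other network in it. A guest or IoT segment added to that list would reach the main LAN without an explicit forwarding rule. I would add a comment above the option, `# forward ACCEPT: networks listed in this zone can reach each other; put untrusted segments in their own zone`, or keep `REJECT` if intra-zone routing is not needed. The wan zone keeps `input REJECT` and `forward REJECT`, so the added `wan6` inherits the restrictive policy.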
option family ipv4
option target ACCEPT
+config rule
+ option name Allow-IGMP
+ option src wan
+ option proto igmp
+ option family ipv4
+ option target ACCEPT
+
# Allow DHCPv6 replies
# see https://dev.openwrt.org/ticket/10381
config rule
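Review bot: The new Allow-IGMP rule accepts every IGMP packet arriving on wan as router input, with no source restriction and no header comment, unlike the neighbouring rules. It is presumably meant for upstream multicast such as IPTV; on a router that runs no multicast proxy it only widens the WAN-facing input surface. I would add a header comment such as `# Allow IGMP from the upstream network (multicast/IPTV); remove if no multicast proxy runs on this router`.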
option family ipv6
option target ACCEPT
+config rule
+ option name Allow-MLD
+ option src wan
+ option proto icmp
+ option src_ip fe80::/10
+ list icmp_type '130/0'
+ list icmp_type '131/0'
+ list icmp_type '132/0'
+ list icmp_type '143/0'
+ option family ipv6
+ option target ACCEPT
+
# Allow essential incoming IPv6 ICMP traffic
config rule
option name Allow-ICMPv6-Input
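Review bot: The Allow-MLD rule gives its ICMPv6 types only as numbers and has no header comment, so a reader auditing the WAN input rules cannot tell which messages are admitted. A comment like `# Allow MLD from link-local sources: 130 query, 131 report, 132 done, 143 MLDv2 report` would document it. The rule also relies on `option family ipv6` for `option proto icmp` to be treated as ICMPv6, so the comment should say that the family line must stay. Restricting the source with `option src_ip fe80::/10` is a sensible scope and worth keeping if the rule is edited later.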
option family ipv6
option target ACCEPT
-# Block ULA-traffic from leaking out
-config rule
- option name Enforce-ULA-Border-Src
- option src *
- option dest wan
- option proto all
- option src_ip fc00::/7
- option family ipv6
- option target REJECT
-
-config rule
- option name Enforce-ULA-Border-Dest
- option src *
- option dest wan
- option proto all
- option dest_ip fc00::/7
- option family ipv6
- option target REJECT
-
# include a file with users custom iptables rules
config include
option path /etc/firewall.user