option proto udp
option target ACCEPT
+# allow interoperability with traceroute classic
+# note that traceroute uses a fixed port range, and depends on getting
+# back ICMP Unreachables. if we're operating in DROP mode, it won't
+# work so we explicitly REJECT packets on these ports.
+config rule
+ option name Support-UDP-Traceroute
+ option src wan
+ option dest_port 33434:33689
+ option proto udp
+ option family ipv4
+ option target REJECT
+ option enabled false
+
# include a file with users custom iptables rules
config include
option path /etc/firewall.user