# Global defaults. input/output/forward are the fallback policies for
# traffic that is not covered by any zone below (i.e. interfaces that are
# not assigned to a zone); forwarding is rejected by default.
# syn_flood 1 enables the firewall's SYN-flood protection.
1 config defaults
2 option syn_flood 1
3 option input ACCEPT
4 option output ACCEPT
5 option forward REJECT
6 # Uncomment this line to disable ipv6 rules
7 # option disable_ipv6 1
8
# 'lan' zone: trusted side. Hosts on the lan network may reach the router
# (input ACCEPT) and the router may reach them (output ACCEPT). The zone's
# 'forward' policy covers traffic forwarded between interfaces inside this
# zone; traffic between zones is governed by 'config forwarding' sections.
9 config zone
10 option name lan
11 option network 'lan'
12 option input ACCEPT
13 option output ACCEPT
14 option forward REJECT
15
# 'wan' zone: untrusted side. Unsolicited traffic to the router is
# REJECTed; only the explicit 'config rule' sections below open ports.
# The router may initiate traffic outwards (output ACCEPT).
# masq 1    - source-NAT (masquerade) traffic leaving through this zone
# mtu_fix 1 - clamp the TCP MSS to the link MTU on this zone, which avoids
#             path-MTU black holes on PPPoE-style links
16 config zone
17 option name wan
18 option network 'wan'
19 option input REJECT
20 option output ACCEPT
21 option forward REJECT
22 option masq 1
23 option mtu_fix 1
24
# Allow forwarding from lan to wan only. There is deliberately no
# wan -> lan forwarding section, so nothing from wan is forwarded into
# lan unless a rule or redirect permits it explicitly.
25 config forwarding
26 option src lan
27 option dest wan
28
29 # Accept DHCP replies arriving on the wan side (UDP to the client port 68).
30 # Such replies may come in as broadcasts, which presumably are not matched
# by connection tracking and would otherwise hit the wan zone's input
# REJECT policy; see https://dev.openwrt.org/ticket/4108. IPv4 only.
31 config rule
32 option src wan
33 option proto udp
34 option dest_port 68
35 option target ACCEPT
36 option family ipv4
37
38 # Allow IPv4 ping (ICMP echo-request) from the wan side.
# NOTE(review): unlike the IPv6 ICMP rules below this one carries no
# 'option limit', so echo requests from wan are not rate-limited here.
39 config rule
40 option src wan
41 option proto icmp
42 option icmp_type echo-request
43 option family ipv4
44 option target ACCEPT
45
46 # Allow essential incoming IPv6 ICMP traffic. ICMPv6 is needed for IPv6 to
# work at all (packet-too-big for path-MTU discovery, neighbour discovery),
# so the listed types are accepted despite the wan zone's input REJECT;
# 'limit 1000/sec' rate-limits the whole rule.
# NOTE(review): router-advertisement and neighbour-advertisement are not in
# this list; if the wan link depends on upstream RAs or on replies to the
# solicitations accepted here, confirm they are allowed elsewhere.
47 config rule
48 option src wan
49 option proto icmp
50 list icmp_type echo-request
51 list icmp_type destination-unreachable
52 list icmp_type packet-too-big
53 list icmp_type time-exceeded
54 list icmp_type bad-header
55 list icmp_type unknown-header-type
56 list icmp_type router-solicitation
57 list icmp_type neighbour-solicitation
58 option limit 1000/sec
59 option family ipv6
60 option target ACCEPT
61
62 # Allow essential forwarded IPv6 ICMP traffic from wan to any zone
# ('dest *'). Same type list as the input rule above, minus the
# link-local router/neighbour solicitations, and rate-limited the same way.
63 config rule
64 option src wan
65 option dest *
66 option proto icmp
67 list icmp_type echo-request
68 list icmp_type destination-unreachable
69 list icmp_type packet-too-big
70 list icmp_type time-exceeded
71 list icmp_type bad-header
72 list icmp_type unknown-header-type
73 option limit 1000/sec
74 option family ipv6
75 option target ACCEPT
76
77 # Include a file with the user's custom iptables rules, loaded whenever the
# firewall is (re)started. NOTE(review): presumably executed as a shell
# script with the firewall's privileges, so treat its contents as code.
78 config include
79 option path /etc/firewall.user
80
81
82 ### EXAMPLE CONFIG SECTIONS
83 # do not allow a specific ip to access wan
84 #config rule
85 # option src lan
86 # option src_ip 192.168.45.2
87 # option dest wan
88 # option proto tcp
89 # option target REJECT
90
91 # block a specific mac on wan
92 #config rule
93 # option dest wan
94 # option src_mac 00:11:22:33:44:66
95 # option target REJECT
96
97 # block incoming ICMP traffic on a zone
98 #config rule
99 # option src lan
100 # option proto ICMP
101 # option target DROP
102
103 # redirect a port coming in on wan to a host on lan
104 #config redirect
105 # option src wan
106 # option src_dport 80
107 # option dest lan
108 # option dest_ip 192.168.16.235
109 # option dest_port 80
110 # option proto tcp
111
112 # port redirect of remapped ssh port (22001) on wan
113 #config redirect
114 # option src wan
115 # option src_dport 22001
116 # option dest lan
117 # option dest_port 22
118 # option proto tcp
119
120 # allow IPsec/ESP and ISAKMP passthrough
121 #config rule
122 # option src wan
123 # option dest lan
124 # option proto esp
125 # option target ACCEPT
126
127 #config rule
128 # option src wan
129 # option dest lan
130 # option src_port 500
131 # option dest_port 500
132 # option proto udp
133 # option target ACCEPT
134
135 ### FULL CONFIG SECTIONS
136 #config rule
137 # option src lan
138 # option src_ip 192.168.45.2
139 # option src_mac 00:11:22:33:44:55
140 # option src_port 80
141 # option dest wan
142 # option dest_ip 194.25.2.129
143 # option dest_port 120
144 # option proto tcp
145 # option target REJECT
146
147 #config redirect
148 # option src lan
149 # option src_ip 192.168.45.2
150 # option src_mac 00:11:22:33:44:55
151 # option src_port 1024
152 # option src_dport 80
153 # option dest_ip 194.25.2.129
154 # option dest_port 120
155 # option proto tcp