# Global defaults: the policy applied to traffic that is not matched by any
# zone or rule below.  NOTE(review): in fw3 an interface that belongs to no
# zone is governed by these chains, and input is ACCEPT here -- confirm every
# interface (including later-added VLANs or tunnels) is assigned to a zone,
# or unsolicited traffic arriving on it reaches the router's services.
1 config defaults
# Enable SYN-flood protection for new TCP connections.
2 option syn_flood 1
3 option input ACCEPT
4 option output ACCEPT
# Traffic between zones is rejected unless a 'forwarding' section or an
# explicit rule/redirect allows it.
5 option forward REJECT
# Uncomment the next line to disable the IPv6 rules.  NOTE(review): "disable
# ipv6 rules" presumably means fw3 emits no ip6tables rules at all, i.e. IPv6
# becomes unfiltered rather than blocked -- confirm on this release before
# using it; only do so when IPv6 is genuinely unused on wan6.
6 # Uncomment this line to disable ipv6 rules
7 # option disable_ipv6 1
8
# Trusted zone: hosts on the 'lan' network may reach the router (input), the
# router may talk to them (output), and traffic between networks inside the
# zone is forwarded.  Any host that can attach to 'lan' has this trust.
9 config zone
10 option name lan
11 list network 'lan'
12 option input ACCEPT
13 option output ACCEPT
14 option forward ACCEPT
15
# Untrusted zone covering the IPv4 ('wan') and IPv6 ('wan6') upstream
# interfaces.  Unsolicited traffic to the router is rejected and nothing is
# forwarded into other zones unless a later rule or redirect accepts it; the
# Allow-* rules below are the only holes punched into this policy.
16 config zone
17 option name wan
18 list network 'wan'
19 list network 'wan6'
# REJECT (rather than DROP) answers with ICMP errors / TCP resets, so the
# router is visibly alive to a scanner; use DROP if silent discard is wanted.
20 option input REJECT
21 option output ACCEPT
22 option forward REJECT
# Source-NAT (masquerade) traffic leaving through this zone.
23 option masq 1
# Clamp TCP MSS to the path MTU so PPPoE/tunnel links do not black-hole
# large segments.
24 option mtu_fix 1
25
# One-directional: lan may initiate connections to wan.  There is no
# wan -> lan forwarding section, so inbound connections only reach internal
# hosts through an explicit 'redirect' or rule (cf. Allow-ICMPv6-Forward).
26 config forwarding
27 option src lan
28 option dest wan
29
# Allow DHCPv4 renewals: the upstream server's unicast replies to this
# router's DHCP client port (udp/68) would otherwise be discarded by the wan
# zone's input REJECT.  See https://dev.openwrt.org/ticket/4108
# NOTE(review): this matches any source address and port on wan, not only a
# DHCP server answering from udp/67; if the upstream server is known to
# follow RFC 2131, `option src_port 67` narrows it -- confirm renewals still
# work before tightening.
32 config rule
33 option name Allow-DHCP-Renew
34 option src wan
35 option proto udp
36 option dest_port 68
37 option target ACCEPT
38 option family ipv4
39
# Allow IPv4 ping of the router from wan.  NOTE(review): unlike the ICMPv6
# rules below this rule carries no `option limit`, so echo-requests are
# accepted at any rate; add e.g. `option limit 1000/sec` for parity if that
# is wanted.
41 config rule
42 option name Allow-Ping
43 option src wan
44 option proto icmp
# Only echo-request (type 8) is matched; every other ICMP type from wan stays
# subject to the zone's input REJECT.
45 option icmp_type echo-request
46 option family ipv4
47 option target ACCEPT
48
# Allow DHCPv6 replies from the upstream server or relay.  Tightly scoped:
# both endpoints must be link-local (fe80::/10) and the packet must travel
# from the DHCPv6 server port (547) to the client port (546).
# See https://dev.openwrt.org/ticket/10381
51 config rule
52 option name Allow-DHCPv6
53 option src wan
54 option proto udp
55 option src_ip fe80::/10
56 option src_port 547
57 option dest_ip fe80::/10
58 option dest_port 546
59 option family ipv6
60 option target ACCEPT
61
# Allow the ICMPv6 types the router itself needs from wan: echo for
# reachability, the error types required for Path-MTU discovery and normal
# transport operation, and the router/neighbour discovery types without which
# SLAAC/NDP on the upstream link cannot work.  Accepting router-advertisement
# from wan is inherent to that; the limit below only bounds flooding, it does
# not authenticate the sender.
63 config rule
64 option name Allow-ICMPv6-Input
65 option src wan
66 option proto icmp
67 list icmp_type echo-request
68 list icmp_type echo-reply
69 list icmp_type destination-unreachable
70 list icmp_type packet-too-big
71 list icmp_type time-exceeded
72 list icmp_type bad-header
73 list icmp_type unknown-header-type
74 list icmp_type router-solicitation
75 list icmp_type neighbour-solicitation
76 list icmp_type router-advertisement
77 list icmp_type neighbour-advertisement
# Rate-limit matching packets to 1000 per second.
78 option limit 1000/sec
79 option family ipv6
80 option target ACCEPT
81
# ICMPv6 that may be forwarded from wan into any other zone (dest *).  Same
# echo and error types as the input rule, but deliberately without the
# router/neighbour discovery types, which are link-local and must not be
# routed.  Note that echo-request is forwarded too: globally addressed
# internal IPv6 hosts are therefore pingable from the Internet (rate-limited
# to 1000/sec).  Remove echo-request from this list if that is not wanted.
83 config rule
84 option name Allow-ICMPv6-Forward
85 option src wan
86 option dest *
87 option proto icmp
88 list icmp_type echo-request
89 list icmp_type echo-reply
90 list icmp_type destination-unreachable
91 list icmp_type packet-too-big
92 list icmp_type time-exceeded
93 list icmp_type bad-header
94 list icmp_type unknown-header-type
95 option limit 1000/sec
96 option family ipv6
97 option target ACCEPT
98
# Include the user's custom iptables rules.  NOTE(review): fw3 presumably
# executes this file as a shell script on every firewall (re)load, with the
# firewall's privileges and outside the zone/rule logic above -- keep it
# root-owned and not group/world-writable, and remember that rules added
# there are not visible in this UCI configuration.
100 config include
101 option path /etc/firewall.user
102
103
104 ### EXAMPLE CONFIG SECTIONS
105 # do not allow a specific lan ip to access wan (TCP only -- other protocols from that host are still forwarded)
106 #config rule
107 # option src lan
108 # option src_ip 192.168.45.2
109 # option dest wan
110 # option proto tcp
111 # option target REJECT
112
113 # block a specific mac on wan
114 #config rule
115 # option dest wan
116 # option src_mac 00:11:22:33:44:66
117 # option target REJECT
118
119 # block incoming ICMP traffic on a zone
120 #config rule
121 # option src lan
122 # option proto ICMP
123 # option target DROP
124
125 # port redirect: forward TCP port 80 arriving on wan to a specific lan host
126 #config redirect
127 # option src wan
128 # option src_dport 80
129 # option dest lan
130 # option dest_ip 192.168.16.235
131 # option dest_port 80
132 # option proto tcp
133
134 # port redirect of remapped ssh port (22001) on wan (no dest_ip given, so this redirects to the router's own sshd rather than to a lan host)
135 #config redirect
136 # option src wan
137 # option src_dport 22001
138 # option dest lan
139 # option dest_port 22
140 # option proto tcp
141
142 # allow IPsec/ESP and ISAKMP passthrough
143 #config rule
144 # option src wan
145 # option dest lan
146 # option proto esp
147 # option target ACCEPT
148
149 #config rule
150 # option src wan
151 # option dest lan
152 # option src_port 500
153 # option dest_port 500
154 # option proto udp
155 # option target ACCEPT
156
157 ### FULL CONFIG SECTIONS
158 #config rule
159 # option src lan
160 # option src_ip 192.168.45.2
161 # option src_mac 00:11:22:33:44:55
162 # option src_port 80
163 # option dest wan
164 # option dest_ip 194.25.2.129
165 # option dest_port 120
166 # option proto tcp
167 # option target REJECT
168
169 #config redirect
170 # option src lan
171 # option src_ip 192.168.45.2
172 # option src_mac 00:11:22:33:44:55
173 # option src_port 1024
174 # option src_dport 80
175 # option dest_ip 194.25.2.129
176 # option dest_port 120
177 # option proto tcp