# Global defaults for the firewall.
# NOTE(review): in fw3 these chain policies presumably apply to traffic on
# interfaces that belong to no zone at all; with 'input ACCEPT' such an
# unassigned interface is wide open. Every interface should be placed in a
# zone (the two zones below cover 'lan', 'wan' and 'wan6'). Confirm against
# the firewall package documentation before relying on this default.
config defaults
	option syn_flood 1
	option input ACCEPT
	option output ACCEPT
	option forward REJECT
	# Uncomment the next line to disable all generated IPv6 rules
	# option disable_ipv6 1
8
# Trusted side. Hosts on the 'lan' network may talk to the router and to
# each other freely; traffic towards other zones is governed by the
# 'config forwarding' entries further down, not by this stanza.
config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
15
# Untrusted side ('wan' for IPv4, 'wan6' for IPv6). Unsolicited inbound
# traffic to the router is rejected unless a 'config rule' below accepts it,
# and nothing is forwarded in unless a rule/redirect says so. Outbound is
# masqueraded (masq) and mtu_fix is enabled (MSS clamping — verify against
# the firewall package docs if the exact mechanism matters).
config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
25
# The only inter-zone forwarding enabled by default: lan -> wan.
# There is deliberately no wan -> lan counterpart; reaching a LAN host from
# the WAN requires an explicit 'config redirect' or a forward 'config rule'
# (see the examples at the bottom of this file).
config forwarding
	option src 'lan'
	option dest 'wan'
29
# The DHCP client on the WAN side must be able to receive server replies
# (UDP destination port 68) even though the wan zone rejects input by default.
# Reference: https://dev.openwrt.org/ticket/4108
# NOTE(review): the rule matches any wan source — no src_ip and no src_port
# constraint. UDP is trivially spoofable so tightening to src_port 67 would
# only be a speed bump; the exposed surface is the DHCP client listening on 68.
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'
39
# Let the router answer IPv4 echo requests arriving from the WAN.
# Unlike the ICMPv6 input rule below, this one carries no 'limit' option,
# so there is no rate limit on inbound IPv4 pings.
config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'
48
# Accept IGMP (IPv4 multicast group management) from the WAN, typically
# needed for ISP multicast services such as IPTV.
# NOTE(review): any wan source may send IGMP here — there is no src_ip
# restriction, in contrast to the MLD rule below which is pinned to fe80::/10.
config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'
55
# DHCPv6 client replies arrive on UDP destination port 546; accept them.
# Reference: https://github.com/openwrt/openwrt/issues/5066
# NOTE(review): no src_ip (link-local, fe80::/10) and no src_port (547)
# constraint, so any wan host can reach the DHCPv6 client port, not only
# the on-link server.
config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'
65
# Multicast Listener Discovery. ICMPv6 types 130/131/132/143 are the MLD
# query, report, done and MLDv2 report messages. Only link-local sources
# (fe80::/10) are accepted, which is the correct scope for MLD.
config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'
77
# ICMPv6 the router itself must receive for IPv6 to function: ping,
# error reports (unreachable, packet-too-big for path-MTU discovery,
# time-exceeded, header errors) and Neighbour Discovery (router/neighbour
# solicitation and advertisement). Rate limited to 1000/sec.
# NOTE(review): router-advertisement and neighbour-advertisement are accepted
# from any wan source rather than fe80::/10 as for MLD above. That is
# presumably needed for address configuration on wan6, but it means any
# on-link neighbour can push RAs/NAs at this router.
config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'
97
# The same error/diagnostic ICMPv6 set, but forwarded from the WAN to any
# zone ('dest *') so that LAN hosts receive path-MTU and unreachable
# feedback for their own connections. The Neighbour Discovery types present
# in the input rule are absent here: NDP is link-scoped and should not be
# forwarded. Rate limited to 1000/sec.
config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'
114
# Forward IPsec ESP (IP protocol 50) from the WAN into the LAN zone.
# NOTE(review): this is a *forward* rule with no dest_ip, so every LAN host
# is reachable for ESP from any wan source, and it is enabled by default.
# For IPv4 behind masquerade nothing presumably lands on a LAN host without
# a matching redirect, but with routed IPv6 on wan6 a LAN host's global
# address is directly exposed on this protocol.
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'
121
# Forward IKE/ISAKMP (UDP 500) from the WAN into the LAN zone. Companion to
# the ESP rule above; IKE NAT-Traversal on UDP 4500 is not covered.
# NOTE(review): as with Allow-IPSec-ESP there is no dest_ip, so any LAN host
# running an IKE daemon is reachable from the WAN on IPv6 (and on IPv4 if a
# redirect exists). No 'family' option, so the rule applies to both.
config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'
129
# Interoperability with classic UDP traceroute. It probes a fixed port
# range and relies on getting ICMP Port Unreachable back; if the wan zone
# were set to DROP instead of REJECT those probes would just time out, so
# this rule answers them with an explicit REJECT. Disabled by default
# ('enabled false'); the wan zone's REJECT policy already produces the
# unreachable, so this only matters after changing that policy to DROP.
config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled 'false'
142
# Pull in the user's hand-written iptables rules from /etc/firewall.user.
# NOTE(review): that file is presumably executed as a shell script with
# root privileges when the firewall is (re)loaded — verify, and make sure
# it is writable by root only, since whoever can edit it owns the firewall.
config include
	option path '/etc/firewall.user'
146
147
### EXAMPLE CONFIG SECTIONS
# Everything below is commented out and serves only as a template.

# Deny one specific LAN host any TCP access to the WAN
#config rule
#	option src lan
#	option src_ip 192.168.45.2
#	option dest wan
#	option proto tcp
#	option target REJECT

# Block one specific MAC address from reaching the WAN
# (no 'src' zone is given, so the match is on the MAC alone)
#config rule
#	option dest wan
#	option src_mac 00:11:22:33:44:66
#	option target REJECT

# Drop all incoming ICMP from a zone (here: from the LAN to the router)
#config rule
#	option src lan
#	option proto icmp
#	option target DROP

# DNAT: forward TCP port 80 arriving on the WAN to a specific LAN host
#config redirect
#	option src wan
#	option src_dport 80
#	option dest lan
#	option dest_ip 192.168.16.235
#	option dest_port 80
#	option proto tcp

# DNAT: expose SSH on a remapped WAN port (22001 -> 22)
# NOTE(review): no dest_ip is given here, so (per fw3 redirect semantics —
# verify) the traffic is delivered to the router's own address in the lan
# zone, i.e. this exposes the router's sshd to the Internet on port 22001.
#config redirect
#	option src wan
#	option src_dport 22001
#	option dest lan
#	option dest_port 22
#	option proto tcp

### FULL CONFIG SECTIONS
# A 'rule' with every match option filled in
#config rule
#	option src lan
#	option src_ip 192.168.45.2
#	option src_mac 00:11:22:33:44:55
#	option src_port 80
#	option dest wan
#	option dest_ip 194.25.2.129
#	option dest_port 120
#	option proto tcp
#	option target REJECT

# A 'redirect' with every match option filled in
#config redirect
#	option src lan
#	option src_ip 192.168.45.2
#	option src_mac 00:11:22:33:44:55
#	option src_port 1024
#	option src_dport 80
#	option dest_ip 194.25.2.129
#	option dest_port 120
#	option proto tcp