firewall: Allow IGMP and MLD input on WAN
[openwrt/staging/chunkeey.git] / package / network / config / firewall / files / firewall.config
index 6acfe1e..1a20e39 100644 (file)
@@ -8,14 +8,15 @@ config defaults
 
 config zone
        option name             lan
-       option network          'lan'
+       list   network          'lan'
        option input            ACCEPT
        option output           ACCEPT
-       option forward          REJECT
+       option forward          ACCEPT
 
 config zone
        option name             wan
-       option network          'wan'
+       list   network          'wan'
+       list   network          'wan6'
        option input            REJECT
        option output           ACCEPT
        option forward          REJECT
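Review bot: The lan zone's `option forward` changes from REJECT to ACCEPT in this hunk, a default-policy change that the commit title ("Allow IGMP and MLD input on WAN") does not cover. With `network` now a list the lan zone can hold several networks, and as far as I understand fw3 the zone-level forward policy governs traffic between networks of the same zone, so this loosens the shipped default. The last hunk likewise drops the Enforce-ULA-Border-Src and Enforce-ULA-Border-Dest rules with no rationale visible on this page. I would split both changes into their own commits or justify them in the message. If the lan change stays, add a comment above it such as `# forwarding between networks inside the lan zone is allowed by default`.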
@@ -45,6 +46,13 @@ config rule
        option family           ipv4
        option target           ACCEPT
 
+config rule
+       option name             Allow-IGMP
+       option src              wan
+       option proto            igmp
+       option family           ipv4
+       option target           ACCEPT
+
 # Allow DHCPv6 replies
 # see https://dev.openwrt.org/ticket/10381
 config rule
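Review bot: The new Allow-IGMP rule accepts every IGMP packet arriving on wan from any source, and unlike the DHCPv6 rule below it has no comment saying why the router needs this input. I would add a line above it such as `# Allow IGMP on WAN so upstream multicast membership queries reach the router`. The same applies to the Allow-MLD rule in the next hunk. Since this opens an unauthenticated protocol on the untrusted side, consider also bounding it with fw3's `option limit` (the value is a judgment call and should match whatever the neighbouring ICMP input rules use, which this page does not show).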
@@ -58,6 +66,18 @@ config rule
        option family           ipv6
        option target           ACCEPT
 
+config rule
+       option name             Allow-MLD
+       option src              wan
+       option proto            icmp
+       option src_ip           fe80::/10
+       list icmp_type          '130/0'
+       list icmp_type          '131/0'
+       list icmp_type          '132/0'
+       list icmp_type          '143/0'
+       option family           ipv6
+       option target           ACCEPT
+
 # Allow essential incoming IPv6 ICMP traffic
 config rule
        option name             Allow-ICMPv6-Input
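Review bot: The four numeric `icmp_type` entries in Allow-MLD are opaque to anyone reading the config, so a comment should name them, for example `# MLD: 130 query, 131 report (v1), 132 done, 143 report (v2)`. Restricting `src_ip` to fe80::/10 is the right call, since MLD is link-local. If the router only acts as a multicast listener on wan (an assumption, as the consumer of these packets is not visible here), it presumably needs only the query (130) and possibly v1 reports (131) as input. In that case types 132 and 143, which are addressed to multicast routers, could be dropped to keep the WAN input surface minimal.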
@@ -95,25 +115,6 @@ config rule
        option family           ipv6
        option target           ACCEPT
 
-# Block ULA-traffic from leaking out
-config rule
-       option name             Enforce-ULA-Border-Src
-       option src              *
-       option dest             wan
-       option proto            all
-       option src_ip           fc00::/7
-       option family           ipv6
-       option target           REJECT
-
-config rule
-       option name             Enforce-ULA-Border-Dest
-       option src              *
-       option dest             wan
-       option proto            all
-       option dest_ip          fc00::/7
-       option family           ipv6
-       option target           REJECT
-
 # include a file with users custom iptables rules
 config include
        option path /etc/firewall.user