# Global defaults: the policies here apply where no zone section below
# sets its own. forward is REJECT, so traffic between zones is only allowed
# by an explicit 'forwarding' section or rule.
config defaults
	option syn_flood	1
	option input		ACCEPT
	option output		ACCEPT
	option forward		REJECT
# Uncomment this line to disable ipv6 rules
# option disable_ipv6 1

# lan zone (network 'lan'): input, output and forward are all ACCEPT, so
# nothing originating in this zone is filtered by policy.
config zone
	option name		lan
	list   network		'lan'
	option input		ACCEPT
	option output		ACCEPT
	option forward		ACCEPT

# wan zone (networks 'wan' and 'wan6'): traffic to the router (input) and
# forwarded traffic are REJECTed by policy, so WAN-side access exists only
# through the explicit rules below. masq 1 enables NAT (masquerading) for
# traffic leaving through this zone; mtu_fix 1 enables TCP MSS clamping.
config zone
	option name		wan
	list   network		'wan'
	list   network		'wan6'
	option input		REJECT
	option output		ACCEPT
	option forward		REJECT
	option masq		1
	option mtu_fix		1

# Allow forwarding from lan to wan. No wan->lan forwarding section exists,
# so that direction stays governed by the wan zone's forward REJECT policy
# plus the individual rules below.
config forwarding
	option src		lan
	option dest		wan

# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
# No src_ip is set, so DHCP replies are accepted from any WAN-side source;
# family ipv4 keeps the rule out of the IPv6 ruleset.
config rule
	option name		Allow-DHCP-Renew
	option src		wan
	option proto		udp
	option dest_port	68
	option target		ACCEPT
	option family		ipv4

# Allow IPv4 ping
# NOTE(review): there is no `option limit` here, unlike Allow-ICMPv6-Input
# below (1000/sec); add one if the rate of WAN-side echo requests reaching
# the router needs capping.
config rule
	option name		Allow-Ping
	option src		wan
	option proto		icmp
	option icmp_type	echo-request
	option family		ipv4
	option target		ACCEPT

# Allow IGMP (IPv4 multicast membership queries/reports) from wan.
config rule
	option name		Allow-IGMP
	option src		wan
	option proto		igmp
	option family		ipv4
	option target		ACCEPT

# Allow DHCPv6 replies
# see https://dev.openwrt.org/ticket/10381
# Both endpoints must lie inside fc00::/6 (ULA, link-local and multicast
# ranges; global unicast 2000::/3 is excluded) and the packet must target
# the DHCPv6 client port 546.
config rule
	option name		Allow-DHCPv6
	option src		wan
	option proto		udp
	option src_ip		fc00::/6
	option dest_ip		fc00::/6
	option dest_port	546
	option family		ipv6
	option target		ACCEPT

# Allow MLD (Multicast Listener Discovery) from link-local (fe80::/10)
# sources only. ICMPv6 types: 130 = query, 131 = MLDv1 report,
# 132 = MLDv1 done, 143 = MLDv2 report.
# NOTE(review): written as proto icmp with family ipv6 — presumably mapped
# to icmpv6 by the firewall backend, as the other ipv6 rules rely on the same.
config rule
	option name		Allow-MLD
	option src		wan
	option proto		icmp
	option src_ip		fe80::/10
	list icmp_type		'130/0'
	list icmp_type		'131/0'
	list icmp_type		'132/0'
	list icmp_type		'143/0'
	option family		ipv6
	option target		ACCEPT

# Allow essential incoming IPv6 ICMP traffic
# The NDP types (router/neighbour solicitation and advertisement) are what
# make IPv6 address configuration and link-layer resolution work; the error
# types (destination-unreachable, packet-too-big, time-exceeded, bad-header,
# unknown-header-type) are needed for path MTU discovery and error reporting.
# The whole set is rate-limited to 1000 matches per second.
config rule
	option name		Allow-ICMPv6-Input
	option src		wan
	option proto		icmp
	list icmp_type		echo-request
	list icmp_type		echo-reply
	list icmp_type		destination-unreachable
	list icmp_type		packet-too-big
	list icmp_type		time-exceeded
	list icmp_type		bad-header
	list icmp_type		unknown-header-type
	list icmp_type		router-solicitation
	list icmp_type		neighbour-solicitation
	list icmp_type		router-advertisement
	list icmp_type		neighbour-advertisement
	option limit		1000/sec
	option family		ipv6
	option target		ACCEPT

# Allow essential forwarded IPv6 ICMP traffic
# dest * matches any destination zone. The NDP types accepted for input
# above are not in this set; only echo and the error/PMTUD types are
# forwarded, again rate-limited to 1000/sec.
config rule
	option name		Allow-ICMPv6-Forward
	option src		wan
	option dest		*
	option proto		icmp
	list icmp_type		echo-request
	list icmp_type		echo-reply
	list icmp_type		destination-unreachable
	list icmp_type		packet-too-big
	list icmp_type		time-exceeded
	list icmp_type		bad-header
	list icmp_type		unknown-header-type
	option limit		1000/sec
	option family		ipv6
	option target		ACCEPT

# include a file with users custom iptables rules
# NOTE(review): the rules in that file are plain iptables rules rather than
# zone/policy sections like the ones above, so review it with the same care
# as this file — anything added there widens what this config expresses.
config include
	option path		/etc/firewall.user


### EXAMPLE CONFIG SECTIONS
# do not allow a specific ip to access wan
#config rule
#	option src		lan
#	option src_ip		192.168.45.2
#	option dest		wan
#	option proto		tcp
#	option target		REJECT

# block a specific mac on wan
#config rule
#	option dest		wan
#	option src_mac		00:11:22:33:44:66
#	option target		REJECT

# block incoming ICMP traffic on a zone
# NOTE(review): the live sections above spell the protocol in lower case
# (proto icmp); confirm upper-case ICMP is accepted before copying this.
#config rule
#	option src		lan
#	option proto		ICMP
#	option target		DROP

# redirect a port coming in on wan to a host on lan
#config redirect
#	option src		wan
#	option src_dport	80
#	option dest		lan
#	option dest_ip		192.168.16.235
#	option dest_port	80
#	option proto		tcp

# port redirect of remapped ssh port (22001) on wan
# (no dest_ip: the destination host comes from the dest zone's defaults)
#config redirect
#	option src		wan
#	option src_dport	22001
#	option dest		lan
#	option dest_port	22
#	option proto		tcp

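# allow IPsec/ESP and ISAKMP passthrough
# NOTE: unlike the commented-out examples around it, this section is live:
# ESP is forwarded from wan to every lan host (no dest_ip restriction).
# Comment it out, or add dest_ip, if no IPsec endpoint lives on lan.
# A name is given so the rule is identifiable in chains/logs like the
# other live rules in this file.
config rule
	option name		Allow-IPSec-ESP
	option src		wan
	option dest		lan
	option proto		esp
	option target		ACCEPT
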
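# Live rule (not an example): IKE/ISAKMP (udp/500) is forwarded from wan to
# every lan host (no dest_ip restriction). NAT-T (udp/4500) is not opened
# here. Comment out, or add dest_ip, if no IPsec endpoint lives on lan.
# A name is given so the rule is identifiable in chains/logs like the
# other live rules in this file.
config rule
	option name		Allow-ISAKMP
	option src		wan
	option dest		lan
	option dest_port	500
	option proto		udp
	option target		ACCEPT
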
### FULL CONFIG SECTIONS
# every matching option a rule section can carry, for reference
#config rule
#	option src		lan
#	option src_ip		192.168.45.2
#	option src_mac		00:11:22:33:44:55
#	option src_port		80
#	option dest		wan
#	option dest_ip		194.25.2.129
#	option dest_port	120
#	option proto		tcp
#	option target		REJECT

# every matching option a redirect section can carry, for reference
#config redirect
#	option src		lan
#	option src_ip		192.168.45.2
#	option src_mac		00:11:22:33:44:55
#	option src_port		1024
#	option src_dport	80
#	option dest_ip		194.25.2.129
#	option dest_port	120
#	option proto		tcp