50a92f71efb1020155e8445153eca413e4e1eeef
[openwrt/svn-archive/archive.git] / package / firewall / files / firewall.config
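# Default OpenWrt firewall configuration: global policies, the lan and wan
# zones, lan -> wan forwarding, a DHCP exception on wan and the hook for
# user-supplied iptables rules.

# Fallback policies; syn_flood 1 turns on SYN flood protection.
# NOTE(review): presumably these policies cover traffic that belongs to no
# zone below. With input ACCEPT, an interface left out of every zone would
# still reach services on the router itself - confirm, and prefer REJECT once
# every interface is assigned to a zone.
config defaults
	option syn_flood 1
	option input ACCEPT
	option output ACCEPT
	option forward REJECT

# lan: the router accepts traffic from lan hosts; forwarding stays REJECT and
# is opened towards wan only by the forwarding section below.
config zone
	option name lan
	option input ACCEPT
	option output ACCEPT
	option forward REJECT

# wan: untrusted side. Inbound traffic to the router and forwarding are
# rejected. masq 1 enables masquerading (NAT) for traffic leaving through wan,
# mtu_fix 1 enables MSS clamping.
config zone
	option name wan
	option input REJECT
	option output ACCEPT
	option forward REJECT
	option masq 1
	option mtu_fix 1

# Allow lan -> wan. There is no wan -> lan forwarding section, so new
# connections from wan reach lan hosts only through an explicit rule or
# redirect.
config forwarding
	option src lan
	option dest wan

# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
# UDP 68 is the DHCP client port; without this rule the input REJECT of the
# wan zone would also reject replies to the router's own DHCP client.
# The rule matches any source address and any source port.
config rule
	option src wan
	option proto udp
	option dest_port 68
	option target ACCEPT

# include a file with the user's custom iptables rules
# Whatever is in that file is applied alongside the rules generated from this
# config, so keep it writable by root only and review it with the same care.
config include
	option path /etc/firewall.user


### EXAMPLE CONFIG SECTIONS
# do not allow a specific IP to access wan
#config rule
#	option src lan
#	option src_ip 192.168.45.2
#	option dest wan
#	option proto tcp
#	option target REJECT

# block a specific MAC address on wan
#config rule
#	option dest wan
#	option src_mac 00:11:22:33:44:66
#	option target REJECT

# block incoming ICMP traffic on a zone
#config rule
#	option src lan
#	option proto ICMP
#	option target DROP

# redirect a port coming in on wan to a host on lan
# (this exposes port 80 of the lan host to everything on wan; add src_ip to
# limit who can reach it)
#config redirect
#	option src wan
#	option src_dport 80
#	option dest lan
#	option dest_ip 192.168.16.235
#	option dest_port 80
#	option proto tcp


### FULL CONFIG SECTIONS
#config rule
#	option src lan
#	option src_ip 192.168.45.2
#	option src_mac 00:11:22:33:44:55
#	option src_port 80
#	option dest wan
#	option dest_ip 194.25.2.129
#	option dest_port 120
#	option proto tcp
#	option target REJECT

#config redirect
#	option src lan
#	option src_ip 192.168.45.2
#	option src_mac 00:11:22:33:44:55
#	option src_port 1024
#	option src_dport 80
#	option dest_ip 194.25.2.129
#	option dest_port 120
#	option proto tcp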