[package] firewall: don't apply default udp/68 rule to ip6tables
[openwrt/svn-archive/archive.git] / package / firewall / files / firewall.config
# Global firewall defaults. The zone sections below set their own
# input/output/forward policies.
# NOTE(review): input is ACCEPT here while the wan zone uses REJECT; confirm
# that every untrusted interface is actually assigned to a zone.
1 config defaults
# syn_flood 1 turns on SYN-flood protection
2 option syn_flood 1
3 option input ACCEPT
4 option output ACCEPT
5 option forward REJECT
6 # Uncomment this line to disable ipv6 rules
# NOTE(review): presumably this only stops ip6tables rules from being
# generated; if IPv6 stays enabled on the interfaces, that traffic would then
# be unfiltered. Confirm before uncommenting.
7 # option disable_ipv6 1
8
# lan zone: input to and output from the router are accepted; the zone's
# forward policy is REJECT.
9 config zone
10 option name lan
11 option input ACCEPT
12 option output ACCEPT
13 option forward REJECT
14
# wan zone: input to the router is rejected unless a rule further down accepts
# it; the zone's forward policy is REJECT as well.
15 config zone
16 option name wan
17 option input REJECT
18 option output ACCEPT
19 option forward REJECT
# masq 1 enables masquerading (NAT) on this zone
20 option masq 1
# mtu_fix 1 enables MSS clamping on this zone
21 option mtu_fix 1
22
# Allow forwarding from lan to wan. No forwarding section for the wan -> lan
# direction appears in this file.
23 config forwarding
24 option src lan
25 option dest wan
26
27 # Accept UDP packets to port 68 (the DHCP client port) arriving on wan,
28 # see https://dev.openwrt.org/ticket/4108
# NOTE(review): any source address and source port on wan matches this rule;
# `option src_port 67` would narrow it to packets sent from the DHCP server
# port. Confirm against the ticket before tightening.
29 config rule
30 option src wan
31 option proto udp
32 option dest_port 68
33 option target ACCEPT
# family ipv4 limits this rule to the IPv4 (iptables) ruleset
34 option family ipv4
35
36 # Allow ping: accept ICMP echo-request arriving on wan
# NOTE(review): this makes the router answer pings from wan; remove the rule
# if that is not wanted. Unlike the udp/68 rule, there is no `option family`
# here. Confirm what the ip6tables side does with proto icmp.
37 config rule
38 option src wan
39 option proto icmp
40 option icmp_type echo-request
41 option target ACCEPT
42
43 # include a file with the user's custom iptables rules
# NOTE(review): presumably run as a shell script by the firewall, with the
# firewall's privileges; keep the file root-owned and not writable by other
# users. Confirm how this version loads it.
44 config include
45 option path /etc/firewall.user
46
47
48 ### EXAMPLE CONFIG SECTIONS
49 # do not allow a specific ip to access wan
50 #config rule
51 # option src lan
52 # option src_ip 192.168.45.2
53 # option dest wan
54 # option proto tcp
55 # option target REJECT
56
57 # block traffic from a specific MAC address to wan
58 #config rule
59 # option dest wan
60 # option src_mac 00:11:22:33:44:66
61 # option target REJECT
62
63 # block incoming ICMP traffic on a zone
64 #config rule
65 # option src lan
66 # option proto ICMP
67 # option target DROP
68
69 # redirect a port coming in on wan to a host on lan (this exposes that port to all of wan)
70 #config redirect
71 # option src wan
72 # option src_dport 80
73 # option dest lan
74 # option dest_ip 192.168.16.235
75 # option dest_port 80
76 # option proto tcp
77
78
79 ### FULL CONFIG SECTIONS
80 #config rule
81 # option src lan
82 # option src_ip 192.168.45.2
83 # option src_mac 00:11:22:33:44:55
84 # option src_port 80
85 # option dest wan
86 # option dest_ip 194.25.2.129
87 # option dest_port 120
88 # option proto tcp
89 # option target REJECT
90
91 #config redirect
92 # option src lan
93 # option src_ip 192.168.45.2
94 # option src_mac 00:11:22:33:44:55
95 # option src_port 1024
96 # option src_dport 80
97 # option dest_ip 194.25.2.129
98 # option dest_port 120
99 # option proto tcp