[package] firewall: refine default ICMPv6 rules to better conform with RFC4890, do...
[openwrt/svn-archive/archive.git] / package / firewall / files / firewall.config
1 config defaults
2 option syn_flood 1
3 option input ACCEPT
4 option output ACCEPT
5 option forward REJECT
6 # Uncomment this line to disable ipv6 rules
7 # option disable_ipv6 1
8
9 config zone
10 option name lan
11 option network 'lan'
12 option input ACCEPT
13 option output ACCEPT
14 option forward REJECT
15
16 config zone
17 option name wan
18 option network 'wan'
19 option input REJECT
20 option output ACCEPT
21 option forward REJECT
22 option masq 1
23 option mtu_fix 1
24
25 config forwarding
26 option src lan
27 option dest wan
28
29 # We need to accept udp packets on port 68,
30 # see https://dev.openwrt.org/ticket/4108
31 config rule
32 option src wan
33 option proto udp
34 option dest_port 68
35 option target ACCEPT
36 option family ipv4
37
38 # Allow IPv4 ping
39 config rule
40 option src wan
41 option proto icmp
42 option icmp_type echo-request
43 option family ipv4
44 option target ACCEPT
45
46 # Allow essential incoming IPv6 ICMP traffic
47 config rule
48 option src wan
49 option dest *
50 option proto icmp
51 list icmp_type echo-request
52 list icmp_type destination-unreachable
53 list icmp_type packet-too-big
54 list icmp_type time-exceeded
55 list icmp_type bad-header
56 list icmp_type unknown-header-type
57 option limit 1000/sec
58 option family ipv6
59 option target ACCEPT
60
61 # include a file with users custom iptables rules
62 config include
63 option path /etc/firewall.user
64
65
66 ### EXAMPLE CONFIG SECTIONS
67 # do not allow a specific ip to access wan
68 #config rule
69 # option src lan
70 # option src_ip 192.168.45.2
71 # option dest wan
72 # option proto tcp
73 # option target REJECT
74
75 # block a specific mac on wan
76 #config rule
77 # option dest wan
78 # option src_mac 00:11:22:33:44:66
79 # option target REJECT
80
81 # block incoming ICMP traffic on a zone
82 #config rule
83 # option src lan
84 # option proto ICMP
85 # option target DROP
86
87 # port redirect port coming in on wan to lan
88 #config redirect
89 # option src wan
90 # option src_dport 80
91 # option dest lan
92 # option dest_ip 192.168.16.235
93 # option dest_port 80
94 # option proto tcp
95
96 # port redirect of remapped ssh port (22001) on wan
97 #config redirect
98 # option src wan
99 # option src_dport 22001
100 # option dest lan
101 # option dest_port 22
102 # option proto tcp
103
104 # allow IPsec/ESP and ISAKMP passthrough
105 #config rule
106 # option src wan
107 # option dest lan
108 # option protocol esp
109 # option target ACCEPT
110
111 #config rule
112 # option src wan
113 # option dest lan
114 # option src_port 500
115 # option dest_port 500
116 # option proto udp
117 # option target ACCEPT
118
119 ### FULL CONFIG SECTIONS
120 #config rule
121 # option src lan
122 # option src_ip 192.168.45.2
123 # option src_mac 00:11:22:33:44:55
124 # option src_port 80
125 # option dest wan
126 # option dest_ip 194.25.2.129
127 # option dest_port 120
128 # option proto tcp
129 # option target REJECT
130
131 #config redirect
132 # option src lan
133 # option src_ip 192.168.45.2
134 # option src_mac 00:11:22:33:44:55
135 # option src_port 1024
136 # option src_dport 80
137 # option dest_ip 194.25.2.129
138 # option dest_port 120
139 # option proto tcp
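Review bot: The IPsec/ESP example (gutter line 108) spells its protocol option `protocol esp`, while every other rule and example on this page uses `proto`; if the firewall script reads only `proto`, uncommenting this example yields a `src wan` / `dest lan` / `target ACCEPT` rule with no protocol match at all, i.e. it would forward all wan-to-lan traffic. Change it to `# option protocol esp` → `# option proto esp` so the example is safe to copy verbatim. The refined ICMPv6 rule (gutter lines 47–59) sets `option dest *`; if that makes the rule cover forwarded traffic as well as the router's own input, a one-line comment such as `# applies to both input and forwarded IPv6 ICMP` above it would make the 1000/sec limit's scope explicit. The DHCP rule (gutter lines 31–36) accepts UDP to port 68 from any source port; `option src_port 67` would restrict it to what DHCP servers and relays send, but confirm lease renewal on the target deployments before tightening a shipped default.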