[PATCH] firewall: provide examples of ssh port relocation on firewall and IPsec passt...
[openwrt/svn-archive/archive.git] / package / firewall / files / firewall.config
# Global firewall defaults.
config defaults
	# SYN-flood protection switch (1 = enabled).
	option syn_flood '1'
	# Default policies per direction. The zone sections in this file set
	# their own input/output/forward policies.
	# NOTE(review): input defaults to ACCEPT here; presumably this covers
	# traffic that no zone claims. Confirm before attaching interfaces
	# that belong to neither lan nor wan.
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	# Uncomment the next line to disable IPv6 rules.
	#option disable_ipv6 '1'
8
# LAN zone: traffic to and from the router itself is accepted; forwarded
# traffic is rejected by the zone policy.
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
14
# WAN zone: the untrusted side. Inbound traffic to the router and
# forwarded traffic are rejected unless a rule or redirect further down
# makes an exception.
config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	# Masquerade (source NAT) for this zone.
	option masq '1'
	# MSS clamping for this zone.
	option mtu_fix '1'
22
# Permit forwarding from lan to wan. No section in this file permits the
# reverse direction.
config forwarding
	option src 'lan'
	option dest 'wan'
26
# Accept IPv4 UDP packets arriving from wan on port 68 (the DHCP client
# port); background in https://dev.openwrt.org/ticket/4108
config rule
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'
35
# Allow ping: accept ICMP echo-request coming from wan. Only this one
# ICMP type is opened by the rule.
config rule
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option target 'ACCEPT'
42
# Pull in a file holding the user's custom iptables rules.
# NOTE(review): whatever this file adds sits outside the zone model
# above, so review it with the same care as this config and keep it
# writable by root only.
config include
	option path '/etc/firewall.user'
46
47
### EXAMPLE CONFIG SECTIONS
# Reject traffic from one LAN address towards wan. The rule matches
# proto tcp only, so other protocols from 192.168.45.2 are not covered
# by it.
#config rule
#	option src 'lan'
#	option src_ip '192.168.45.2'
#	option dest 'wan'
#	option proto 'tcp'
#	option target 'REJECT'
56
# Block one MAC address from reaching wan.
# NOTE(review): a host can change its MAC address, so treat this as a
# convenience filter rather than an access control.
#config rule
#	option dest 'wan'
#	option src_mac '00:11:22:33:44:66'
#	option target 'REJECT'
62
# Drop ICMP traffic coming in from a zone (lan in this example).
# NOTE(review): the active ping rule in this file spells the protocol
# "icmp" in lowercase; confirm the uppercase form is accepted before
# relying on this example.
#config rule
#	option src 'lan'
#	option proto 'ICMP'
#	option target 'DROP'
68
# Port redirect: TCP port 80 arriving on wan is sent to port 80 on the
# LAN host 192.168.16.235. This makes that host's service reachable
# from everything on the wan side.
#config redirect
#	option src 'wan'
#	option src_dport '80'
#	option dest 'lan'
#	option dest_ip '192.168.16.235'
#	option dest_port '80'
#	option proto 'tcp'
77
# Port redirect for a relocated ssh port: TCP port 22001 on wan is sent
# to port 22.
# NOTE(review): no dest_ip is given; presumably the target is the router
# itself, confirm against the firewall documentation.
# NOTE(review): moving ssh to another port only cuts down scan noise.
# The service stays reachable from wan, so keep key-based
# authentication and disable password logins.
#config redirect
#	option src 'wan'
#	option src_dport '22001'
#	option dest 'lan'
#	option dest_port '22'
#	option proto 'tcp'
85
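# Allow IPsec/ESP and ISAKMP passthrough from wan to lan.
#
# First rule: ESP. The protocol match is written "proto", the option name
# every other section in this file uses. The earlier spelling "protocol"
# appears nowhere else; if the firewall does not recognise it, the rule
# would not be limited to ESP and would accept far more wan-to-lan
# traffic than intended.
# NOTE(review): neither rule sets dest_ip, so they apply to every host in
# lan. Add dest_ip for the VPN endpoint to narrow them.
#config rule
#	option src 'wan'
#	option dest 'lan'
#	option proto 'esp'
#	option target 'ACCEPT'

# Second rule: ISAKMP on UDP port 500.
# NOTE(review): src_port 500 also requires the peer to send from port
# 500. Peers behind NAT commonly use UDP 4500 (NAT traversal) instead;
# confirm what your deployment needs.
#config rule
#	option src 'wan'
#	option dest 'lan'
#	option src_port '500'
#	option dest_port '500'
#	option proto 'udp'
#	option target 'ACCEPT'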
100
### FULL CONFIG SECTIONS
# A rule section with source zone, address, MAC and port matches,
# destination zone, address and port matches, protocol and target all
# filled in.
#config rule
#	option src 'lan'
#	option src_ip '192.168.45.2'
#	option src_mac '00:11:22:33:44:55'
#	option src_port '80'
#	option dest 'wan'
#	option dest_ip '194.25.2.129'
#	option dest_port '120'
#	option proto 'tcp'
#	option target 'REJECT'
112
# A redirect section with source zone, address, MAC and port matches,
# the original destination port (src_dport), and the new destination
# address and port filled in. This example sets no dest zone.
#config redirect
#	option src 'lan'
#	option src_ip '192.168.45.2'
#	option src_mac '00:11:22:33:44:55'
#	option src_port '1024'
#	option src_dport '80'
#	option dest_ip '194.25.2.129'
#	option dest_port '120'
#	option proto 'tcp'