Initial commit
[project/firewall4.git] / root / etc / config / firewall
1 config defaults
2 option syn_flood 1
3 option input ACCEPT
4 option output ACCEPT
5 option forward REJECT
6 # Uncomment this line to disable ipv6 rules
7 # option disable_ipv6 1
8
9 config zone
10 option name lan
11 list network 'lan'
12 option input ACCEPT
13 option output ACCEPT
14 option forward ACCEPT
15
16 config zone
17 option name wan
18 list network 'wan'
19 list network 'wan6'
20 option input REJECT
21 option output ACCEPT
22 option forward REJECT
23 option masq 1
24 option mtu_fix 1
25
26 config forwarding
27 option src lan
28 option dest wan
29
30 # We need to accept udp packets on port 68,
31 # see https://dev.openwrt.org/ticket/4108
32 config rule
33 option name Allow-DHCP-Renew
34 option src wan
35 option proto udp
36 option dest_port 68
37 option target ACCEPT
38 option family ipv4
39
40 # Allow IPv4 ping
41 config rule
42 option name Allow-Ping
43 option src wan
44 option proto icmp
45 option icmp_type echo-request
46 option family ipv4
47 option target ACCEPT
48
49 config rule
50 option name Allow-IGMP
51 option src wan
52 option proto igmp
53 option family ipv4
54 option target ACCEPT
55
56 # Allow DHCPv6 replies
57 # see https://dev.openwrt.org/ticket/10381
58 config rule
59 option name Allow-DHCPv6
60 option src wan
61 option proto udp
62 option src_ip fc00::/6
63 option dest_ip fc00::/6
64 option dest_port 546
65 option family ipv6
66 option target ACCEPT
67
68 config rule
69 option name Allow-MLD
70 option src wan
71 option proto icmp
72 option src_ip fe80::/10
73 list icmp_type '130/0'
74 list icmp_type '131/0'
75 list icmp_type '132/0'
76 list icmp_type '143/0'
77 option family ipv6
78 option target ACCEPT
79
80 # Allow essential incoming IPv6 ICMP traffic
81 config rule
82 option name Allow-ICMPv6-Input
83 option src wan
84 option proto icmp
85 list icmp_type echo-request
86 list icmp_type echo-reply
87 list icmp_type destination-unreachable
88 list icmp_type packet-too-big
89 list icmp_type time-exceeded
90 list icmp_type bad-header
91 list icmp_type unknown-header-type
92 list icmp_type router-solicitation
93 list icmp_type neighbour-solicitation
94 list icmp_type router-advertisement
95 list icmp_type neighbour-advertisement
96 option limit 1000/sec
97 option family ipv6
98 option target ACCEPT
99
100 # Allow essential forwarded IPv6 ICMP traffic
101 config rule
102 option name Allow-ICMPv6-Forward
103 option src wan
104 option dest *
105 option proto icmp
106 list icmp_type echo-request
107 list icmp_type echo-reply
108 list icmp_type destination-unreachable
109 list icmp_type packet-too-big
110 list icmp_type time-exceeded
111 list icmp_type bad-header
112 list icmp_type unknown-header-type
113 option limit 1000/sec
114 option family ipv6
115 option target ACCEPT
116
117 config rule
118 option name Allow-IPSec-ESP
119 option src wan
120 option dest lan
121 option proto esp
122 option target ACCEPT
123
124 config rule
125 option name Allow-ISAKMP
126 option src wan
127 option dest lan
128 option dest_port 500
129 option proto udp
130 option target ACCEPT
131
132
133 ### EXAMPLE CONFIG SECTIONS
134 # do not allow a specific ip to access wan
135 #config rule
136 # option src lan
137 # option src_ip 192.168.45.2
138 # option dest wan
139 # option proto tcp
140 # option target REJECT
141
142 # block a specific mac on wan
143 #config rule
144 # option dest wan
145 # option src_mac 00:11:22:33:44:66
146 # option target REJECT
147
148 # block incoming ICMP traffic on a zone
149 #config rule
150 # option src lan
151 # option proto ICMP
152 # option target DROP
153
154 # port redirect port coming in on wan to lan
155 #config redirect
156 # option src wan
157 # option src_dport 80
158 # option dest lan
159 # option dest_ip 192.168.16.235
160 # option dest_port 80
161 # option proto tcp
162
163 # port redirect of remapped ssh port (22001) on wan
164 #config redirect
165 # option src wan
166 # option src_dport 22001
167 # option dest lan
168 # option dest_port 22
169 # option proto tcp
170
171 ### FULL CONFIG SECTIONS
172 #config rule
173 # option src lan
174 # option src_ip 192.168.45.2
175 # option src_mac 00:11:22:33:44:55
176 # option src_port 80
177 # option dest wan
178 # option dest_ip 194.25.2.129
179 # option dest_port 120
180 # option proto tcp
181 # option target REJECT
182
183 #config redirect
184 # option src lan
185 # option src_ip 192.168.45.2
186 # option src_mac 00:11:22:33:44:55
187 # option src_port 1024
188 # option src_dport 80
189 # option dest_ip 194.25.2.129
190 # option dest_port 120
191 # option proto tcp
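Review bot: The Allow-IPSec-ESP and Allow-ISAKMP rules at file lines 117-130 accept ESP and UDP/500 from wan into the whole lan zone with no dest_ip and no family restriction, yet unlike the DHCP, ping and ICMPv6 rules above them they carry no comment explaining the intent. Because these are forward rules with no family set, they also apply to IPv6, where lan hosts commonly hold globally routable addresses, so every lan host becomes reachable on ESP and UDP/500 from any wan peer by default. I would add above the first of them: `# Allow IPsec (ESP and IKE/ISAKMP on UDP 500) to be forwarded from wan to lan hosts; applies to both families, restrict with dest_ip if only one peer should be reachable`. The Allow-IGMP and Allow-MLD rules at file lines 49-54 and 68-78 would benefit from a similar one-line purpose comment, matching the style used for the other rules.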