[package] firewall: add DHCPv6 default rule (#10381)
[openwrt/svn-archive/archive.git] / package / firewall / files / firewall.config
1 config defaults
2 option syn_flood 1
3 option input ACCEPT
4 option output ACCEPT
5 option forward REJECT
6 # Uncomment this line to disable ipv6 rules
7 # option disable_ipv6 1
8
9 config zone
10 option name lan
11 option network 'lan'
12 option input ACCEPT
13 option output ACCEPT
14 option forward REJECT
15
16 config zone
17 option name wan
18 option network 'wan'
19 option input REJECT
20 option output ACCEPT
21 option forward REJECT
22 option masq 1
23 option mtu_fix 1
24
25 config forwarding
26 option src lan
27 option dest wan
28
29 # We need to accept udp packets on port 68,
30 # see https://dev.openwrt.org/ticket/4108
31 config rule
32 option src wan
33 option proto udp
34 option dest_port 68
35 option target ACCEPT
36 option family ipv4
37
38 # Allow IPv4 ping
39 config rule
40 option src wan
41 option proto icmp
42 option icmp_type echo-request
43 option family ipv4
44 option target ACCEPT
45
46 # Allow DHCPv6 replies
47 # see https://dev.openwrt.org/ticket/10381
48 config rule
49 option src wan
50 option proto udp
51 option src_ip fe80::/10
52 option src_port 547
53 option dest_ip fe80::/10
54 option dest_port 546
55 option family ipv6
56 option target ACCEPT
57
58 # Allow essential incoming IPv6 ICMP traffic
59 config rule
60 option src wan
61 option proto icmp
62 list icmp_type echo-request
63 list icmp_type destination-unreachable
64 list icmp_type packet-too-big
65 list icmp_type time-exceeded
66 list icmp_type bad-header
67 list icmp_type unknown-header-type
68 list icmp_type router-solicitation
69 list icmp_type neighbour-solicitation
70 option limit 1000/sec
71 option family ipv6
72 option target ACCEPT
73
74 # Allow essential forwarded IPv6 ICMP traffic
75 config rule
76 option src wan
77 option dest *
78 option proto icmp
79 list icmp_type echo-request
80 list icmp_type destination-unreachable
81 list icmp_type packet-too-big
82 list icmp_type time-exceeded
83 list icmp_type bad-header
84 list icmp_type unknown-header-type
85 option limit 1000/sec
86 option family ipv6
87 option target ACCEPT
88
89 # include a file with users custom iptables rules
90 config include
91 option path /etc/firewall.user
92
93
94 ### EXAMPLE CONFIG SECTIONS
95 # do not allow a specific ip to access wan
96 #config rule
97 # option src lan
98 # option src_ip 192.168.45.2
99 # option dest wan
100 # option proto tcp
101 # option target REJECT
102
103 # block a specific mac on wan
104 #config rule
105 # option dest wan
106 # option src_mac 00:11:22:33:44:66
107 # option target REJECT
108
109 # block incoming ICMP traffic on a zone
110 #config rule
111 # option src lan
112 # option proto ICMP
113 # option target DROP
114
115 # port redirect port coming in on wan to lan
116 #config redirect
117 # option src wan
118 # option src_dport 80
119 # option dest lan
120 # option dest_ip 192.168.16.235
121 # option dest_port 80
122 # option proto tcp
123
124 # port redirect of remapped ssh port (22001) on wan
125 #config redirect
126 # option src wan
127 # option src_dport 22001
128 # option dest lan
129 # option dest_port 22
130 # option proto tcp
131
132 # allow IPsec/ESP and ISAKMP passthrough
133 #config rule
134 # option src wan
135 # option dest lan
136 # option protocol esp
137 # option target ACCEPT
138
139 #config rule
140 # option src wan
141 # option dest lan
142 # option src_port 500
143 # option dest_port 500
144 # option proto udp
145 # option target ACCEPT
146
147 ### FULL CONFIG SECTIONS
148 #config rule
149 # option src lan
150 # option src_ip 192.168.45.2
151 # option src_mac 00:11:22:33:44:55
152 # option src_port 80
153 # option dest wan
154 # option dest_ip 194.25.2.129
155 # option dest_port 120
156 # option proto tcp
157 # option target REJECT
158
159 #config redirect
160 # option src lan
161 # option src_ip 192.168.45.2
162 # option src_mac 00:11:22:33:44:55
163 # option src_port 1024
164 # option src_dport 80
165 # option dest_ip 194.25.2.129
166 # option dest_port 120
167 # option proto tcp
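Review bot: The new DHCPv6 rule (gutter lines 46–56) pins both src_ip and dest_ip to fe80::/10, which is the property that keeps this otherwise open udp/546 hole safe, but the comment above it only says "Allow DHCPv6 replies" and gives the ticket number, so the next editor has no hint that dropping either address match widens the rule to any host on the Internet. I would extend the comment to `# Server-to-client DHCPv6 (547 -> 546) is link-local on both ends; keep src_ip and dest_ip at fe80::/10 so only on-link hosts can reach the client port`. Whether this revision of the firewall script applies src_ip/dest_ip prefix matches under family ipv6 is not visible from this file and should be confirmed against the firewall package rather than assumed. For comparison, the DHCPv4 rule (gutter lines 31–36) matches only dest_port 68 with no src_ip or src_port, so the two bootstrap rules are not symmetric in how tightly they are scoped; a one-line comment on the IPv4 rule noting the difference would make the intent explicit.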