projects / openwrt.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
[package] firewall:
[openwrt.git] / package / firewall / files / firewall.config
1 config defaults
2 option syn_flood 1
3 option input ACCEPT
4 option output ACCEPT
5 option forward REJECT
6 # Uncomment this line to disable ipv6 rules
7 # option disable_ipv6 1
8
9 config zone
10 option name lan
11 option network 'lan'
12 option input ACCEPT
13 option output ACCEPT
14 option forward REJECT
15
16 config zone
17 option name wan
18 option network 'wan'
19 option input REJECT
20 option output ACCEPT
21 option forward REJECT
22 option masq 1
23 option mtu_fix 1
24
25 config forwarding
26 option src lan
27 option dest wan
28
29 # We need to accept udp packets on port 68,
30 # see https://dev.openwrt.org/ticket/4108
31 config rule
32 option src wan
33 option proto udp
34 option dest_port 68
35 option target ACCEPT
36 option family ipv4
37
38 # Allow IPv4 ping
39 config rule
40 option src wan
41 option proto icmp
42 option icmp_type echo-request
43 option family ipv4
44 option target ACCEPT
45
46 # Allow essential incoming IPv6 ICMP traffic
47 config rule
48 option src wan
49 option dest *
50 option proto icmp
51 list icmp_type router-solicitation
52 list icmp_type router-advertisement
53 list icmp_type neighbour-solicitation
54 list icmp_type neighbour-advertisement
55 list icmp_type echo-request
56 list icmp_type destination-unreachable
57 list icmp_type packet-too-big
58 list icmp_type time-exceeded
59 option limit 1000/sec
60 option family ipv6
61 option target ACCEPT
62
63 # Drop leaking router advertisements on WAN
64 config rule
65 option src *
66 option dest wan
67 option proto icmp
68 option icmp_type router-advertisement
69 option family ipv6
70 option target DROP
71
72 # include a file with users custom iptables rules
73 config include
74 option path /etc/firewall.user
75
76
77 ### EXAMPLE CONFIG SECTIONS
78 # do not allow a specific ip to access wan
79 #config rule
80 # option src lan
81 # option src_ip 192.168.45.2
82 # option dest wan
83 # option proto tcp
84 # option target REJECT
85
86 # block a specific mac on wan
87 #config rule
88 # option dest wan
89 # option src_mac 00:11:22:33:44:66
90 # option target REJECT
91
92 # block incoming ICMP traffic on a zone
93 #config rule
94 # option src lan
95 # option proto ICMP
96 # option target DROP
97
98 # port redirect port coming in on wan to lan
99 #config redirect
100 # option src wan
101 # option src_dport 80
102 # option dest lan
103 # option dest_ip 192.168.16.235
104 # option dest_port 80
105 # option proto tcp
106
107 # port redirect of remapped ssh port (22001) on wan
108 #config redirect
109 # option src wan
110 # option src_dport 22001
111 # option dest lan
112 # option dest_port 22
113 # option proto tcp
114
115 # allow IPsec/ESP and ISAKMP passthrough
116 #config rule
117 # option src wan
118 # option dest lan
119 # option protocol esp
120 # option target ACCEPT
121
122 #config rule
123 # option src wan
124 # option dest lan
125 # option src_port 500
126 # option dest_port 500
127 # option proto udp
128 # option target ACCEPT
129
130 ### FULL CONFIG SECTIONS
131 #config rule
132 # option src lan
133 # option src_ip 192.168.45.2
134 # option src_mac 00:11:22:33:44:55
135 # option src_port 80
136 # option dest wan
137 # option dest_ip 194.25.2.129
138 # option dest_port 120
139 # option proto tcp
140 # option target REJECT
141
142 #config redirect
143 # option src lan
144 # option src_ip 192.168.45.2
145 # option src_mac 00:11:22:33:44:55
146 # option src_port 1024
147 # option src_dport 80
148 # option dest_ip 194.25.2.129
149 # option dest_port 120
150 # option proto tcp
Personal OpenWRT clone
This page took 0.065034 seconds and 5 git commands to generate.