[package] firewall: explictely mention network in default configuration, makes it...
# Global firewall defaults; the zone sections further down set their own policies.
config defaults
	# SYN-flood protection enabled.
	option syn_flood 1
	# NOTE(review): input ACCEPT presumably lets traffic that arrives on an
	# interface outside every zone reach the router's own services. Confirm, and
	# prefer REJECT if such interfaces can exist on the device.
	option input ACCEPT
	option output ACCEPT
	# Routed traffic is refused unless a zone or forwarding section permits it.
	option forward REJECT
	# Uncomment the option below to disable the IPv6 rules.
	# NOTE(review): check whether that leaves IPv6 traffic unfiltered rather than
	# blocked before using it on a host that has IPv6 connectivity.
	# option disable_ipv6 1

# LAN zone: trusted side. The zone is bound explicitly to the 'lan' network.
config zone
	option name lan
	option network 'lan'
	# LAN hosts may reach services running on the router itself.
	option input ACCEPT
	option output ACCEPT
	# Forwarding out of this zone is refused by default; the lan -> wan
	# forwarding section is what opens the path to the internet.
	option forward REJECT

# WAN zone: untrusted side. The zone is bound explicitly to the 'wan' network.
config zone
	option name wan
	option network 'wan'
	# Unsolicited traffic addressed to the router is rejected; only the explicit
	# rule sections in this file open exceptions.
	option input REJECT
	option output ACCEPT
	option forward REJECT
	# Masquerade (source NAT) traffic leaving through this zone.
	option masq 1
	# Clamp TCP MSS for traffic leaving through this zone.
	option mtu_fix 1

# Allow LAN hosts to reach WAN. There is no wan -> lan forwarding section, so
# inbound connections need an explicit rule or redirect.
config forwarding
	option src lan
	option dest wan

# UDP packets to port 68 (the DHCP client port) must be accepted on wan,
# see https://dev.openwrt.org/ticket/4108
# The match is on destination port only, so any wan host can reach UDP/68 on
# the router. IPv4 only.
config rule
	option src wan
	option proto udp
	option dest_port 68
	option target ACCEPT
	option family ipv4

# Allow ping: the router answers ICMP echo requests arriving from wan.
# Unlike the DHCP rule, no `family` is set here.
# NOTE(review): this makes the router discoverable by ping from the internet;
# remove the section if that is not wanted.
config rule
	option src wan
	option proto icmp
	option icmp_type echo-request
	option target ACCEPT

# Pull in a file holding the user's custom iptables rules.
# NOTE(review): rules loaded from this file sit outside the zone model above and
# are presumably applied with root privileges; keep the file root-owned and not
# writable by other users.
config include
	option path /etc/firewall.user


### EXAMPLE CONFIG SECTIONS
# Every section below is commented out; strip the leading '#' to enable one.

# Deny one LAN host, matched by source IP, TCP access to wan.
#config rule
#	option src lan
#	option src_ip 192.168.45.2
#	option dest wan
#	option proto tcp
#	option target REJECT

# Block traffic from one MAC address towards wan.
# MAC addresses can be changed by the client, so treat this as a convenience
# filter, not as an access control.
#config rule
#	option dest wan
#	option src_mac 00:11:22:33:44:66
#	option target REJECT

# Silently drop ICMP traffic coming in from a zone (lan here).
#config rule
#	option src lan
#	option proto ICMP
#	option target DROP

# Redirect TCP port 80 arriving on wan to port 80 of a host on lan.
# This exposes the internal host to the internet; make sure the service behind
# it is meant to be public.
#config redirect
#	option src wan
#	option src_dport 80
#	option dest lan
#	option dest_ip 192.168.16.235
#	option dest_port 80
#	option proto tcp

# Redirect a remapped SSH port: 22001 on wan is delivered to port 22.
# A non-standard port only reduces noise; the SSH service still needs strong
# authentication.
#config redirect
#	option src wan
#	option src_dport 22001
#	option dest lan
#	option dest_port 22
#	option proto tcp

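# Allow IPsec/ESP and ISAKMP passthrough from wan to lan.
# Two rules are needed: one for the ESP protocol, one for ISAKMP on UDP port 500.
# The protocol option is spelled `proto`, as in every other rule in this file.
# An unrecognised option name would presumably be ignored, which would leave a
# rule that accepts all wan -> lan traffic.
#config rule
#	option src wan
#	option dest lan
#	option proto esp
#	option target ACCEPT

# ISAKMP: UDP with source and destination port 500.
#config rule
#	option src wan
#	option dest lan
#	option src_port 500
#	option dest_port 500
#	option proto udp
#	option target ACCEPT
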
### FULL CONFIG SECTIONS
# Reference templates that show the match options of a rule and of a redirect
# together. Both are commented out; the addresses and ports are sample values.

# Rule: all listed matches must apply before the target is taken.
#config rule
#	option src lan
#	option src_ip 192.168.45.2
#	option src_mac 00:11:22:33:44:55
#	option src_port 80
#	option dest wan
#	option dest_ip 194.25.2.129
#	option dest_port 120
#	option proto tcp
#	option target REJECT

# Redirect: src_dport is the port the packet arrives on, dest_ip/dest_port is
# where it is delivered.
#config redirect
#	option src lan
#	option src_ip 192.168.45.2
#	option src_mac 00:11:22:33:44:55
#	option src_port 1024
#	option src_dport 80
#	option dest_ip 194.25.2.129
#	option dest_port 120
#	option proto tcp