scripts/download.pl: fix sourceforge url
diff --git
a/package/firewall/files/firewall.config
b/package/firewall/files/firewall.config
index
c7bc798
..
77832ff
100644
(file)
--- a/
package/firewall/files/firewall.config
+++ b/
package/firewall/files/firewall.config
@@
-29,6
+29,7
@@
config forwarding
# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
+ option name Allow-DHCP-Renew
option src wan
option proto udp
option dest_port 68
option src wan
option proto udp
option dest_port 68
@@
-37,37
+38,58
@@
config rule
# Allow IPv4 ping
config rule
# Allow IPv4 ping
config rule
+ option name Allow-Ping
option src wan
option proto icmp
option icmp_type echo-request
option family ipv4
option target ACCEPT
option src wan
option proto icmp
option icmp_type echo-request
option family ipv4
option target ACCEPT
+# Allow DHCPv6 replies
+# see https://dev.openwrt.org/ticket/10381
+config rule
+ option name Allow-DHCPv6
+ option src wan
+ option proto udp
+ option src_ip fe80::/10
+ option src_port 547
+ option dest_ip fe80::/10
+ option dest_port 546
+ option family ipv6
+ option target ACCEPT
+
# Allow essential incoming IPv6 ICMP traffic
# Allow essential incoming IPv6 ICMP traffic
-config rule
+config rule
+ option name Allow-ICMPv6-Input
option src wan
option src wan
- option dest *
- option proto icmp
- list icmp_type router-solicitation
- list icmp_type router-advertisement
- list icmp_type neighbour-solicitation
- list icmp_type neighbour-advertisement
+ option proto icmp
list icmp_type echo-request
list icmp_type destination-unreachable
list icmp_type packet-too-big
list icmp_type time-exceeded
list icmp_type echo-request
list icmp_type destination-unreachable
list icmp_type packet-too-big
list icmp_type time-exceeded
+ list icmp_type bad-header
+ list icmp_type unknown-header-type
+ list icmp_type router-solicitation
+ list icmp_type neighbour-solicitation
option limit 1000/sec
option family ipv6
option target ACCEPT
option limit 1000/sec
option family ipv6
option target ACCEPT
-# Drop leaking router advertisements on WAN
-config rule
- option src *
- option dest wan
+# Allow essential forwarded IPv6 ICMP traffic
+config rule
+ option name Allow-ICMPv6-Forward
+ option src wan
+ option dest *
option proto icmp
option proto icmp
- option icmp_type router-advertisement
+ list icmp_type echo-request
+ list icmp_type destination-unreachable
+ list icmp_type packet-too-big
+ list icmp_type time-exceeded
+ list icmp_type bad-header
+ list icmp_type unknown-header-type
+ option limit 1000/sec
option family ipv6
option family ipv6
- option target
DROP
+ option target
ACCEPT
# include a file with users custom iptables rules
config include
# include a file with users custom iptables rules
config include
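Review bot: In the Allow-ICMPv6-Input rule, `router-advertisement` and `neighbour-advertisement` are dropped from the accepted types and only the two solicitation types are added back, so replies to the router's own solicitations on wan are no longer explicitly allowed. Whether that breaks neighbour discovery or RA-based address and default-route setup depends on the wan zone's input policy, which is defined outside this hunk; if it is REJECT or DROP, I would keep `list icmp_type neighbour-advertisement` and `list icmp_type router-advertisement` in the input rule. Leaving them out of Allow-ICMPv6-Forward is right, since neighbour discovery is link-local and never forwarded. The commit also deletes the "Drop leaking router advertisements on WAN" rule without a replacement, so a one-line comment saying why that drop is no longer needed would help the next reader.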