X-Git-Url: https://git.rohieb.name/openwrt.git/blobdiff_plain/aa954c1c5dd50c89f91ac2574482ab7c927a3c54..a79b0f5a1ccb2479c01583b70e63644c0c20547c:/package/firewall/files/firewall.config

diff --git a/package/firewall/files/firewall.config b/package/firewall/files/firewall.config
old mode 100755
new mode 100644
index 073169013..b47823fe2
--- a/package/firewall/files/firewall.config
+++ b/package/firewall/files/firewall.config
@@ -1,25 +1,66 @@
 config defaults
 	option syn_flood	1
-	option input		DROP 
+	option input		ACCEPT
 	option output		ACCEPT 
-	option forward		DROP 
+	option forward		REJECT
+# Uncomment this line to disable ipv6 rules
+#	option disable_ipv6	1
 
 config zone
 	option name		lan
-	option input	ACCEPT 
-	option output	ACCEPT 
-	option forward	DROP 
+	option network		'lan'
+	option input		ACCEPT 
+	option output		ACCEPT 
+	option forward		REJECT
 
 config zone
 	option name		wan
-	option input	DROP 
-	option output	ACCEPT 
-	option forward	DROP 
+	option network		'wan'
+	option input		REJECT
+	option output		ACCEPT 
+	option forward		REJECT
 	option masq		1 
+	option mtu_fix		1
 
 config forwarding 
-	option src      lan
-	option dest     wan
+	option src      	lan
+	option dest     	wan
+
+# We need to accept udp packets on port 68,
+# see https://dev.openwrt.org/ticket/4108
+config rule
+	option src		wan
+	option proto		udp
+	option dest_port	68
+	option target		ACCEPT
+	option family		ipv4
+
+# Allow IPv4 ping
+config rule
+	option src		wan
+	option proto		icmp
+	option icmp_type	echo-request
+	option family		ipv4
+	option target		ACCEPT
+
+# Allow essential incoming IPv6 ICMP traffic
+config rule                                   
+	option src		wan
+	option dest		*
+	option proto		icmp
+	list icmp_type		echo-request
+	list icmp_type		destination-unreachable
+	list icmp_type		packet-too-big
+	list icmp_type		time-exceeded
+	list icmp_type		bad-header
+	list icmp_type		unknown-header-type
+	option limit		1000/sec
+	option family		ipv6
+	option target		ACCEPT
+
+# include a file with users custom iptables rules
+config include
+	option path /etc/firewall.user
 
 
 ### EXAMPLE CONFIG SECTIONS
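Review bot: The `config defaults` block now sets `option input ACCEPT` (hunk line changing DROP to ACCEPT), which presumably becomes the policy of the INPUT chain itself; only traffic arriving on interfaces bound to the `lan`/`wan` zones is subject to the zone policies, so any interface that is not assigned to a zone would have its inbound traffic accepted by default. If that fall-through is intended, a comment such as `# Policy for traffic on interfaces not assigned to any zone` above the defaults would make it explicit; otherwise the previous `DROP` (or `REJECT`, matching the other defaults in this hunk) is the safer baseline since the wan zone's `option input REJECT` does not cover unzoned interfaces. Separately, the IPv6 ICMP rule's `config rule` line carries a long run of trailing spaces that should be stripped.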
@@ -50,12 +91,30 @@ config forwarding
 #	option dest			lan
 #	option dest_ip		192.168.16.235
 #	option dest_port	80 
-#	option protocol		tcp
+#	option proto		tcp
 
-# include a file with users custom iptables rules
-#config include
-#	option path /etc/firewall.user
+# port redirect of remapped ssh port (22001) on wan
+#config redirect
+#	option src		wan
+#	option src_dport	22001
+#	option dest		lan
+#	option dest_port	22
+#	option proto		tcp
 
+# allow IPsec/ESP and ISAKMP passthrough
+#config rule
+#	option src		wan
+#	option dest		lan
+#	option protocol		esp
+#	option target		ACCEPT
+
+#config rule
+#	option src		wan
+#	option dest		lan
+#	option src_port		500
+#	option dest_port	500
+#	option proto		udp
+#	option target		ACCEPT
 
 ### FULL CONFIG SECTIONS
 #config rule
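Review bot: The IPsec/ESP example rule still uses `option protocol esp`, while this same commit renames the option to `proto` in the redirect examples above it and in the ISAKMP rule directly below, so anyone uncommenting the ESP example would get a rule whose protocol option is spelled differently from every other section in the file. Change it to `#	option proto		esp` to match. The ISAKMP rule is also the only example section without a heading comment; `# allow ISAKMP (IKE) key exchange on udp/500` above it would keep the two rules readable as the pair the preceding comment describes. The `### FULL CONFIG SECTIONS` block that starts at the end of this hunk continues outside it.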