X-Git-Url: https://git.rohieb.name/openwrt.git/blobdiff_plain/cf06be139539bebb2ebbfd955ba582186f88746a..a79b0f5a1ccb2479c01583b70e63644c0c20547c:/package/firewall/files/firewall.config

diff --git a/package/firewall/files/firewall.config b/package/firewall/files/firewall.config
index 7904cedb8..b47823fe2 100644
--- a/package/firewall/files/firewall.config
+++ b/package/firewall/files/firewall.config
@@ -8,21 +8,23 @@ config defaults
 
 config zone
 	option name		lan
-	option input	ACCEPT 
-	option output	ACCEPT 
-	option forward	REJECT
+	option network		'lan'
+	option input		ACCEPT 
+	option output		ACCEPT 
+	option forward		REJECT
 
 config zone
 	option name		wan
-	option input	REJECT
-	option output	ACCEPT 
-	option forward	REJECT
+	option network		'wan'
+	option input		REJECT
+	option output		ACCEPT 
+	option forward		REJECT
 	option masq		1 
-	option mtu_fix	1
+	option mtu_fix		1
 
 config forwarding 
-	option src      lan
-	option dest     wan
+	option src      	lan
+	option dest     	wan
 
 # We need to accept udp packets on port 68,
 # see https://dev.openwrt.org/ticket/4108
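Review bot: The new `option network 'lan'` and `option network 'wan'` lines are the only quoted values in these zone sections, while the adjacent `option name lan` / `option name wan` and every other value in the file are bare; either form is accepted by UCI, so pick one and apply it to both zones (`option network lan`) for consistency. The re-indented `ACCEPT ` lines carry the original trailing space into the new side, which UCI ignores but which reads as an artefact of the re-tabbing; trimming it while touching these lines is cheap. The `config defaults` section named in the hunk header starts above this hunk and is not visible here.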
@@ -31,14 +33,30 @@ config rule
 	option proto		udp
 	option dest_port	68
 	option target		ACCEPT
-	option family	ipv4
+	option family		ipv4
 
-#Allow ping
+# Allow IPv4 ping
 config rule
-	option src wan
-	option proto icmp
-	option icmp_type echo-request
-	option target ACCEPT
+	option src		wan
+	option proto		icmp
+	option icmp_type	echo-request
+	option family		ipv4
+	option target		ACCEPT
+
+# Allow essential incoming IPv6 ICMP traffic
+config rule                                   
+	option src		wan
+	option dest		*
+	option proto		icmp
+	list icmp_type		echo-request
+	list icmp_type		destination-unreachable
+	list icmp_type		packet-too-big
+	list icmp_type		time-exceeded
+	list icmp_type		bad-header
+	list icmp_type		unknown-header-type
+	option limit		1000/sec
+	option family		ipv6
+	option target		ACCEPT
 
 # include a file with users custom iptables rules
 config include
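Review bot: The new ICMPv6 rule sets `option dest *`, yet its heading calls it "essential incoming IPv6 ICMP traffic"; if, as in later OpenWrt firewall versions, a `dest` option places a rule in the forwarding chain, this rule admits ICMPv6 transiting the router but not ICMPv6 addressed to the router itself, so the WAN interface's own IPv6 setup (router and neighbour discovery) would still be rejected by the zone's `input REJECT`. Confirm how this firewall version treats `dest *`; if the intent is router input, a second rule without `dest` (and, if warranted, with the discovery types) is needed. The IPv4 ping rule above it gains `option family ipv4` but no `option limit`, whereas the IPv6 rule is capped at `1000/sec`; adding `option limit 1000/sec` to the IPv4 rule keeps the two consistent. The `config rule` line opening the IPv6 section carries a long run of trailing spaces that should be trimmed.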
@@ -75,6 +93,28 @@ config include
 #	option dest_port	80 
 #	option proto		tcp
 
+# port redirect of remapped ssh port (22001) on wan
+#config redirect
+#	option src		wan
+#	option src_dport	22001
+#	option dest		lan
+#	option dest_port	22
+#	option proto		tcp
+
+# allow IPsec/ESP and ISAKMP passthrough
+#config rule
+#	option src		wan
+#	option dest		lan
+#	option protocol		esp
+#	option target		ACCEPT
+
+#config rule
+#	option src		wan
+#	option dest		lan
+#	option src_port		500
+#	option dest_port	500
+#	option proto		udp
+#	option target		ACCEPT
 
 ### FULL CONFIG SECTIONS
 #config rule
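Review bot: The commented ESP example uses `option protocol esp`, while every other rule in this file (the DHCP rule, the commented http rule, and the ISAKMP example right below) spells the key `proto`; a user who uncomments it as written would have the line silently ignored and the rule would match the firewall's default protocol set rather than ESP, accepting more than intended from wan. Change it to `#	option proto		esp`. These sections are commented out, so the change has no effect until enabled; the following `### FULL CONFIG SECTIONS` example continues past the end of this hunk.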