Diffstat (limited to 'data/configi/firewall')
-rw-r--r-- | data/configi/firewall | 177 |
1 files changed, 177 insertions, 0 deletions
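diff --git a/data/configi/firewall b/data/configi/firewall
new file mode 100644
index 0000000..7f6cbc3
--- /dev/null
+++ b/data/configi/firewall
@@ -0,0 +1,177 @@
+config defaults
+option syn_flood 1
+option input ACCEPT
+option output ACCEPT
+option forward REJECT
+# Uncomment this line to disable ipv6 rules
+option disable_ipv6 1
+
+config zone
+option name lan
+option network 'lan'
+option input ACCEPT
+option output ACCEPT
+option forward REJECT
+
+config zone
+option name wan
+option network 'wan'
+option input REJECT
+option output ACCEPT
+option forward REJECT
+option masq 1
+option mtu_fix 1
+
+config forwarding
+option src lan
+option dest wan
+
+# We need to accept udp packets on port 68,
+# see https://dev.openwrt.org/ticket/4108
+config rule
+option name Allow-DHCP-Renew
+option src wan
+option proto udp
+option dest_port 68
+option target ACCEPT
+option family ipv4
+
+# Allow IPv4 ping
+config rule
+option name Allow-Ping
+option src wan
+option proto icmp
+option icmp_type echo-request
+option family ipv4
+option target ACCEPT
+
+# Allow DHCPv6 replies
+# see https://dev.openwrt.org/ticket/10381
+config rule
+option name Allow-DHCPv6
+option src wan
+option proto udp
+option src_ip fe80::/10
+option src_port 547
+option dest_ip fe80::/10
+option dest_port 546
+option family ipv6
+option target ACCEPT
+
+# Allow essential incoming IPv6 ICMP traffic
+config rule
+option name Allow-ICMPv6-Input
+option src wan
+option proto icmp
+list icmp_type echo-request
+list icmp_type echo-reply
+list icmp_type destination-unreachable
+list icmp_type packet-too-big
+list icmp_type time-exceeded
+list icmp_type bad-header
+list icmp_type unknown-header-type
+list icmp_type router-solicitation
+list icmp_type neighbour-solicitation
+list icmp_type router-advertisement
+list icmp_type neighbour-advertisement
+option limit 1000/sec
+option family ipv6
+option target ACCEPT
+
+# Allow essential forwarded IPv6 ICMP traffic
+config rule
+option name Allow-ICMPv6-Forward
+option src wan
+option dest *
+option proto icmp
+list icmp_type echo-request
+list icmp_type echo-reply
+list icmp_type destination-unreachable
+list icmp_type packet-too-big
+list icmp_type time-exceeded
+list icmp_type bad-header
+list icmp_type unknown-header-type
+option limit 1000/sec
+option family ipv6
+option target ACCEPT
+
+# include a file with users custom iptables rules
+config include
+option path /etc/firewall.user
+
+
+### EXAMPLE CONFIG SECTIONS
+# do not allow a specific ip to access wan
+#config rule
+# option src lan
+# option src_ip 192.168.45.2
+# option dest wan
+# option proto tcp
+# option target REJECT
+
+# block a specific mac on wan
+#config rule
+# option dest wan
+# option src_mac 00:11:22:33:44:66
+# option target REJECT
+
+# block incoming ICMP traffic on a zone
+#config rule
+# option src lan
+# option proto ICMP
+# option target DROP
+
+# port redirect port coming in on wan to lan
+#config redirect
+# option src wan
+# option src_dport 80
+# option dest lan
+# option dest_ip 192.168.16.235
+# option dest_port 80
+# option proto tcp
+
+# port redirect of remapped ssh port (22001) on wan
+#config redirect
+# option src wan
+# option src_dport 22001
+# option dest lan
+# option dest_port 22
+# option proto tcp
+
+# allow IPsec/ESP and ISAKMP passthrough
+#config rule
+# option src wan
+# option dest lan
+# option protocol esp
+# option target ACCEPT
+
+#config rule
+# option src wan
+# option dest lan
+# option src_port 500
+# option dest_port 500
+# option proto udp
+# option target ACCEPT
+
+### FULL CONFIG SECTIONS
+#config rule
+# option src lan
+# option src_ip 192.168.45.2
+# option src_mac 00:11:22:33:44:55
+# option src_port 80
+# option dest wan
+# option dest_ip 194.25.2.129
+# option dest_port 120
+# option proto tcp
+# option target REJECT
+
+#config redirect
+# option src lan
+# option src_ip 192.168.45.2
+# option src_mac 00:11:22:33:44:55
+# option src_port 1024
+# option src_dport 80
+# option dest_ip 194.25.2.129
+# option dest_port 120
+# option proto tcp
+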
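Review bot: `option disable_ipv6 1` in the `config defaults` section is active, yet the comment directly above it says to uncomment it to disable the IPv6 rules, so the comment and the line contradict each other. Taking the comment at its word, with this option active the Allow-DHCPv6, Allow-ICMPv6-Input and Allow-ICMPv6-Forward rules added further down in the same file are dead configuration, and a reader checking the IPv6 rules will wrongly conclude that ICMPv6 and DHCPv6 are allowed in from wan. Either comment the option out, `# option disable_ipv6 1`, so those accept rules take effect, or remove the IPv6 rule sections and reword the comment so it describes the line as it is. Separately, the commented IPsec example uses `option protocol esp` where every other rule in the file uses `proto`; that looks like a typo worth correcting before someone copies the example into a live rule.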