summaryrefslogtreecommitdiffstats
path: root/data/configi/firewall
diff options
context:
space:
mode:
Diffstat (limited to 'data/configi/firewall')
-rw-r--r--data/configi/firewall177
1 files changed, 177 insertions, 0 deletions
diff --git a/data/configi/firewall b/data/configi/firewall
new file mode 100644
index 0000000..7f6cbc3
--- /dev/null
+++ b/data/configi/firewall
@@ -0,0 +1,177 @@
1config defaults
2 option syn_flood 1
3 option input ACCEPT
4 option output ACCEPT
5 option forward REJECT
6# Uncomment this line to disable ipv6 rules
7 option disable_ipv6 1
8
9config zone
10 option name lan
11 option network 'lan'
12 option input ACCEPT
13 option output ACCEPT
14 option forward REJECT
15
16config zone
17 option name wan
18 option network 'wan'
19 option input REJECT
20 option output ACCEPT
21 option forward REJECT
22 option masq 1
23 option mtu_fix 1
24
25config forwarding
26 option src lan
27 option dest wan
28
29# We need to accept udp packets on port 68,
30# see https://dev.openwrt.org/ticket/4108
31config rule
32 option name Allow-DHCP-Renew
33 option src wan
34 option proto udp
35 option dest_port 68
36 option target ACCEPT
37 option family ipv4
38
39# Allow IPv4 ping
40config rule
41 option name Allow-Ping
42 option src wan
43 option proto icmp
44 option icmp_type echo-request
45 option family ipv4
46 option target ACCEPT
47
48# Allow DHCPv6 replies
49# see https://dev.openwrt.org/ticket/10381
50config rule
51 option name Allow-DHCPv6
52 option src wan
53 option proto udp
54 option src_ip fe80::/10
55 option src_port 547
56 option dest_ip fe80::/10
57 option dest_port 546
58 option family ipv6
59 option target ACCEPT
60
61# Allow essential incoming IPv6 ICMP traffic
62config rule
63 option name Allow-ICMPv6-Input
64 option src wan
65 option proto icmp
66 list icmp_type echo-request
67 list icmp_type echo-reply
68 list icmp_type destination-unreachable
69 list icmp_type packet-too-big
70 list icmp_type time-exceeded
71 list icmp_type bad-header
72 list icmp_type unknown-header-type
73 list icmp_type router-solicitation
74 list icmp_type neighbour-solicitation
75 list icmp_type router-advertisement
76 list icmp_type neighbour-advertisement
77 option limit 1000/sec
78 option family ipv6
79 option target ACCEPT
80
81# Allow essential forwarded IPv6 ICMP traffic
82config rule
83 option name Allow-ICMPv6-Forward
84 option src wan
85 option dest *
86 option proto icmp
87 list icmp_type echo-request
88 list icmp_type echo-reply
89 list icmp_type destination-unreachable
90 list icmp_type packet-too-big
91 list icmp_type time-exceeded
92 list icmp_type bad-header
93 list icmp_type unknown-header-type
94 option limit 1000/sec
95 option family ipv6
96 option target ACCEPT
97
98# include a file with users custom iptables rules
99config include
100 option path /etc/firewall.user
101
102
103### EXAMPLE CONFIG SECTIONS
104# do not allow a specific ip to access wan
105#config rule
106# option src lan
107# option src_ip 192.168.45.2
108# option dest wan
109# option proto tcp
110# option target REJECT
111
112# block a specific mac on wan
113#config rule
114# option dest wan
115# option src_mac 00:11:22:33:44:66
116# option target REJECT
117
118# block incoming ICMP traffic on a zone
119#config rule
120# option src lan
121# option proto ICMP
122# option target DROP
123
124# port redirect port coming in on wan to lan
125#config redirect
126# option src wan
127# option src_dport 80
128# option dest lan
129# option dest_ip 192.168.16.235
130# option dest_port 80
131# option proto tcp
132
133# port redirect of remapped ssh port (22001) on wan
134#config redirect
135# option src wan
136# option src_dport 22001
137# option dest lan
138# option dest_port 22
139# option proto tcp
140
141# allow IPsec/ESP and ISAKMP passthrough
142#config rule
143# option src wan
144# option dest lan
145# option protocol esp
146# option target ACCEPT
147
148#config rule
149# option src wan
150# option dest lan
151# option src_port 500
152# option dest_port 500
153# option proto udp
154# option target ACCEPT
155
156### FULL CONFIG SECTIONS
157#config rule
158# option src lan
159# option src_ip 192.168.45.2
160# option src_mac 00:11:22:33:44:55
161# option src_port 80
162# option dest wan
163# option dest_ip 194.25.2.129
164# option dest_port 120
165# option proto tcp
166# option target REJECT
167
168#config redirect
169# option src lan
170# option src_ip 192.168.45.2
171# option src_mac 00:11:22:33:44:55
172# option src_port 1024
173# option src_dport 80
174# option dest_ip 194.25.2.129
175# option dest_port 120
176# option proto tcp
177