OpenWrt – Blame information for rev 2
?pathlinks?
| Rev | Author | Line No. | Line |
|---|---|---|---|
| 1 | office | 1 | config defaults |
| 2 | option syn_flood 1 |
||
| 3 | option input ACCEPT |
||
| 4 | option output ACCEPT |
||
| 5 | option forward REJECT |
||
| 6 | # Uncomment this line to disable ipv6 rules |
||
| 7 | # option disable_ipv6 1 |
||
| 8 | |||
| 9 | config zone |
||
| 10 | option name lan |
||
| 11 | list network 'lan' |
||
| 12 | option input ACCEPT |
||
| 13 | option output ACCEPT |
||
| 14 | option forward ACCEPT |
||
| 15 | |||
| 16 | config zone |
||
| 17 | option name wan |
||
| 18 | list network 'wan' |
||
| 19 | list network 'wan6' |
||
| 20 | option input REJECT |
||
| 21 | option output ACCEPT |
||
| 22 | option forward REJECT |
||
| 23 | option masq 1 |
||
| 24 | option mtu_fix 1 |
||
| 25 | |||
| 26 | config forwarding |
||
| 27 | option src lan |
||
| 28 | option dest wan |
||
| 29 | |||
| 30 | # We need to accept udp packets on port 68, |
||
| 31 | # see https://dev.openwrt.org/ticket/4108 |
||
| 32 | config rule |
||
| 33 | option name Allow-DHCP-Renew |
||
| 34 | option src wan |
||
| 35 | option proto udp |
||
| 36 | option dest_port 68 |
||
| 37 | option target ACCEPT |
||
| 38 | option family ipv4 |
||
| 39 | |||
| 40 | # Allow IPv4 ping |
||
| 41 | config rule |
||
| 42 | option name Allow-Ping |
||
| 43 | option src wan |
||
| 44 | option proto icmp |
||
| 45 | option icmp_type echo-request |
||
| 46 | option family ipv4 |
||
| 47 | option target ACCEPT |
||
| 48 | |||
| 49 | config rule |
||
| 50 | option name Allow-IGMP |
||
| 51 | option src wan |
||
| 52 | option proto igmp |
||
| 53 | option family ipv4 |
||
| 54 | option target ACCEPT |
||
| 55 | |||
| 56 | # Allow DHCPv6 replies |
||
| 57 | # see https://dev.openwrt.org/ticket/10381 |
||
| 58 | config rule |
||
| 59 | option name Allow-DHCPv6 |
||
| 60 | option src wan |
||
| 61 | option proto udp |
||
| 62 | option src_ip fc00::/6 |
||
| 63 | option dest_ip fc00::/6 |
||
| 64 | option dest_port 546 |
||
| 65 | option family ipv6 |
||
| 66 | option target ACCEPT |
||
| 67 | |||
| 68 | config rule |
||
| 69 | option name Allow-MLD |
||
| 70 | option src wan |
||
| 71 | option proto icmp |
||
| 72 | option src_ip fe80::/10 |
||
| 73 | list icmp_type '130/0' |
||
| 74 | list icmp_type '131/0' |
||
| 75 | list icmp_type '132/0' |
||
| 76 | list icmp_type '143/0' |
||
| 77 | option family ipv6 |
||
| 78 | option target ACCEPT |
||
| 79 | |||
| 80 | # Allow essential incoming IPv6 ICMP traffic |
||
| 81 | config rule |
||
| 82 | option name Allow-ICMPv6-Input |
||
| 83 | option src wan |
||
| 84 | option proto icmp |
||
| 85 | list icmp_type echo-request |
||
| 86 | list icmp_type echo-reply |
||
| 87 | list icmp_type destination-unreachable |
||
| 88 | list icmp_type packet-too-big |
||
| 89 | list icmp_type time-exceeded |
||
| 90 | list icmp_type bad-header |
||
| 91 | list icmp_type unknown-header-type |
||
| 92 | list icmp_type router-solicitation |
||
| 93 | list icmp_type neighbour-solicitation |
||
| 94 | list icmp_type router-advertisement |
||
| 95 | list icmp_type neighbour-advertisement |
||
| 96 | option limit 1000/sec |
||
| 97 | option family ipv6 |
||
| 98 | option target ACCEPT |
||
| 99 | |||
| 100 | # Allow essential forwarded IPv6 ICMP traffic |
||
| 101 | config rule |
||
| 102 | option name Allow-ICMPv6-Forward |
||
| 103 | option src wan |
||
| 104 | option dest * |
||
| 105 | option proto icmp |
||
| 106 | list icmp_type echo-request |
||
| 107 | list icmp_type echo-reply |
||
| 108 | list icmp_type destination-unreachable |
||
| 109 | list icmp_type packet-too-big |
||
| 110 | list icmp_type time-exceeded |
||
| 111 | list icmp_type bad-header |
||
| 112 | list icmp_type unknown-header-type |
||
| 113 | option limit 1000/sec |
||
| 114 | option family ipv6 |
||
| 115 | option target ACCEPT |
||
| 116 | |||
| 117 | config rule |
||
| 118 | option name Allow-IPSec-ESP |
||
| 119 | option src wan |
||
| 120 | option dest lan |
||
| 121 | option proto esp |
||
| 122 | option target ACCEPT |
||
| 123 | |||
| 124 | config rule |
||
| 125 | option name Allow-ISAKMP |
||
| 126 | option src wan |
||
| 127 | option dest lan |
||
| 128 | option dest_port 500 |
||
| 129 | option proto udp |
||
| 130 | option target ACCEPT |
||
| 131 | |||
| 132 | # include a file with users custom iptables rules |
||
| 133 | config include |
||
| 134 | option path /etc/firewall.user |
||
| 135 | |||
| 136 | |||
| 137 | ### EXAMPLE CONFIG SECTIONS |
||
| 138 | # do not allow a specific ip to access wan |
||
| 139 | #config rule |
||
| 140 | # option src lan |
||
| 141 | # option src_ip 192.168.45.2 |
||
| 142 | # option dest wan |
||
| 143 | # option proto tcp |
||
| 144 | # option target REJECT |
||
| 145 | |||
| 146 | # block a specific mac on wan |
||
| 147 | #config rule |
||
| 148 | # option dest wan |
||
| 149 | # option src_mac 00:11:22:33:44:66 |
||
| 150 | # option target REJECT |
||
| 151 | |||
| 152 | # block incoming ICMP traffic on a zone |
||
| 153 | #config rule |
||
| 154 | # option src lan |
||
| 155 | # option proto ICMP |
||
| 156 | # option target DROP |
||
| 157 | |||
| 158 | # port redirect port coming in on wan to lan |
||
| 159 | #config redirect |
||
| 160 | # option src wan |
||
| 161 | # option src_dport 80 |
||
| 162 | # option dest lan |
||
| 163 | # option dest_ip 192.168.16.235 |
||
| 164 | # option dest_port 80 |
||
| 165 | # option proto tcp |
||
| 166 | |||
| 167 | # port redirect of remapped ssh port (22001) on wan |
||
| 168 | #config redirect |
||
| 169 | # option src wan |
||
| 170 | # option src_dport 22001 |
||
| 171 | # option dest lan |
||
| 172 | # option dest_port 22 |
||
| 173 | # option proto tcp |
||
| 174 | |||
| 175 | ### FULL CONFIG SECTIONS |
||
| 176 | #config rule |
||
| 177 | # option src lan |
||
| 178 | # option src_ip 192.168.45.2 |
||
| 179 | # option src_mac 00:11:22:33:44:55 |
||
| 180 | # option src_port 80 |
||
| 181 | # option dest wan |
||
| 182 | # option dest_ip 194.25.2.129 |
||
| 183 | # option dest_port 120 |
||
| 184 | # option proto tcp |
||
| 185 | # option target REJECT |
||
| 186 | |||
| 187 | #config redirect |
||
| 188 | # option src lan |
||
| 189 | # option src_ip 192.168.45.2 |
||
| 190 | # option src_mac 00:11:22:33:44:55 |
||
| 191 | # option src_port 1024 |
||
| 192 | # option src_dport 80 |
||
| 193 | # option dest_ip 194.25.2.129 |
||
| 194 | # option dest_port 120 |
||
| 195 | # option proto tcp |