firewall: comply with REC-22, REC-24 of RFC 6092
[openwrt/openwrt.git] / package / network / config / firewall / files / firewall.config
# Global firewall defaults.  Policies set here apply to all traffic
# that no zone, forwarding or rule section below matches explicitly.
config defaults
	# Enable the firewall's SYN flood protection.
	option syn_flood	1
	# Traffic to and from the router itself is accepted by default;
	# forwarding between zones is rejected unless a zone or
	# "forwarding" section below allows it.
	option input		ACCEPT
	option output		ACCEPT
	option forward		REJECT
	# Uncomment this line to disable ipv6 rules
	# option disable_ipv6 1
8
# Trusted side: the "lan" network.  All three policies are ACCEPT, so
# hosts on lan may reach the router and (via "forward") other networks
# that belong to this same zone without any further rule.
config zone
	option name		lan
	list network		'lan'
	option input		ACCEPT
	option output		ACCEPT
	option forward		ACCEPT
15
# Untrusted side: the IPv4 "wan" and IPv6 "wan6" networks share one
# zone.  Unsolicited traffic to the router (input) and between wan
# networks (forward) is rejected; only the explicit Allow-* rules
# below open holes in this policy.
config zone
	option name		wan
	list network		'wan'
	list network		'wan6'
	option input		REJECT
	option output		ACCEPT
	option forward		REJECT
	# Masquerade (NAT) traffic leaving through this zone.
	option masq		1
	# Clamp TCP MSS to the path MTU on traffic through this zone.
	option mtu_fix		1
25
# Allow lan hosts to initiate connections towards wan.  There is no
# matching wan -> lan forwarding, so inbound forwarding is governed
# only by the explicit rules below.
config forwarding
	option src		lan
	option dest		wan
29
# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
# DHCPv4 client on wan: accept server replies addressed to the local
# client port.  Note that the rule matches on destination port only;
# there is no src_port restriction, so any IPv4 host reachable via
# wan can deliver UDP to port 68 on this router.
config rule
	option name		Allow-DHCP-Renew
	option src		wan
	option proto		udp
	option dest_port	68
	option target		ACCEPT
	option family		ipv4
39
# Allow IPv4 ping
# Only ICMP echo-request is accepted here, and only for IPv4; the
# IPv6 equivalent is part of Allow-ICMPv6-Input below.  No rate
# limit is applied to this rule.
config rule
	option name		Allow-Ping
	option src		wan
	option proto		icmp
	option icmp_type	echo-request
	option family		ipv4
	option target		ACCEPT
48
# Accept IGMP from wan so IPv4 multicast group management works
# towards the upstream router.  No source address restriction is
# applied.
config rule
	option name		Allow-IGMP
	option src		wan
	option proto		igmp
	option family		ipv4
	option target		ACCEPT
55
# Allow DHCPv6 replies
# see https://dev.openwrt.org/ticket/10381
# Tightly scoped: both source and destination must be link-local
# (fe80::/10), source port must be the DHCPv6 server port (547) and
# destination port the client port (546).
config rule
	option name		Allow-DHCPv6
	option src		wan
	option proto		udp
	option src_ip		fe80::/10
	option src_port		547
	option dest_ip		fe80::/10
	option dest_port	546
	option family		ipv6
	option target		ACCEPT
68
# Accept Multicast Listener Discovery from link-local wan neighbours.
# With family ipv6, "proto icmp" matches ICMPv6.  The numeric
# type/code pairs are: 130 MLD Query, 131 MLDv1 Report, 132 MLDv1
# Done, 143 MLDv2 Report.
config rule
	option name		Allow-MLD
	option src		wan
	option proto		icmp
	option src_ip		fe80::/10
	list icmp_type		'130/0'
	list icmp_type		'131/0'
	list icmp_type		'132/0'
	list icmp_type		'143/0'
	option family		ipv6
	option target		ACCEPT
80
# Allow essential incoming IPv6 ICMP traffic
# ICMPv6 types the router itself must receive: echo, the error
# messages needed for path MTU discovery and error reporting, and
# Neighbour Discovery (RS/RA/NS/NA).  Matches are rate limited via
# "limit"; no source address restriction is applied, so the ND
# messages are accepted from any source, not just link-local.
config rule
	option name		Allow-ICMPv6-Input
	option src		wan
	option proto		icmp
	list icmp_type		echo-request
	list icmp_type		echo-reply
	list icmp_type		destination-unreachable
	list icmp_type		packet-too-big
	list icmp_type		time-exceeded
	list icmp_type		bad-header
	list icmp_type		unknown-header-type
	list icmp_type		router-solicitation
	list icmp_type		neighbour-solicitation
	list icmp_type		router-advertisement
	list icmp_type		neighbour-advertisement
	option limit		1000/sec
	option family		ipv6
	option target		ACCEPT
100
# Allow essential forwarded IPv6 ICMP traffic
# Same as Allow-ICMPv6-Input but for traffic forwarded from wan to
# any other zone ("dest *").  Neighbour Discovery types are
# deliberately absent from this list: they are link-local and are
# not forwarded.  Rate limited via "limit".
config rule
	option name		Allow-ICMPv6-Forward
	option src		wan
	option dest		*
	option proto		icmp
	list icmp_type		echo-request
	list icmp_type		echo-reply
	list icmp_type		destination-unreachable
	list icmp_type		packet-too-big
	list icmp_type		time-exceeded
	list icmp_type		bad-header
	list icmp_type		unknown-header-type
	option limit		1000/sec
	option family		ipv6
	option target		ACCEPT
117
# include a file with users custom iptables rules
# Anything in this file is applied verbatim when the firewall is
# loaded, outside the policy expressed by the sections above; keep it
# root-owned and review it with the same care as this file.
config include
	option path		/etc/firewall.user
121
122
123 ### EXAMPLE CONFIG SECTIONS
124 # do not allow a specific ip to access wan
125 #config rule
126 # option src lan
127 # option src_ip 192.168.45.2
128 # option dest wan
129 # option proto tcp
130 # option target REJECT
131
132 # block a specific mac on wan
133 #config rule
134 # option dest wan
135 # option src_mac 00:11:22:33:44:66
136 # option target REJECT
137
138 # block incoming ICMP traffic on a zone
139 #config rule
140 # option src lan
141 # option proto ICMP
142 # option target DROP
143
144 # port redirect port coming in on wan to lan
145 #config redirect
146 # option src wan
147 # option src_dport 80
148 # option dest lan
149 # option dest_ip 192.168.16.235
150 # option dest_port 80
151 # option proto tcp
152
153 # port redirect of remapped ssh port (22001) on wan
154 #config redirect
155 # option src wan
156 # option src_dport 22001
157 # option dest lan
158 # option dest_port 22
159 # option proto tcp
160
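# allow IPsec/ESP and ISAKMP passthrough
# Forward ESP from wan into lan (any lan host; no dest_ip
# restriction).  Every other rule in this file selects the protocol
# with "proto"; this one used "protocol", which is not the key the
# rest of the file uses, so the ESP match would not have been applied
# as written (an unrecognised option is ignored and the rule falls
# back to the default protocol match -- confirm against the firewall
# rule defaults).  Unlike the other entries under EXAMPLE CONFIG
# SECTIONS this rule is not commented out and is active.
config rule
	option name		Allow-IPSec-ESP
	option src		wan
	option dest		lan
	option proto		esp
	option target		ACCEPT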
167
# ISAKMP/IKE: forward UDP/500 from wan to any lan host (no dest_ip
# restriction).  Only port 500 is covered; IPsec NAT traversal on
# UDP/4500 is not opened by this rule.  Unlike the other entries
# under EXAMPLE CONFIG SECTIONS this rule is not commented out and
# is active.
config rule
	option src		wan
	option dest		lan
	option dest_port	500
	option proto		udp
	option target		ACCEPT
174
175 ### FULL CONFIG SECTIONS
176 #config rule
177 # option src lan
178 # option src_ip 192.168.45.2
179 # option src_mac 00:11:22:33:44:55
180 # option src_port 80
181 # option dest wan
182 # option dest_ip 194.25.2.129
183 # option dest_port 120
184 # option proto tcp
185 # option target REJECT
186
187 #config redirect
188 # option src lan
189 # option src_ip 192.168.45.2
190 # option src_mac 00:11:22:33:44:55
191 # option src_port 1024
192 # option src_dport 80
193 # option dest_ip 194.25.2.129
194 # option dest_port 120
195 # option proto tcp