6 # Uncomment this line to disable ipv6 rules
7 # option disable_ipv6 1
30 # We need to accept udp packets on port 68,
31 # see https://dev.openwrt.org/ticket/4108
33 option name Allow-DHCP-Renew
42 option name Allow-Ping
45 option icmp_type echo-request
50 option name Allow-IGMP
56 # Allow DHCPv6 replies
57 # see https://github.com/openwrt/openwrt/issues/5066
59 option name Allow-DHCPv6
70 option src_ip fe80::/10
71 list icmp_type '130/0'
72 list icmp_type '131/0'
73 list icmp_type '132/0'
74 list icmp_type '143/0'
78 # Allow essential incoming IPv6 ICMP traffic
80 option name Allow-ICMPv6-Input
83 list icmp_type echo-request
84 list icmp_type echo-reply
85 list icmp_type destination-unreachable
86 list icmp_type packet-too-big
87 list icmp_type time-exceeded
88 list icmp_type bad-header
89 list icmp_type unknown-header-type
90 list icmp_type router-solicitation
91 list icmp_type neighbour-solicitation
92 list icmp_type router-advertisement
93 list icmp_type neighbour-advertisement
98 # Allow essential forwarded IPv6 ICMP traffic
100 option name Allow-ICMPv6-Forward
104 list icmp_type echo-request
105 list icmp_type echo-reply
106 list icmp_type destination-unreachable
107 list icmp_type packet-too-big
108 list icmp_type time-exceeded
109 list icmp_type bad-header
110 list icmp_type unknown-header-type
111 option limit 1000/sec
116 option name Allow-IPSec-ESP
123 option name Allow-ISAKMP
130 # Allow interoperability with classic UDP traceroute.
131 # Note that traceroute uses a fixed port range and depends on getting
132 # back ICMP Unreachables. If we're operating in DROP mode, it won't
133 # work, so we explicitly REJECT packets on these ports.
135 option name Support-UDP-Traceroute
137 option dest_port 33434:33689
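143 # include a file with the user's custom iptables rules (unless the include sets a type, fw3 runs it as a shell script with root privileges, so keep it writable by root only)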
145 option path /etc/firewall.user
148 ### EXAMPLE CONFIG SECTIONS
149 # do not allow a specific ip to access wan
152 # option src_ip 192.168.45.2
155 # option target REJECT
157 # block a specific mac on wan
160 # option src_mac 00:11:22:33:44:66
161 # option target REJECT
163 # block incoming ICMP traffic on a zone
169 # redirect a port coming in on wan to lan
172 # option src_dport 80
174 # option dest_ip 192.168.16.235
175 # option dest_port 80
178 # port redirect of remapped ssh port (22001) on wan
181 # option src_dport 22001
183 # option dest_port 22
186 ### FULL CONFIG SECTIONS
189 # option src_ip 192.168.45.2
190 # option src_mac 00:11:22:33:44:55
193 # option dest_ip 194.25.2.129
194 # option dest_port 120
196 # option target REJECT
200 # option src_ip 192.168.45.2
201 # option src_mac 00:11:22:33:44:55
202 # option src_port 1024
203 # option src_dport 80
204 # option dest_ip 194.25.2.129
205 # option dest_port 120