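# OpenWrt firewall configuration in UCI syntax.
# Restored from a listing that had been collapsed onto a few lines with the
# viewer's line numbers fused into the text; directives and values are unchanged.
#
# Reading guide:
#   - A rule with 'src' but no 'dest' filters traffic addressed to the router
#     itself (input). A rule with both 'src' and 'dest' filters traffic routed
#     through it (forward).
#   - A rule without 'option family' applies to both IPv4 and IPv6.

# Global fallbacks for traffic that belongs to no zone: reject anything
# inbound or forwarded, allow what the router itself originates.
config defaults
	option syn_flood	1
	option input		REJECT
	option output		ACCEPT
	option forward		REJECT
# Uncomment this line to disable ipv6 rules
#	option disable_ipv6	1

# Trusted side: LAN hosts may reach the router and each other.
config zone
	option name		lan
	list   network		'lan'
	option input		ACCEPT
	option output		ACCEPT
	option forward		ACCEPT

# Untrusted side: unsolicited traffic from the WAN is rejected unless one of
# the rules below accepts it. masq enables NAT for outbound IPv4 traffic and
# mtu_fix enables TCP MSS clamping.
config zone
	option name		wan
	list   network		'wan'
	list   network		'wan6'
	option input		REJECT
	option output		ACCEPT
	option forward		REJECT
	option masq		1
	option mtu_fix		1

# The only inter-zone path: LAN may initiate connections towards WAN.
# There is no wan -> lan forwarding section, so the reverse direction
# depends entirely on explicit rules and redirects.
config forwarding
	option src		lan
	option dest		wan

# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
	option name		Allow-DHCP-Renew
	option src		wan
	option proto		udp
	option dest_port	68
	option target		ACCEPT
	option family		ipv4

# Allow IPv4 ping
# NOTE(review): unlike the ICMPv6 rules below, this rule carries no
# 'option limit'; add one if WAN echo requests should be rate-limited.
config rule
	option name		Allow-Ping
	option src		wan
	option proto		icmp
	option icmp_type	echo-request
	option family		ipv4
	option target		ACCEPT

# IGMP from the WAN, needed only where upstream multicast is in use.
config rule
	option name		Allow-IGMP
	option src		wan
	option proto		igmp
	option family		ipv4
	option target		ACCEPT

# Allow DHCPv6 replies
# see https://github.com/openwrt/openwrt/issues/5066
# NOTE(review): matches on the DHCPv6 client port only; no source address
# restriction is applied here.
config rule
	option name		Allow-DHCPv6
	option src		wan
	option proto		udp
	option dest_port	546
	option family		ipv6
	option target		ACCEPT

# Multicast Listener Discovery, restricted to link-local senders.
# ICMPv6 types: 130 query, 131 report, 132 done, 143 MLDv2 report.
config rule
	option name		Allow-MLD
	option src		wan
	option proto		icmp
	option src_ip		fe80::/10
	list icmp_type		'130/0'
	list icmp_type		'131/0'
	list icmp_type		'132/0'
	list icmp_type		'143/0'
	option family		ipv6
	option target		ACCEPT

# Allow essential incoming IPv6 ICMP traffic
# Error messages and neighbour discovery addressed to the router itself;
# 'limit' caps how many packets per second this rule accepts.
config rule
	option name		Allow-ICMPv6-Input
	option src		wan
	option proto	icmp
	list icmp_type		echo-request
	list icmp_type		echo-reply
	list icmp_type		destination-unreachable
	list icmp_type		packet-too-big
	list icmp_type		time-exceeded
	list icmp_type		bad-header
	list icmp_type		unknown-header-type
	list icmp_type		router-solicitation
	list icmp_type		neighbour-solicitation
	list icmp_type		router-advertisement
	list icmp_type		neighbour-advertisement
	option limit		1000/sec
	option family		ipv6
	option target		ACCEPT

# Allow essential forwarded IPv6 ICMP traffic
# Same error types as above, forwarded to any zone ('dest *'). The neighbour
# discovery types are left out of this list.
config rule
	option name		Allow-ICMPv6-Forward
	option src		wan
	option dest		*
	option proto		icmp
	list icmp_type		echo-request
	list icmp_type		echo-reply
	list icmp_type		destination-unreachable
	list icmp_type		packet-too-big
	list icmp_type		time-exceeded
	list icmp_type		bad-header
	list icmp_type		unknown-header-type
	option limit		1000/sec
	option family		ipv6
	option target		ACCEPT

# IPsec pass-through for endpoints on the LAN: ESP and IKE (UDP 500).
# NOTE(review): both rules forward to every host in the lan zone and set no
# 'family', so they also apply to IPv6, where LAN hosts are not behind NAT.
# If no LAN host terminates IPsec, disable them or narrow them with dest_ip.
config rule
	option name		Allow-IPSec-ESP
	option src		wan
	option dest		lan
	option proto		esp
	option target		ACCEPT

config rule
	option name		Allow-ISAKMP
	option src		wan
	option dest		lan
	option dest_port	500
	option proto		udp
	option target		ACCEPT


### EXAMPLE CONFIG SECTIONS
# Everything below is commented out and has no effect until enabled.
# The addresses and MACs are sample values to be replaced.

# do not allow a specific ip to access wan
#config rule
#	option src		lan
#	option src_ip	192.168.45.2
#	option dest		wan
#	option proto	tcp
#	option target	REJECT

# block a specific mac on wan
#config rule
#	option dest		wan
#	option src_mac	00:11:22:33:44:66
#	option target	REJECT

# block incoming ICMP traffic on a zone
#config rule
#	option src		lan
#	option proto	ICMP
#	option target	DROP

# port redirect port coming in on wan to lan
# (a redirect exposes the LAN service to the whole WAN side; there is no
# src_ip restriction in this example)
#config redirect
#	option src			wan
#	option src_dport	80
#	option dest			lan
#	option dest_ip		192.168.16.235
#	option dest_port	80
#	option proto		tcp

# port redirect of remapped ssh port (22001) on wan
# (remapping the port does not restrict who can connect)
#config redirect
#	option src		wan
#	option src_dport	22001
#	option dest		lan
#	option dest_port	22
#	option proto		tcp

### FULL CONFIG SECTIONS
#config rule
#	option src		lan
#	option src_ip	192.168.45.2
#	option src_mac	00:11:22:33:44:55
#	option src_port	80
#	option dest		wan
#	option dest_ip	194.25.2.129
#	option dest_port	120
#	option proto	tcp
#	option target	REJECT

#config redirect
#	option src		lan
#	option src_ip	192.168.45.2
#	option src_mac	00:11:22:33:44:55
#	option src_port		1024
#	option src_dport	80
#	option dest_ip	194.25.2.129
#	option dest_port	120
#	option proto	tcp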