minikrebs/profiles/rickroller/customfiles/etc/config/firewall


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110

config defaults
    option syn_flood    1
    option input        ACCEPT
    option output       ACCEPT
    option forward      REJECT

config zone
    option name     lan
    option network      'lan'
    option input        ACCEPT
    option output       ACCEPT
    option forward      REJECT

config zone
    option name     wan
    option network      'wan'
    option input        ACCEPT
    option output       ACCEPT
    option forward      REJECT
    option masq     1
    option mtu_fix      1

config forwarding
    option src      lan
    option dest     wan

# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
    option name     Allow-DHCP-Renew
    option src      wan
    option proto        udp
    option dest_port    68
    option target       ACCEPT
    option family       ipv4

# Allow IPv4 ping
config rule
    option name     Allow-Ping
    option src      wan
    option proto        icmp
    option icmp_type    echo-request
    option family       ipv4
    option target       ACCEPT

# Allow DHCPv6 replies
# see https://dev.openwrt.org/ticket/10381
config rule
    option name     Allow-DHCPv6
    option src      wan
    option proto        udp
    option src_ip       fe80::/10
    option src_port     547
    option dest_ip      fe80::/10
    option dest_port    546
    option family       ipv6
    option target       ACCEPT

# Allow essential incoming IPv6 ICMP traffic
config rule
    option name     Allow-ICMPv6-Input
    option src      wan
    option proto    icmp
    list icmp_type      echo-request
    list icmp_type      echo-reply
    list icmp_type      destination-unreachable
    list icmp_type      packet-too-big
    list icmp_type      time-exceeded
    list icmp_type      bad-header
    list icmp_type      unknown-header-type
    list icmp_type      router-solicitation
    list icmp_type      neighbour-solicitation
    list icmp_type      router-advertisement
    list icmp_type      neighbour-advertisement
    option limit        1000/sec
    option family       ipv6
    option target       ACCEPT

# Allow essential forwarded IPv6 ICMP traffic
config rule
    option name     Allow-ICMPv6-Forward
    option src      wan
    option dest     *
    option proto        icmp
    list icmp_type      echo-request
    list icmp_type      echo-reply
    list icmp_type      destination-unreachable
    list icmp_type      packet-too-big
    list icmp_type      time-exceeded
    list icmp_type      bad-header
    list icmp_type      unknown-header-type
    option limit        1000/sec
    option family       ipv6
    option target       ACCEPT
    
# does not seem to work for some reason:    
#config redirect
#    option src      lan
#    option proto        tcp
#    option src_dport    80
#    option dest_port    80

config redirect
    option src      lan
    option proto        tcp
    option src_dport    80
    option src_ip           !192.168.23.1
    option dest_port    80
    option dest_ip      192.168.23.1
    option target       DNAT