# Global policies. These apply to traffic on any interface that is NOT
# assigned to one of the zones below (fw3 sends unzoned interfaces to the
# default chains), so "input ACCEPT" here means an unzoned interface exposes
# every local service. Keep every active network interface inside a zone.
config defaults
    # rate-limit new TCP connections (SYN flood protection)
    option syn_flood    1
    option input        ACCEPT
    option output       ACCEPT
    option forward      REJECT
# Uncomment this line to disable ipv6 rules
#   option disable_ipv6 1

# Trusted side: the "lan" network. Hosts here may reach every local service
# (input ACCEPT); traffic between lan and other zones is only allowed through
# an explicit "config forwarding" stanza, since forward is REJECT.
config zone
    option name     lan
    option network      'lan'
    option input        ACCEPT
    option output       ACCEPT
    option forward      REJECT

# Untrusted side: the "wan" network. Unsolicited inbound traffic is rejected
# unless one of the "config rule" stanzas below accepts it. Outbound traffic
# leaving through this zone is source-NATed (masq) and TCP MSS is clamped
# to the path MTU (mtu_fix).
config zone
    option name     wan
    option network      'wan'
    option input        REJECT
    option output       ACCEPT
    option forward      REJECT
    option masq     1
    option mtu_fix      1

# Inter-zone forwarding, both directions between lan and wlan.
# NOTE(review): no zone named "wlan" is defined in this file (only "lan" and
# "wan" above). fw3 warns about and ignores a forwarding whose src or dest
# zone does not exist, so as written neither stanza takes effect and no
# inter-zone forwarding is enabled. Any wlan interface that is not placed in
# a zone is instead governed by the "defaults" policies (input ACCEPT).
# Either add a "config zone" named wlan with its network, or point these at
# the zone that was actually intended — confirm against /etc/config/network.
config forwarding
    option src      lan
    option dest     wlan

config forwarding
    option src      wlan
    option dest     lan

# We need to accept udp packets on port 68 (the DHCP client port) from the
# wan side so that lease renewals from the upstream DHCP server reach the
# client even when conntrack does not match them to our request,
# see https://dev.openwrt.org/ticket/4108
config rule
    option name     Allow-DHCP-Renew
    option src      wan
    option proto        udp
    option dest_port    68
    option target       ACCEPT
    option family       ipv4

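# Allow IPv4 ping from the wan side. Rate-limited to match the ICMPv6 rules
# below so echo-requests cannot be used to flood the device; packets over the
# limit fall through to the wan zone's input policy (REJECT).
config rule
    option name     Allow-Ping
    option src      wan
    option proto        icmp
    option icmp_type    echo-request
    option limit        1000/sec
    option family       ipv4
    option target       ACCEPT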

# Allow DHCPv6 replies from the wan side. Deliberately narrow: only UDP from a
# link-local source on the server port (547) to a link-local destination on
# the client port (546), so globally-routed traffic cannot match this rule.
# see https://dev.openwrt.org/ticket/10381
config rule
    option name     Allow-DHCPv6
    option src      wan
    option proto        udp
    option src_ip       fe80::/10
    option src_port     547
    option dest_ip      fe80::/10
    option dest_port    546
    option family       ipv6
    option target       ACCEPT

# Allow essential incoming IPv6 ICMP traffic addressed to the device itself.
# "proto icmp" combined with "family ipv6" is applied as ICMPv6. The list is
# the minimum needed for IPv6 to function (error reporting, path MTU
# discovery, neighbour/router discovery) plus echo; it is rate-limited so
# ICMPv6 cannot be used to flood the device.
config rule
    option name     Allow-ICMPv6-Input
    option src      wan
    option proto    icmp
    list icmp_type      echo-request
    list icmp_type      echo-reply
    list icmp_type      destination-unreachable
    list icmp_type      packet-too-big
    list icmp_type      time-exceeded
    list icmp_type      bad-header
    list icmp_type      unknown-header-type
    list icmp_type      router-solicitation
    list icmp_type      neighbour-solicitation
    list icmp_type      router-advertisement
    list icmp_type      neighbour-advertisement
    option limit        1000/sec
    option family       ipv6
    option target       ACCEPT

# Allow essential forwarded IPv6 ICMP traffic. "dest *" means traffic from
# wan may be forwarded to ANY zone; because the default forward policy is
# REJECT, this rule is what lets ICMPv6 error and path-MTU messages reach
# hosts behind the device. Neighbour/router discovery types are intentionally
# absent here — they are link-local and must not be forwarded.
config rule
    option name     Allow-ICMPv6-Forward
    option src      wan
    option dest     *
    option proto        icmp
    list icmp_type      echo-request
    list icmp_type      echo-reply
    list icmp_type      destination-unreachable
    list icmp_type      packet-too-big
    list icmp_type      time-exceeded
    list icmp_type      bad-header
    list icmp_type      unknown-header-type
    option limit        1000/sec
    option family       ipv6
    option target       ACCEPT

# include a file with users custom iptables rules.
# /etc/firewall.user is a shell script executed with root privileges every
# time the firewall is (re)started, so its contents are effectively code:
# keep it owned by root and not writable by anyone else, and review it with
# the same care as this file.
config include
    option path /etc/firewall.user