package/network/config/firewall/files/firewall.config - T108 - Gitiles

 config defaults
 	option syn_flood	1
 	option input		ACCEPT
 	option output		ACCEPT
 	option forward		REJECT
 # Uncomment this line to disable ipv6 rules
 #	option disable_ipv6	1

 config zone
 	option name		lan
 	list   network		'lan'
 	option input		ACCEPT
 	option output		ACCEPT
 	option forward		ACCEPT

 config zone
 	option name		wan
 	list   network		'wan0'
 	list   network		'wan1'
 	list   network		'wan2'
 	list   network		'wan3'
 	list   network		'wan4'
 	list   network		'wan5'
 	list   network		'wan6'
 	list   network		'wan7'
 	list   network		'wan8'
 	list   network		'wan9'
 	list   network		'wan10'
 	list   network		'wan11'
 	list   network		'wan12'
 	list   network		'wan13'
 	list   network		'wan14'
 	list   network		'wan15'
 	list   network		'wan60'
 	list   network		'wan61'
 	list   network		'wan62'
 	list   network		'wan63'
 	list   network		'wan64'
 	list   network		'wan65'
 	list   network		'wan66'
 	list   network		'wan67'
 	list   network		'wan68'
 	list   network		'wan69'
 	list   network		'wan610'
 	list   network		'wan611'
 	list   network		'wan612'
 	list   network		'wan613'
 	list   network		'wan614'
 	list   network		'wan615'
 	list   network		'wlan'
 	list   network		'wlan6'
 	option input		REJECT
 	option output		ACCEPT
 	option forward		REJECT
 	option masq		1
 	option mtu_fix		1

 config forwarding
 	option src		lan
 	option dest		wan

 #IMS needed rules
 config rule
 	option name		Allow-SIP
 	option src		wan
 	option proto		tcpudp
 	option dest_port	5060
 	option target		ACCEPT

 config rule
 	option name		Allow-ESP
 	option src		wan
 	option proto		esp
 	option target		ACCEPT

 config rule
 	option name		Allow-RTP-port-range
 	option src		wan
 	option proto		udp
 	option dest_port	4040:4060
 	option target		ACCEPT

 config rule
 	option name		Allow-ipsec-port-range
 	option src		wan
 	option proto		tcpudp
 	option dest_port	10000:101023
 	option target		ACCEPT

 # We need to accept udp packets on port 68,
 # see https://dev.openwrt.org/ticket/4108
 config rule
 	option name		Allow-DHCP-Renew
 	option src		wan
 	option proto		udp
 	option dest_port	68
 	option target		ACCEPT
 	option family		ipv4

 # Allow IPv4 ping
 config rule
 	option name		Allow-Ping
 	option src		wan
 	option proto		icmp
 	option icmp_type	echo-request
 	option family		ipv4
 	option target		ACCEPT

 config rule
 	option name		Allow-IGMP
 	option src		wan
 	option proto		igmp
 	option family		ipv4
 	option target		ACCEPT

 # Allow DHCPv6 replies
 # see https://github.com/openwrt/openwrt/issues/5066
 config rule
 	option name		Allow-DHCPv6
 	option src		wan
 	option proto		udp
 	option dest_port	546
 	option family		ipv6
 	option target		ACCEPT

 config rule
 	option name		Allow-MLD
 	option src		wan
 	option proto		icmp
 	option src_ip		fe80::/10
 	list icmp_type		'130/0'
 	list icmp_type		'131/0'
 	list icmp_type		'132/0'
 	list icmp_type		'143/0'
 	option family		ipv6
 	option target		ACCEPT

 # Allow essential incoming IPv6 ICMP traffic
 config rule
 	option name		Allow-ICMPv6-Input
 	option src		wan
 	option proto	icmp
 	list icmp_type		echo-request
 	list icmp_type		echo-reply
 	list icmp_type		destination-unreachable
 	list icmp_type		packet-too-big
 	list icmp_type		time-exceeded
 	list icmp_type		bad-header
 	list icmp_type		unknown-header-type
 	list icmp_type		router-solicitation
 	list icmp_type		neighbour-solicitation
 	list icmp_type		router-advertisement
 	list icmp_type		neighbour-advertisement
 	option limit		1000/sec
 	option family		ipv6
 	option target		ACCEPT

 # Allow essential forwarded IPv6 ICMP traffic
 config rule
 	option name		Allow-ICMPv6-Forward
 	option src		wan
 	option dest		*
 	option proto		icmp
 	list icmp_type		echo-request
 	list icmp_type		echo-reply
 	list icmp_type		destination-unreachable
 	list icmp_type		packet-too-big
 	list icmp_type		time-exceeded
 	list icmp_type		bad-header
 	list icmp_type		unknown-header-type
 	option limit		1000/sec
 	option family		ipv6
 	option target		ACCEPT

 config rule
 	option name		Allow-IPSec-ESP
 	option src		wan
 	option dest		lan
 	option proto		esp
 	option target		ACCEPT

 config rule
 	option name		Allow-ISAKMP
 	option src		wan
 	option dest		lan
 	option dest_port	500
 	option proto		udp
 	option target		ACCEPT

 # allow interoperability with traceroute classic
 # note that traceroute uses a fixed port range, and depends on getting
 # back ICMP Unreachables.  if we're operating in DROP mode, it won't
 # work so we explicitly REJECT packets on these ports.
 config rule
 	option name		Support-UDP-Traceroute
 	option src		wan
 	option dest_port	33434:33689
 	option proto		udp
 	option family		ipv4
 	option target		REJECT
 	option enabled		false

 # include a file with users custom iptables rules
 config include
 	option path /etc/firewall.user


 ### EXAMPLE CONFIG SECTIONS
 # do not allow a specific ip to access wan
 #config rule
 #	option src		lan
 #	option src_ip	192.168.45.2
 #	option dest		wan
 #	option proto	tcp
 #	option target	REJECT

 # block a specific mac on wan
 #config rule
 #	option dest		wan
 #	option src_mac	00:11:22:33:44:66
 #	option target	REJECT

 # block incoming ICMP traffic on a zone
 #config rule
 #	option src		lan
 #	option proto	ICMP
 #	option target	DROP

 # port redirect port coming in on wan to lan
 #config redirect
 #	option src			wan
 #	option src_dport	80
 #	option dest			lan
 #	option dest_ip		192.168.16.235
 #	option dest_port	80
 #	option proto		tcp

 # port redirect of remapped ssh port (22001) on wan
 #config redirect
 #	option src		wan
 #	option src_dport	22001
 #	option dest		lan
 #	option dest_port	22
 #	option proto		tcp

 ### FULL CONFIG SECTIONS
 #config rule
 #	option src		lan
 #	option src_ip	192.168.45.2
 #	option src_mac	00:11:22:33:44:55
 #	option src_port	80
 #	option dest		wan
 #	option dest_ip	194.25.2.129
 #	option dest_port	120
 #	option proto	tcp
 #	option target	REJECT

 #config redirect
 #	option src		lan
 #	option src_ip	192.168.45.2
 #	option src_mac	00:11:22:33:44:55
 #	option src_port		1024
 #	option src_dport	80
 #	option dest_ip	194.25.2.129
 #	option dest_port	120
 #	option proto	tcp
	config defaults
	option syn_flood 1
	option input ACCEPT
	option output ACCEPT
	option forward REJECT
	# Uncomment this line to disable ipv6 rules
	# option disable_ipv6 1

	config zone
	option name lan
	list network 'lan'
	option input ACCEPT
	option output ACCEPT
	option forward ACCEPT

	config zone
	option name wan
	list network 'wan0'
	list network 'wan1'
	list network 'wan2'
	list network 'wan3'
	list network 'wan4'
	list network 'wan5'
	list network 'wan6'
	list network 'wan7'
	list network 'wan8'
	list network 'wan9'
	list network 'wan10'
	list network 'wan11'
	list network 'wan12'
	list network 'wan13'
	list network 'wan14'
	list network 'wan15'
	list network 'wan60'
	list network 'wan61'
	list network 'wan62'
	list network 'wan63'
	list network 'wan64'
	list network 'wan65'
	list network 'wan66'
	list network 'wan67'
	list network 'wan68'
	list network 'wan69'
	list network 'wan610'
	list network 'wan611'
	list network 'wan612'
	list network 'wan613'
	list network 'wan614'
	list network 'wan615'
	list network 'wlan'
	list network 'wlan6'
	option input REJECT
	option output ACCEPT
	option forward REJECT
	option masq 1
	option mtu_fix 1

	config forwarding
	option src lan
	option dest wan

	#IMS needed rules
	config rule
	option name Allow-SIP
	option src wan
	option proto tcpudp
	option dest_port 5060
	option target ACCEPT

	config rule
	option name Allow-ESP
	option src wan
	option proto esp
	option target ACCEPT

	config rule
	option name Allow-RTP-port-range
	option src wan
	option proto udp
	option dest_port 4040:4060
	option target ACCEPT

	config rule
	option name Allow-ipsec-port-range
	option src wan
	option proto tcpudp
	option dest_port 10000:101023
	option target ACCEPT

	# We need to accept udp packets on port 68,
	# see https://dev.openwrt.org/ticket/4108
	config rule
	option name Allow-DHCP-Renew
	option src wan
	option proto udp
	option dest_port 68
	option target ACCEPT
	option family ipv4

	# Allow IPv4 ping
	config rule
	option name Allow-Ping
	option src wan
	option proto icmp
	option icmp_type echo-request
	option family ipv4
	option target ACCEPT

	config rule
	option name Allow-IGMP
	option src wan
	option proto igmp
	option family ipv4
	option target ACCEPT

	# Allow DHCPv6 replies
	# see https://github.com/openwrt/openwrt/issues/5066
	config rule
	option name Allow-DHCPv6
	option src wan
	option proto udp
	option dest_port 546
	option family ipv6
	option target ACCEPT

	config rule
	option name Allow-MLD
	option src wan
	option proto icmp
	option src_ip fe80::/10
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family ipv6
	option target ACCEPT

	# Allow essential incoming IPv6 ICMP traffic
	config rule
	option name Allow-ICMPv6-Input
	option src wan
	option proto icmp
	list icmp_type echo-request
	list icmp_type echo-reply
	list icmp_type destination-unreachable
	list icmp_type packet-too-big
	list icmp_type time-exceeded
	list icmp_type bad-header
	list icmp_type unknown-header-type
	list icmp_type router-solicitation
	list icmp_type neighbour-solicitation
	list icmp_type router-advertisement
	list icmp_type neighbour-advertisement
	option limit 1000/sec
	option family ipv6
	option target ACCEPT

	# Allow essential forwarded IPv6 ICMP traffic
	config rule
	option name Allow-ICMPv6-Forward
	option src wan
	option dest *
	option proto icmp
	list icmp_type echo-request
	list icmp_type echo-reply
	list icmp_type destination-unreachable
	list icmp_type packet-too-big
	list icmp_type time-exceeded
	list icmp_type bad-header
	list icmp_type unknown-header-type
	option limit 1000/sec
	option family ipv6
	option target ACCEPT

	config rule
	option name Allow-IPSec-ESP
	option src wan
	option dest lan
	option proto esp
	option target ACCEPT

	config rule
	option name Allow-ISAKMP
	option src wan
	option dest lan
	option dest_port 500
	option proto udp
	option target ACCEPT

	# allow interoperability with traceroute classic
	# note that traceroute uses a fixed port range, and depends on getting
	# back ICMP Unreachables. if we're operating in DROP mode, it won't
	# work so we explicitly REJECT packets on these ports.
	config rule
	option name Support-UDP-Traceroute
	option src wan
	option dest_port 33434:33689
	option proto udp
	option family ipv4
	option target REJECT
	option enabled false

	# include a file with users custom iptables rules
	config include
	option path /etc/firewall.user


	### EXAMPLE CONFIG SECTIONS
	# do not allow a specific ip to access wan
	#config rule
	# option src lan
	# option src_ip 192.168.45.2
	# option dest wan
	# option proto tcp
	# option target REJECT

	# block a specific mac on wan
	#config rule
	# option dest wan
	# option src_mac 00:11:22:33:44:66
	# option target REJECT

	# block incoming ICMP traffic on a zone
	#config rule
	# option src lan
	# option proto ICMP
	# option target DROP

	# port redirect port coming in on wan to lan
	#config redirect
	# option src wan
	# option src_dport 80
	# option dest lan
	# option dest_ip 192.168.16.235
	# option dest_port 80
	# option proto tcp

	# port redirect of remapped ssh port (22001) on wan
	#config redirect
	# option src wan
	# option src_dport 22001
	# option dest lan
	# option dest_port 22
	# option proto tcp

	### FULL CONFIG SECTIONS
	#config rule
	# option src lan
	# option src_ip 192.168.45.2
	# option src_mac 00:11:22:33:44:55
	# option src_port 80
	# option dest wan
	# option dest_ip 194.25.2.129
	# option dest_port 120
	# option proto tcp
	# option target REJECT

	#config redirect
	# option src lan
	# option src_ip 192.168.45.2
	# option src_mac 00:11:22:33:44:55
	# option src_port 1024
	# option src_dport 80
	# option dest_ip 194.25.2.129
	# option dest_port 120
	# option proto tcp