summaryrefslogtreecommitdiff
path: root/x86/config/firewall
diff options
context:
space:
mode:
Diffstat (limited to 'x86/config/firewall')
-rw-r--r--x86/config/firewall159
1 files changed, 159 insertions, 0 deletions
diff --git a/x86/config/firewall b/x86/config/firewall
new file mode 100644
index 0000000..8c936ed
--- /dev/null
+++ b/x86/config/firewall
@@ -0,0 +1,159 @@
+config defaults
+ option syn_flood '1'
+ option input 'ACCEPT'
+ option output 'ACCEPT'
+ option forward 'REJECT'
+
+config zone
+ option name wifi
+ list network 'wifi'
+ option input ACCEPT
+ option output ACCEPT
+ option forward REJECT
+
+config 'forwarding'
+ option 'src' 'wifi'
+ option 'dest' 'wan'
+
+
+config zone
+ option name 'lan'
+ list network 'lan'
+ option input 'ACCEPT'
+ option output 'ACCEPT'
+ option forward 'ACCEPT'
+
+config zone
+ option name 'wan'
+ list network 'wan'
+ list network 'wan6'
+ option input 'REJECT'
+ option output 'ACCEPT'
+ option forward 'REJECT'
+ option masq '1'
+ option mtu_fix '1'
+
+config forwarding
+ option src 'lan'
+ option dest 'wan'
+
+config rule
+ option name 'Allow-DHCP-Renew'
+ option src 'wan'
+ option proto 'udp'
+ option dest_port '68'
+ option target 'ACCEPT'
+ option family 'ipv4'
+
+config rule
+ option name 'Allow-Ping'
+ option src 'wan'
+ option proto 'icmp'
+ option icmp_type 'echo-request'
+ option family 'ipv4'
+ option target 'ACCEPT'
+
+config rule
+ option name 'Allow-IGMP'
+ option src 'wan'
+ option proto 'igmp'
+ option family 'ipv4'
+ option target 'ACCEPT'
+
+config rule
+ option name 'Allow-DHCPv6'
+ option src 'wan'
+ option proto 'udp'
+ option src_ip 'fc00::/6'
+ option dest_ip 'fc00::/6'
+ option dest_port '546'
+ option family 'ipv6'
+ option target 'ACCEPT'
+
+config rule
+ option name 'Allow-MLD'
+ option src 'wan'
+ option proto 'icmp'
+ option src_ip 'fe80::/10'
+ list icmp_type '130/0'
+ list icmp_type '131/0'
+ list icmp_type '132/0'
+ list icmp_type '143/0'
+ option family 'ipv6'
+ option target 'ACCEPT'
+
+config rule
+ option name 'Allow-ICMPv6-Input'
+ option src 'wan'
+ option proto 'icmp'
+ list icmp_type 'echo-request'
+ list icmp_type 'echo-reply'
+ list icmp_type 'destination-unreachable'
+ list icmp_type 'packet-too-big'
+ list icmp_type 'time-exceeded'
+ list icmp_type 'bad-header'
+ list icmp_type 'unknown-header-type'
+ list icmp_type 'router-solicitation'
+ list icmp_type 'neighbour-solicitation'
+ list icmp_type 'router-advertisement'
+ list icmp_type 'neighbour-advertisement'
+ option limit '1000/sec'
+ option family 'ipv6'
+ option target 'ACCEPT'
+
+config rule
+ option name 'Allow-ICMPv6-Forward'
+ option src 'wan'
+ option dest '*'
+ option proto 'icmp'
+ list icmp_type 'echo-request'
+ list icmp_type 'echo-reply'
+ list icmp_type 'destination-unreachable'
+ list icmp_type 'packet-too-big'
+ list icmp_type 'time-exceeded'
+ list icmp_type 'bad-header'
+ list icmp_type 'unknown-header-type'
+ option limit '1000/sec'
+ option family 'ipv6'
+ option target 'ACCEPT'
+
+config rule
+ option name 'Allow-IPSec-ESP'
+ option src 'wan'
+ option dest 'lan'
+ option proto 'esp'
+ option target 'ACCEPT'
+
+config rule
+ option name 'Allow-ISAKMP'
+ option src 'wan'
+ option dest 'lan'
+ option dest_port '500'
+ option proto 'udp'
+ option target 'ACCEPT'
+
+config rule
+ option name 'Support-UDP-Traceroute'
+ option src 'wan'
+ option dest_port '33434:33689'
+ option proto 'udp'
+ option family 'ipv4'
+ option target 'REJECT'
+ option enabled 'false'
+
+config include
+ option path '/etc/firewall.user'
+
+config rule
+ option name 'Allow SSH'
+ option src 'wan'
+ option target 'ACCEPT'
+ option proto 'tcp'
+ option dest_port '22'
+
+config rule
+ option name 'Allow LuCI'
+ option src 'wan'
+ option target 'ACCEPT'
+ option proto 'tcp'
+ option dest_port '80 443'
generated by cgit v1.2.3 (git 2.25.1) at 2024-06-14 20:24:48 +0000