# Global defaults; every zone inherits these unless it overrides them.
config defaults
	# SYN-flood protection is switched off here (the value shipped with a note
	# calling this temporary); put it back to 1 once the reason for disabling
	# it is gone.
	option syn_flood '0'
	# Default policies for traffic to / from / through the router. input ACCEPT
	# is permissive: any zone that does not set its own input policy lets
	# traffic reach the router itself. The wan zone below overrides it to REJECT.
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	# Drop packets that connection tracking classifies as INVALID.
	option drop_invalid '1'
	# NOTE(review): this line is active, although it was shipped under a
	# comment saying "uncomment this line to disable ipv6 rules". While
	# disable_ipv6 is 1, fw3 does not install the IPv6 rules further down
	# (Allow-DHCPv6, Allow-ICMPv6-Input, Allow-ICMPv6-Forward). Confirm which
	# behaviour is intended and either comment this out or drop the dead rules.
	option disable_ipv6 '1'

# Trusted zone: hosts on the lan network may reach the router and, through the
# forwarding stanza below, the wan zone.
config zone
	option name 'lan'
	list network 'lan'
	# NOTE(review): duplicates the list entry above. fw3 accepts either form
	# and the effective value is still 'lan', so one of the two can go.
	option network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

# Untrusted zone. input REJECT is what keeps unsolicited WAN traffic off the
# router; every rule below with src 'wan' and target ACCEPT opens a hole in it,
# so start from those rules when auditing exposure.
config zone
	option name 'wan'
	list network 'wan'
	# NOTE(review): duplicates the list entry above (same as in the lan zone).
	option network 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	# Source-NAT outgoing traffic and clamp TCP MSS to the path MTU.
	option masq '1'
	option mtu_fix '1'

# lan -> wan forwarding. There is no wan -> lan forwarding entry, so traffic in
# that direction is governed by the zone forward policy (REJECT) plus the
# individual rules and redirects below.
config forwarding
	option src 'lan'
	option dest 'wan'

# DHCP renewals from the upstream server arrive as UDP to port 68 on the
# router's wan side and must be accepted; see
# https://dev.openwrt.org/ticket/4108
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

# Let the router answer IPv4 echo requests from the wan side. Unlike the
# ICMPv6 rules below this one carries no limit option, so replies are not
# rate-limited; add one (or drop the rule) if WAN-side discoverability is not
# wanted.
config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

# DHCPv6 replies: link-local source, server port 547, to a link-local
# destination on client port 546; see https://dev.openwrt.org/ticket/10381
# NOTE(review): only effective while disable_ipv6 in the defaults stanza is
# not set to 1 (it currently is).
config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fe80::/10'
	option src_port '547'
	option dest_ip 'fe80::/10'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

# ICMPv6 types the router itself must accept for IPv6 to function (path MTU
# discovery, neighbour discovery, router advertisements), capped at 1000/sec.
# NOTE(review): inert while the defaults stanza sets disable_ipv6 to 1.
config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# ICMPv6 types that may be forwarded from wan into any zone (dest '*'):
# error/diagnostic messages only, no neighbour-discovery types, capped at
# 1000/sec.
# NOTE(review): inert while the defaults stanza sets disable_ipv6 to 1.
config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# Include stanzas. Each path is executed as a command line when the firewall is
# (re)loaded (the values below carry an argument after the loader path), so the
# included scripts run with the firewall's privileges and can install arbitrary
# iptables rules; their integrity matters as much as this file's. reload '1'
# re-runs the include on every firewall reload, not only at start-up.
#
# NAT-related includes.
config include 'webinitrdr'
	option path '/lib/firewall.sysapi.loader webinitrdr'
	option reload '1'
	option enabled '1'

config include 'dnsmiwifi'
	option path '/lib/firewall.sysapi.loader dnsmiwifi'
	option reload '1'
	option enabled '1'

config include 'macfilter'
	option path '/lib/firewall.sysapi.loader macfilter'
	option reload '1'
	option enabled '1'

# NOTE(review): no enabled option here (nor on xqfp), unlike the surrounding
# includes; fw3 presumably treats an unset enabled as on, so this is still
# active. Set it explicitly so the intent is visible.
config include 'miqos'
	option path '/lib/firewall.sysapi.loader miqos'
	option reload '1'

config include 'turbo'
	option path '/lib/firewall.sysapi.loader turbo'
	option reload '1'
	option enabled '1'

config include 'xqfp'
	option path '/lib/firewall.sysapi.loader xqfp'
	option reload '1'

# Hook for user-supplied iptables commands. It is executed on every reload, so
# unexpected changes to /etc/firewall.user are worth alerting on.
config include 'firewalluser'
	option path '/etc/firewall.user'
	option reload '1'

config include 'dmz_bypass_ctf'
	option path '/lib/firewall.sysapi.loader dmz_bypass_ctf'
	option reload '1'

# Uses a different loader from the sysapi includes above and passes it a
# 'reload' argument.
config include 'rr_rule'
	option path '/lib/firewall/rr.load reload'
	option reload '1'

# Inbound ports for the Xunlei download client. With src 'wan' and no dest,
# these rules accept traffic addressed to the router itself, i.e. they open
# listening ports towards the WAN. 1080 is also the conventional SOCKS port.
# Keep the rules switched off (option enabled '0') whenever the service is not
# actually in use.
config rule 'xunleiwantcpports'
	option name 'xunlei wan accept tcp port 1080 4662 2080 2062'
	option src 'wan'
	option dest_port '1080 4662 2080 2062'
	option proto 'tcp'
	option target 'ACCEPT'

config rule 'xunleiwanudpports'
	option name 'xunlei wan accept udp port 4661 3027 888 666 2037 2061 2048 2066'
	option src 'wan'
	option dest_port '4661 3027 888 666 2037 2061 2048 2066'
	option proto 'udp'
	option target 'ACCEPT'

# Router ports reachable from the guest zone (no dest, so the router itself is
# the destination).
# NOTE(review): no zone named 'guest' is defined in this file. If it is created
# elsewhere these rules apply to it; otherwise they are dead config.
config rule 'guest_8999'
	option name 'Hello wifi 8999'
	option src 'guest'
	option proto 'tcp'
	option dest_port '8999'
	option target 'ACCEPT'

config rule 'guest_8300'
	option name 'Hello wifi 8300'
	option src 'guest'
	option proto 'tcp'
	option dest_port '8300'
	option target 'ACCEPT'

config rule 'guest_7080'
	option name 'Hello wifi 7080'
	option src 'guest'
	option proto 'tcp'
	option dest_port '7080'
	option target 'ACCEPT'

# Isolated zone for devices in the 'ready' state: default-deny in all three
# directions, so only the explicit ready_* rules below open anything.
config zone 'ready_zone'
	option name 'ready'
	list network 'ready'
	option input 'DROP'
	option forward 'DROP'
	option output 'DROP'

# DHCP between the router and the ready zone, one rule per direction
# (src 'ready' for inbound, dest 'ready' for outbound).
config rule 'ready_dhcp'
	option name 'DHCP for ready'
	option src 'ready'
	option src_port '67-68'
	option dest_port '67-68'
	option proto 'udp'
	option target 'ACCEPT'

config rule 'ready_dhcp_out'
	option name 'DHCP for ready'
	option dest 'ready'
	option src_port '67-68'
	option dest_port '67-68'
	option proto 'udp'
	option target 'ACCEPT'

# tbus: TCP 784 on the router, reachable from ready devices.
config rule 'ready_tbus_in'
	option name 'tbus for ready'
	option src 'ready'
	option dest_port '784'
	option proto 'tcp'
	option target 'ACCEPT'

# NOTE(review): despite the _out name this rule has src 'ready', like
# ready_tbus_in, whereas the DHCP pair uses dest 'ready' for its outbound half.
# As written it accepts any TCP from the ready zone whose *source* port is 784
# to any port on the router; since a client chooses its own source port, this
# weakens the zone's input DROP rather than acting as a reply rule. Confirm
# whether dest 'ready' was intended.
config rule 'ready_tbus_out'
	option name 'tbus for ready'
	option src 'ready'
	option src_port '784'
	option proto 'tcp'
	option target 'ACCEPT'

# Transparent redirect: lan HTTP traffic addressed to 198.51.100.9 is DNAT'ed
# to local port 8190 (no dest_ip is given). 198.51.100.9 lies in a
# documentation range (rfc5735), so no real host answers it; presumably the
# resolver hands this address out for NXDOMAIN answers — confirm against the
# DNS configuration. The rfc note is kept on its own line rather than trailing
# the src_dip value, so it does not depend on the parser's handling of
# trailing comments.
config redirect 'nxdomain'
	option name 'nxdomain'
	option src 'lan'
	option src_dport '80'
	option src_dip '198.51.100.9'
	option dest_port '8190'
	option proto 'tcp'
	option target 'DNAT'

# Listening port for the PT download client, opened on the WAN side for both
# TCP and UDP. With src 'wan' and no dest the router itself accepts these
# connections; switch the rule off (option enabled '0') when not in use.
config rule 'ptdownload'
	option name 'ingress port for PT download'
	option src 'wan'
	option dest_port '51413'
	option proto 'tcpudp'
	option target 'ACCEPT'