summaryrefslogtreecommitdiff
path: root/ext/openwrt/turret/files/etc/config/firewall
diff options
context:
space:
mode:
Diffstat (limited to 'ext/openwrt/turret/files/etc/config/firewall')
-rw-r--r--ext/openwrt/turret/files/etc/config/firewall131
1 files changed, 131 insertions, 0 deletions
diff --git a/ext/openwrt/turret/files/etc/config/firewall b/ext/openwrt/turret/files/etc/config/firewall
new file mode 100644
index 0000000..d4f7394
--- /dev/null
+++ b/ext/openwrt/turret/files/etc/config/firewall
@@ -0,0 +1,131 @@
+
+config defaults
+ option syn_flood '1'
+ option input 'ACCEPT'
+ option output 'ACCEPT'
+ option forward 'REJECT'
+
+config zone
+ option name 'lan'
+ list network 'lan'
+ option input 'ACCEPT'
+ option output 'ACCEPT'
+ option forward 'ACCEPT'
+
+config zone
+ option name 'wan'
+ list network 'wan'
+ list network 'wan6'
+ option input 'REJECT'
+ option output 'ACCEPT'
+ option forward 'REJECT'
+ option masq '1'
+ option mtu_fix '1'
+
+config forwarding
+ option src 'lan'
+ option dest 'wan'
+
+config rule
+ option name 'Allow-DHCP-Renew'
+ option src 'wan'
+ option proto 'udp'
+ option dest_port '68'
+ option target 'ACCEPT'
+ option family 'ipv4'
+
+config rule
+ option name 'Allow-Ping'
+ option src 'wan'
+ option proto 'icmp'
+ option icmp_type 'echo-request'
+ option family 'ipv4'
+ option target 'ACCEPT'
+
+config rule
+ option name 'Allow-IGMP'
+ option src 'wan'
+ option proto 'igmp'
+ option family 'ipv4'
+ option target 'ACCEPT'
+
+config rule
+ option name 'Allow-DHCPv6'
+ option src 'wan'
+ option proto 'udp'
+ option dest_port '546'
+ option family 'ipv6'
+ option target 'ACCEPT'
+
+config rule
+ option name 'Allow-MLD'
+ option src 'wan'
+ option proto 'icmp'
+ option src_ip 'fe80::/10'
+ list icmp_type '130/0'
+ list icmp_type '131/0'
+ list icmp_type '132/0'
+ list icmp_type '143/0'
+ option family 'ipv6'
+ option target 'ACCEPT'
+
+config rule
+ option name 'Allow-ICMPv6-Input'
+ option src 'wan'
+ option proto 'icmp'
+ list icmp_type 'echo-request'
+ list icmp_type 'echo-reply'
+ list icmp_type 'destination-unreachable'
+ list icmp_type 'packet-too-big'
+ list icmp_type 'time-exceeded'
+ list icmp_type 'bad-header'
+ list icmp_type 'unknown-header-type'
+ list icmp_type 'router-solicitation'
+ list icmp_type 'neighbour-solicitation'
+ list icmp_type 'router-advertisement'
+ list icmp_type 'neighbour-advertisement'
+ option limit '1000/sec'
+ option family 'ipv6'
+ option target 'ACCEPT'
+
+config rule
+ option name 'Allow-ICMPv6-Forward'
+ option src 'wan'
+ option dest '*'
+ option proto 'icmp'
+ list icmp_type 'echo-request'
+ list icmp_type 'echo-reply'
+ list icmp_type 'destination-unreachable'
+ list icmp_type 'packet-too-big'
+ list icmp_type 'time-exceeded'
+ list icmp_type 'bad-header'
+ list icmp_type 'unknown-header-type'
+ option limit '1000/sec'
+ option family 'ipv6'
+ option target 'ACCEPT'
+
+config rule
+ option name 'Allow-IPSec-ESP'
+ option src 'wan'
+ option dest 'lan'
+ option proto 'esp'
+ option target 'ACCEPT'
+
+config rule
+ option name 'Allow-ISAKMP'
+ option src 'wan'
+ option dest 'lan'
+ option dest_port '500'
+ option proto 'udp'
+ option target 'ACCEPT'
+
+config redirect
+ option dest 'lan'
+ option target 'DNAT'
+ option name 'tf2'
+ option src 'wan'
+ option src_dport '37015'
+ option dest_ip '192.168.1.157'
+ option dest_port '37015'
+ option enabled '0'
+
generated by cgit v1.2.3 (git 2.25.1) at 2025-12-07 02:19:44 +0000