From ac6203f3fbf9381c1ffc0927b5dce3bb6323183c Mon Sep 17 00:00:00 2001
From: Bart Van Der Meerssche <bart.vandermeerssche@flukso.net>
Date: Wed, 11 May 2011 23:16:53 +0200
Subject: [PATCH] [openwrt] punch holes in the wan firewall zone for dhcp,
 avahi, ping and flukso rest api

---
 mote/v2/openwrt/files/etc/config/firewall | 146 +++++++++++++---------
 1 file changed, 86 insertions(+), 60 deletions(-)

diff --git a/mote/v2/openwrt/files/etc/config/firewall b/mote/v2/openwrt/files/etc/config/firewall
index 60f5f27..17190c7 100644
--- a/mote/v2/openwrt/files/etc/config/firewall
+++ b/mote/v2/openwrt/files/etc/config/firewall
@@ -1,87 +1,113 @@
 config defaults
-        option syn_flood        1
-        option input            ACCEPT
-        option output           ACCEPT
-        option forward          REJECT
+	option syn_flood	1
+	option input		ACCEPT
+	option output		ACCEPT 
+	option forward		REJECT
+# Uncomment this line to disable ipv6 rules
+#	option disable_ipv6	1
 
 config zone
-        option name             lan
-        option input    ACCEPT
-        option output   ACCEPT
-        option forward  REJECT
+	option name		lan
+	option input	ACCEPT 
+	option output	ACCEPT 
+	option forward	REJECT
 
 config zone
-        option name             wan
-        option input    REJECT
-        option output   ACCEPT
-        option forward  REJECT
-        option masq             1
+	option name		wan
+	option input	REJECT
+	option output	ACCEPT 
+	option forward	REJECT
+	option masq		1 
+	option mtu_fix	1
 
-config forwarding
-        option src      lan
-        option dest     wan
+config forwarding 
+	option src      lan
+	option dest     wan
 
-## Enable this option if you encounter any MTU problems
-## e.g. some websites work, others do not, submitting
-## forms causes problems, ...
-#       option mtu_fix  1
+# We need to accept udp packets on port 68,
+# see https://dev.openwrt.org/ticket/4108
+config rule
+	option src		wan
+	option proto		udp
+	option dest_port	68
+	option target		ACCEPT
+	option family	ipv4
+
+#Allow ping
+config rule
+	option src		wan
+	option proto		icmp
+	option icmp_type	echo-request
+	option target		ACCEPT
+
+#Allow access to local REST API on the wan itf
+config rule
+	option src		wan
+	option proto		tcp
+	option dest_port	8080
+	option target		ACCEPT
+
+#Open up UDP port 5353 on the wan for avahi
+config rule
+	option src		wan
+	option proto		udp
+	option dest_port	5353
+	option target		ACCEPT
+
+# include a file with users custom iptables rules
+config include
+	option path /etc/firewall.user
 
 
 ### EXAMPLE CONFIG SECTIONS
 # do not allow a specific ip to access wan
 #config rule
-#       option src              lan
-#       option src_ip   192.168.45.2
-#       option dest             wan
-#       option proto    tcp
-#       option target   REJECT
+#	option src		lan
+#	option src_ip	192.168.45.2
+#	option dest		wan
+#	option proto	tcp
+#	option target	REJECT 
 
 # block a specific mac on wan
 #config rule
-#       option dest             wan
-#       option src_mac  00:11:22:33:44:66
-#       option target   REJECT
+#	option dest		wan
+#	option src_mac	00:11:22:33:44:66
+#	option target	REJECT 
 
 # block incoming ICMP traffic on a zone
 #config rule
-#       option src              lan
-#       option proto    ICMP
-#       option target   DROP
+#	option src		lan
+#	option proto	ICMP
+#	option target	DROP
 
 # port redirect port coming in on wan to lan
 #config redirect
-#       option src                      wan
-#       option src_dport        80
-#       option dest                     lan
-#       option dest_ip          192.168.16.235
-#       option dest_port        80
-#       option proto            tcp
-
-# include a file with users custom iptables rules
-config include
-       option path /etc/firewall.user
+#	option src			wan
+#	option src_dport	80
+#	option dest			lan
+#	option dest_ip		192.168.16.235
+#	option dest_port	80 
+#	option proto		tcp
 
 
 ### FULL CONFIG SECTIONS
 #config rule
-#       option src              lan
-#       option src              lan
-#       option src_ip   192.168.45.2
-#       option src_mac  00:11:22:33:44:55
-#       option src_port 80
-#       option dest             wan
-#       option dest_ip  194.25.2.129
-#       option dest_port        120
-#       option proto    tcp
-#       option target   REJECT
+#	option src		lan
+#	option src_ip	192.168.45.2
+#	option src_mac	00:11:22:33:44:55
+#	option src_port	80
+#	option dest		wan
+#	option dest_ip	194.25.2.129
+#	option dest_port	120
+#	option proto	tcp
+#	option target	REJECT 
 
 #config redirect
-#       option src              lan
-#       option src_ip   192.168.45.2
-#       option src_mac  00:11:22:33:44:55
-#       option src_port         1024
-#       option src_dport        80
-#       option dest_ip  194.25.2.129
-#       option dest_port        120
-#       option proto    tcp
-
+#	option src		lan
+#	option src_ip	192.168.45.2
+#	option src_mac	00:11:22:33:44:55
+#	option src_port		1024
+#	option src_dport	80
+#	option dest_ip	194.25.2.129
+#	option dest_port	120
+#	option proto	tcp