[openwrt] punch holes in the wan firewall zone for dhcp, avahi, ping and flukso rest api
This commit is contained in:
Bart Van Der Meerssche
parent
69d7922dab
commit
ac6203f3fb
|
|
@ -1,87 +1,113 @@
|
||||||
config defaults
|
config defaults
|
||||||
option syn_flood 1
|
option syn_flood 1
|
||||||
option input ACCEPT
|
option input ACCEPT
|
||||||
option output ACCEPT
|
option output ACCEPT
|
||||||
option forward REJECT
|
option forward REJECT
|
||||||
|
# Uncomment this line to disable ipv6 rules
|
||||||
|
# option disable_ipv6 1
|
||||||
|
|
||||||
config zone
|
config zone
|
||||||
option name lan
|
option name lan
|
||||||
option input ACCEPT
|
option input ACCEPT
|
||||||
option output ACCEPT
|
option output ACCEPT
|
||||||
option forward REJECT
|
option forward REJECT
|
||||||
|
|
||||||
config zone
|
config zone
|
||||||
option name wan
|
option name wan
|
||||||
option input REJECT
|
option input REJECT
|
||||||
option output ACCEPT
|
option output ACCEPT
|
||||||
option forward REJECT
|
option forward REJECT
|
||||||
option masq 1
|
option masq 1
|
||||||
|
option mtu_fix 1
|
||||||
|
|
||||||
config forwarding
|
config forwarding
|
||||||
option src lan
|
option src lan
|
||||||
option dest wan
|
option dest wan
|
||||||
|
|
||||||
## Enable this option if you encounter any MTU problems
|
# We need to accept udp packets on port 68,
|
||||||
## e.g. some websites work, others do not, submitting
|
# see https://dev.openwrt.org/ticket/4108
|
||||||
## forms causes problems, ...
|
config rule
|
||||||
# option mtu_fix 1
|
option src wan
|
||||||
|
option proto udp
|
||||||
|
option dest_port 68
|
||||||
|
option target ACCEPT
|
||||||
|
option family ipv4
|
||||||
|
|
||||||
|
#Allow ping
|
||||||
|
config rule
|
||||||
|
option src wan
|
||||||
|
option proto icmp
|
||||||
|
option icmp_type echo-request
|
||||||
|
option target ACCEPT
|
||||||
|
|
||||||
|
#Allow access to local REST API on the wan itf
|
||||||
|
config rule
|
||||||
|
option src wan
|
||||||
|
option proto tcp
|
||||||
|
option dest_port 8080
|
||||||
|
option target ACCEPT
|
||||||
|
|
||||||
|
#Open up UDP port 5353 on the wan for avahi
|
||||||
|
config rule
|
||||||
|
option src wan
|
||||||
|
option proto udp
|
||||||
|
option dest_port 5353
|
||||||
|
option target ACCEPT
|
||||||
|
|
||||||
|
# include a file with users custom iptables rules
|
||||||
|
config include
|
||||||
|
option path /etc/firewall.user
|
||||||
|
|
||||||
|
|
||||||
### EXAMPLE CONFIG SECTIONS
|
### EXAMPLE CONFIG SECTIONS
|
||||||
# do not allow a specific ip to access wan
|
# do not allow a specific ip to access wan
|
||||||
#config rule
|
#config rule
|
||||||
# option src lan
|
# option src lan
|
||||||
# option src_ip 192.168.45.2
|
# option src_ip 192.168.45.2
|
||||||
# option dest wan
|
# option dest wan
|
||||||
# option proto tcp
|
# option proto tcp
|
||||||
# option target REJECT
|
# option target REJECT
|
||||||
|
|
||||||
# block a specific mac on wan
|
# block a specific mac on wan
|
||||||
#config rule
|
#config rule
|
||||||
# option dest wan
|
# option dest wan
|
||||||
# option src_mac 00:11:22:33:44:66
|
# option src_mac 00:11:22:33:44:66
|
||||||
# option target REJECT
|
# option target REJECT
|
||||||
|
|
||||||
# block incoming ICMP traffic on a zone
|
# block incoming ICMP traffic on a zone
|
||||||
#config rule
|
#config rule
|
||||||
# option src lan
|
# option src lan
|
||||||
# option proto ICMP
|
# option proto ICMP
|
||||||
# option target DROP
|
# option target DROP
|
||||||
|
|
||||||
# port redirect port coming in on wan to lan
|
# port redirect port coming in on wan to lan
|
||||||
#config redirect
|
#config redirect
|
||||||
# option src wan
|
# option src wan
|
||||||
# option src_dport 80
|
# option src_dport 80
|
||||||
# option dest lan
|
# option dest lan
|
||||||
# option dest_ip 192.168.16.235
|
# option dest_ip 192.168.16.235
|
||||||
# option dest_port 80
|
# option dest_port 80
|
||||||
# option proto tcp
|
# option proto tcp
|
||||||
|
|
||||||
# include a file with users custom iptables rules
|
|
||||||
config include
|
|
||||||
option path /etc/firewall.user
|
|
||||||
|
|
||||||
|
|
||||||
### FULL CONFIG SECTIONS
|
### FULL CONFIG SECTIONS
|
||||||
#config rule
|
#config rule
|
||||||
# option src lan
|
# option src lan
|
||||||
# option src lan
|
# option src_ip 192.168.45.2
|
||||||
# option src_ip 192.168.45.2
|
# option src_mac 00:11:22:33:44:55
|
||||||
# option src_mac 00:11:22:33:44:55
|
# option src_port 80
|
||||||
# option src_port 80
|
# option dest wan
|
||||||
# option dest wan
|
# option dest_ip 194.25.2.129
|
||||||
# option dest_ip 194.25.2.129
|
# option dest_port 120
|
||||||
# option dest_port 120
|
# option proto tcp
|
||||||
# option proto tcp
|
# option target REJECT
|
||||||
# option target REJECT
|
|
||||||
|
|
||||||
#config redirect
|
#config redirect
|
||||||
# option src lan
|
# option src lan
|
||||||
# option src_ip 192.168.45.2
|
# option src_ip 192.168.45.2
|
||||||
# option src_mac 00:11:22:33:44:55
|
# option src_mac 00:11:22:33:44:55
|
||||||
# option src_port 1024
|
# option src_port 1024
|
||||||
# option src_dport 80
|
# option src_dport 80
|
||||||
# option dest_ip 194.25.2.129
|
# option dest_ip 194.25.2.129
|
||||||
# option dest_port 120
|
# option dest_port 120
|
||||||
# option proto tcp
|
# option proto tcp
|
||||||
|
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue