[openwrt] punch holes in the wan firewall zone for dhcp, avahi, ping and flukso rest api

This commit is contained in:
Bart Van Der Meerssche 2011-05-11 23:16:53 +02:00
parent 69d7922dab
commit ac6203f3fb
1 changed files with 86 additions and 60 deletions

View File

@ -1,87 +1,113 @@
config defaults
option syn_flood 1
option input ACCEPT
option output ACCEPT
option forward REJECT
option syn_flood 1
option input ACCEPT
option output ACCEPT
option forward REJECT
# Uncomment this line to disable ipv6 rules
# option disable_ipv6 1
config zone
option name lan
option input ACCEPT
option output ACCEPT
option forward REJECT
option name lan
option input ACCEPT
option output ACCEPT
option forward REJECT
config zone
option name wan
option input REJECT
option output ACCEPT
option forward REJECT
option masq 1
option name wan
option input REJECT
option output ACCEPT
option forward REJECT
option masq 1
option mtu_fix 1
config forwarding
option src lan
option dest wan
option src lan
option dest wan
## Enable this option if you encounter any MTU problems
## e.g. some websites work, others do not, submitting
## forms causes problems, ...
# option mtu_fix 1
# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
option src wan
option proto udp
option dest_port 68
option target ACCEPT
option family ipv4
#Allow ping
config rule
option src wan
option proto icmp
option icmp_type echo-request
option target ACCEPT
#Allow access to local REST API on the wan itf
config rule
option src wan
option proto tcp
option dest_port 8080
option target ACCEPT
#Open up UDP port 5353 on the wan for avahi
config rule
option src wan
option proto udp
option dest_port 5353
option target ACCEPT
# include a file with users custom iptables rules
config include
option path /etc/firewall.user
### EXAMPLE CONFIG SECTIONS
# do not allow a specific ip to access wan
#config rule
# option src lan
# option src_ip 192.168.45.2
# option dest wan
# option proto tcp
# option target REJECT
# option src lan
# option src_ip 192.168.45.2
# option dest wan
# option proto tcp
# option target REJECT
# block a specific mac on wan
#config rule
# option dest wan
# option src_mac 00:11:22:33:44:66
# option target REJECT
# option dest wan
# option src_mac 00:11:22:33:44:66
# option target REJECT
# block incoming ICMP traffic on a zone
#config rule
# option src lan
# option proto ICMP
# option target DROP
# option src lan
# option proto ICMP
# option target DROP
# port redirect port coming in on wan to lan
#config redirect
# option src wan
# option src_dport 80
# option dest lan
# option dest_ip 192.168.16.235
# option dest_port 80
# option proto tcp
# include a file with users custom iptables rules
config include
option path /etc/firewall.user
# option src wan
# option src_dport 80
# option dest lan
# option dest_ip 192.168.16.235
# option dest_port 80
# option proto tcp
### FULL CONFIG SECTIONS
#config rule
# option src lan
# option src lan
# option src_ip 192.168.45.2
# option src_mac 00:11:22:33:44:55
# option src_port 80
# option dest wan
# option dest_ip 194.25.2.129
# option dest_port 120
# option proto tcp
# option target REJECT
# option src lan
# option src_ip 192.168.45.2
# option src_mac 00:11:22:33:44:55
# option src_port 80
# option dest wan
# option dest_ip 194.25.2.129
# option dest_port 120
# option proto tcp
# option target REJECT
#config redirect
# option src lan
# option src_ip 192.168.45.2
# option src_mac 00:11:22:33:44:55
# option src_port 1024
# option src_dport 80
# option dest_ip 194.25.2.129
# option dest_port 120
# option proto tcp
# option src lan
# option src_ip 192.168.45.2
# option src_mac 00:11:22:33:44:55
# option src_port 1024
# option src_dport 80
# option dest_ip 194.25.2.129
# option dest_port 120
# option proto tcp