diff options
Diffstat (limited to 'firewall/files')
-rw-r--r-- | firewall/files/firewall.config | 195 | ||||
-rw-r--r-- | firewall/files/firewall.hotplug | 11 | ||||
-rwxr-xr-x | firewall/files/firewall.init | 61 | ||||
-rw-r--r-- | firewall/files/firewall.user | 7 |
4 files changed, 0 insertions, 274 deletions
diff --git a/firewall/files/firewall.config b/firewall/files/firewall.config deleted file mode 100644 index 8874e98..0000000 --- a/firewall/files/firewall.config +++ /dev/null @@ -1,195 +0,0 @@ -config defaults - option syn_flood 1 - option input ACCEPT - option output ACCEPT - option forward REJECT -# Uncomment this line to disable ipv6 rules -# option disable_ipv6 1 - -config zone - option name lan - list network 'lan' - option input ACCEPT - option output ACCEPT - option forward ACCEPT - -config zone - option name wan - list network 'wan' - list network 'wan6' - option input REJECT - option output ACCEPT - option forward REJECT - option masq 1 - option mtu_fix 1 - -config forwarding - option src lan - option dest wan - -# We need to accept udp packets on port 68, -# see https://dev.openwrt.org/ticket/4108 -config rule - option name Allow-DHCP-Renew - option src wan - option proto udp - option dest_port 68 - option target ACCEPT - option family ipv4 - -# Allow IPv4 ping -config rule - option name Allow-Ping - option src wan - option proto icmp - option icmp_type echo-request - option family ipv4 - option target ACCEPT - -config rule - option name Allow-IGMP - option src wan - option proto igmp - option family ipv4 - option target ACCEPT - -# Allow DHCPv6 replies -# see https://dev.openwrt.org/ticket/10381 -config rule - option name Allow-DHCPv6 - option src wan - option proto udp - option src_ip fc00::/6 - option dest_ip fc00::/6 - option dest_port 546 - option family ipv6 - option target ACCEPT - -config rule - option name Allow-MLD - option src wan - option proto icmp - option src_ip fe80::/10 - list icmp_type '130/0' - list icmp_type '131/0' - list icmp_type '132/0' - list icmp_type '143/0' - option family ipv6 - option target ACCEPT - -# Allow essential incoming IPv6 ICMP traffic -config rule - option name Allow-ICMPv6-Input - option src wan - option proto icmp - list icmp_type echo-request - list icmp_type echo-reply - list icmp_type destination-unreachable - list icmp_type packet-too-big - list icmp_type time-exceeded - list icmp_type bad-header - list icmp_type unknown-header-type - list icmp_type router-solicitation - list icmp_type neighbour-solicitation - list icmp_type router-advertisement - list icmp_type neighbour-advertisement - option limit 1000/sec - option family ipv6 - option target ACCEPT - -# Allow essential forwarded IPv6 ICMP traffic -config rule - option name Allow-ICMPv6-Forward - option src wan - option dest * - option proto icmp - list icmp_type echo-request - list icmp_type echo-reply - list icmp_type destination-unreachable - list icmp_type packet-too-big - list icmp_type time-exceeded - list icmp_type bad-header - list icmp_type unknown-header-type - option limit 1000/sec - option family ipv6 - option target ACCEPT - -config rule - option name Allow-IPSec-ESP - option src wan - option dest lan - option proto esp - option target ACCEPT - -config rule - option name Allow-ISAKMP - option src wan - option dest lan - option dest_port 500 - option proto udp - option target ACCEPT - -# include a file with users custom iptables rules -config include - option path /etc/firewall.user - - -### EXAMPLE CONFIG SECTIONS -# do not allow a specific ip to access wan -#config rule -# option src lan -# option src_ip 192.168.45.2 -# option dest wan -# option proto tcp -# option target REJECT - -# block a specific mac on wan -#config rule -# option dest wan -# option src_mac 00:11:22:33:44:66 -# option target REJECT - -# block incoming ICMP traffic on a zone -#config rule -# option src lan -# option proto ICMP -# option target DROP - -# port redirect port coming in on wan to lan -#config redirect -# option src wan -# option src_dport 80 -# option dest lan -# option dest_ip 192.168.16.235 -# option dest_port 80 -# option proto tcp - -# port redirect of remapped ssh port (22001) on wan -#config redirect -# option src wan -# option src_dport 22001 -# option dest lan -# option dest_port 22 -# option proto tcp - -### FULL CONFIG SECTIONS -#config rule -# option src lan -# option src_ip 192.168.45.2 -# option src_mac 00:11:22:33:44:55 -# option src_port 80 -# option dest wan -# option dest_ip 194.25.2.129 -# option dest_port 120 -# option proto tcp -# option target REJECT - -#config redirect -# option src lan -# option src_ip 192.168.45.2 -# option src_mac 00:11:22:33:44:55 -# option src_port 1024 -# option src_dport 80 -# option dest_ip 194.25.2.129 -# option dest_port 120 -# option proto tcp diff --git a/firewall/files/firewall.hotplug b/firewall/files/firewall.hotplug deleted file mode 100644 index f1eab00..0000000 --- a/firewall/files/firewall.hotplug +++ /dev/null @@ -1,11 +0,0 @@ -#!/bin/sh - -[ "$ACTION" = ifup -o "$ACTION" = ifupdate ] || exit 0 -[ "$ACTION" = ifupdate -a -z "$IFUPDATE_ADDRESSES" -a -z "$IFUPDATE_DATA" ] && exit 0 - -/etc/init.d/firewall enabled || exit 0 - -fw3 -q network "$INTERFACE" >/dev/null || exit 0 - -logger -t firewall "Reloading firewall due to $ACTION of $INTERFACE ($DEVICE)" -fw3 -q reload diff --git a/firewall/files/firewall.init b/firewall/files/firewall.init deleted file mode 100755 index ee3ed1a..0000000 --- a/firewall/files/firewall.init +++ /dev/null @@ -1,61 +0,0 @@ -#!/bin/sh /etc/rc.common - -START=19 -USE_PROCD=1 -QUIET="" - -validate_firewall_redirect() -{ - uci_validate_section firewall redirect "${1}" \ - 'proto:or(uinteger, string)' \ - 'src:string' \ - 'src_ip:cidr' \ - 'src_dport:or(port, portrange)' \ - 'dest:string' \ - 'dest_ip:cidr' \ - 'dest_port:or(port, portrange)' \ - 'target:or("SNAT", "DNAT")' -} - -validate_firewall_rule() -{ - uci_validate_section firewall rule "${1}" \ - 'proto:or(uinteger, string)' \ - 'src:string' \ - 'dest:string' \ - 'src_port:or(port, portrange)' \ - 'dest_port:or(port, portrange)' \ - 'target:string' -} - -service_triggers() { - procd_add_reload_trigger firewall - - procd_open_validate - validate_firewall_redirect - validate_firewall_rule - procd_close_validate -} - -restart() { - fw3 restart -} - -start_service() { - fw3 ${QUIET} start -} - -stop_service() { - fw3 flush -} - -reload_service() { - fw3 reload -} - -boot() { - # Be silent on boot, firewall might be started by hotplug already, - # so don't complain in syslog. - QUIET=-q - start -} diff --git a/firewall/files/firewall.user b/firewall/files/firewall.user deleted file mode 100644 index 6f79906..0000000 --- a/firewall/files/firewall.user +++ /dev/null @@ -1,7 +0,0 @@ -# This file is interpreted as shell script. -# Put your custom iptables rules here, they will -# be executed with each firewall (re-)start. - -# Internal uci firewall chains are flushed and recreated on reload, so -# put custom rules into the root chains e.g. INPUT or FORWARD or into the -# special user chains, e.g. input_wan_rule or postrouting_lan_rule. |