summaryrefslogtreecommitdiff
path: root/firewall/files
diff options
context:
space:
mode:
Diffstat (limited to 'firewall/files')
-rw-r--r--firewall/files/firewall.config195
-rw-r--r--firewall/files/firewall.hotplug11
-rwxr-xr-xfirewall/files/firewall.init61
-rw-r--r--firewall/files/firewall.user7
4 files changed, 0 insertions, 274 deletions
diff --git a/firewall/files/firewall.config b/firewall/files/firewall.config
deleted file mode 100644
index 8874e98..0000000
--- a/firewall/files/firewall.config
+++ /dev/null
@@ -1,195 +0,0 @@
-config defaults
- option syn_flood 1
- option input ACCEPT
- option output ACCEPT
- option forward REJECT
-# Uncomment this line to disable ipv6 rules
-# option disable_ipv6 1
-
-config zone
- option name lan
- list network 'lan'
- option input ACCEPT
- option output ACCEPT
- option forward ACCEPT
-
-config zone
- option name wan
- list network 'wan'
- list network 'wan6'
- option input REJECT
- option output ACCEPT
- option forward REJECT
- option masq 1
- option mtu_fix 1
-
-config forwarding
- option src lan
- option dest wan
-
-# We need to accept udp packets on port 68,
-# see https://dev.openwrt.org/ticket/4108
-config rule
- option name Allow-DHCP-Renew
- option src wan
- option proto udp
- option dest_port 68
- option target ACCEPT
- option family ipv4
-
-# Allow IPv4 ping
-config rule
- option name Allow-Ping
- option src wan
- option proto icmp
- option icmp_type echo-request
- option family ipv4
- option target ACCEPT
-
-config rule
- option name Allow-IGMP
- option src wan
- option proto igmp
- option family ipv4
- option target ACCEPT
-
-# Allow DHCPv6 replies
-# see https://dev.openwrt.org/ticket/10381
-config rule
- option name Allow-DHCPv6
- option src wan
- option proto udp
- option src_ip fc00::/6
- option dest_ip fc00::/6
- option dest_port 546
- option family ipv6
- option target ACCEPT
-
-config rule
- option name Allow-MLD
- option src wan
- option proto icmp
- option src_ip fe80::/10
- list icmp_type '130/0'
- list icmp_type '131/0'
- list icmp_type '132/0'
- list icmp_type '143/0'
- option family ipv6
- option target ACCEPT
-
-# Allow essential incoming IPv6 ICMP traffic
-config rule
- option name Allow-ICMPv6-Input
- option src wan
- option proto icmp
- list icmp_type echo-request
- list icmp_type echo-reply
- list icmp_type destination-unreachable
- list icmp_type packet-too-big
- list icmp_type time-exceeded
- list icmp_type bad-header
- list icmp_type unknown-header-type
- list icmp_type router-solicitation
- list icmp_type neighbour-solicitation
- list icmp_type router-advertisement
- list icmp_type neighbour-advertisement
- option limit 1000/sec
- option family ipv6
- option target ACCEPT
-
-# Allow essential forwarded IPv6 ICMP traffic
-config rule
- option name Allow-ICMPv6-Forward
- option src wan
- option dest *
- option proto icmp
- list icmp_type echo-request
- list icmp_type echo-reply
- list icmp_type destination-unreachable
- list icmp_type packet-too-big
- list icmp_type time-exceeded
- list icmp_type bad-header
- list icmp_type unknown-header-type
- option limit 1000/sec
- option family ipv6
- option target ACCEPT
-
-config rule
- option name Allow-IPSec-ESP
- option src wan
- option dest lan
- option proto esp
- option target ACCEPT
-
-config rule
- option name Allow-ISAKMP
- option src wan
- option dest lan
- option dest_port 500
- option proto udp
- option target ACCEPT
-
-# include a file with users custom iptables rules
-config include
- option path /etc/firewall.user
-
-
-### EXAMPLE CONFIG SECTIONS
-# do not allow a specific ip to access wan
-#config rule
-# option src lan
-# option src_ip 192.168.45.2
-# option dest wan
-# option proto tcp
-# option target REJECT
-
-# block a specific mac on wan
-#config rule
-# option dest wan
-# option src_mac 00:11:22:33:44:66
-# option target REJECT
-
-# block incoming ICMP traffic on a zone
-#config rule
-# option src lan
-# option proto ICMP
-# option target DROP
-
-# port redirect port coming in on wan to lan
-#config redirect
-# option src wan
-# option src_dport 80
-# option dest lan
-# option dest_ip 192.168.16.235
-# option dest_port 80
-# option proto tcp
-
-# port redirect of remapped ssh port (22001) on wan
-#config redirect
-# option src wan
-# option src_dport 22001
-# option dest lan
-# option dest_port 22
-# option proto tcp
-
-### FULL CONFIG SECTIONS
-#config rule
-# option src lan
-# option src_ip 192.168.45.2
-# option src_mac 00:11:22:33:44:55
-# option src_port 80
-# option dest wan
-# option dest_ip 194.25.2.129
-# option dest_port 120
-# option proto tcp
-# option target REJECT
-
-#config redirect
-# option src lan
-# option src_ip 192.168.45.2
-# option src_mac 00:11:22:33:44:55
-# option src_port 1024
-# option src_dport 80
-# option dest_ip 194.25.2.129
-# option dest_port 120
-# option proto tcp
diff --git a/firewall/files/firewall.hotplug b/firewall/files/firewall.hotplug
deleted file mode 100644
index f1eab00..0000000
--- a/firewall/files/firewall.hotplug
+++ /dev/null
@@ -1,11 +0,0 @@
-#!/bin/sh
-
-[ "$ACTION" = ifup -o "$ACTION" = ifupdate ] || exit 0
-[ "$ACTION" = ifupdate -a -z "$IFUPDATE_ADDRESSES" -a -z "$IFUPDATE_DATA" ] && exit 0
-
-/etc/init.d/firewall enabled || exit 0
-
-fw3 -q network "$INTERFACE" >/dev/null || exit 0
-
-logger -t firewall "Reloading firewall due to $ACTION of $INTERFACE ($DEVICE)"
-fw3 -q reload
diff --git a/firewall/files/firewall.init b/firewall/files/firewall.init
deleted file mode 100755
index ee3ed1a..0000000
--- a/firewall/files/firewall.init
+++ /dev/null
@@ -1,61 +0,0 @@
-#!/bin/sh /etc/rc.common
-
-START=19
-USE_PROCD=1
-QUIET=""
-
-validate_firewall_redirect()
-{
- uci_validate_section firewall redirect "${1}" \
- 'proto:or(uinteger, string)' \
- 'src:string' \
- 'src_ip:cidr' \
- 'src_dport:or(port, portrange)' \
- 'dest:string' \
- 'dest_ip:cidr' \
- 'dest_port:or(port, portrange)' \
- 'target:or("SNAT", "DNAT")'
-}
-
-validate_firewall_rule()
-{
- uci_validate_section firewall rule "${1}" \
- 'proto:or(uinteger, string)' \
- 'src:string' \
- 'dest:string' \
- 'src_port:or(port, portrange)' \
- 'dest_port:or(port, portrange)' \
- 'target:string'
-}
-
-service_triggers() {
- procd_add_reload_trigger firewall
-
- procd_open_validate
- validate_firewall_redirect
- validate_firewall_rule
- procd_close_validate
-}
-
-restart() {
- fw3 restart
-}
-
-start_service() {
- fw3 ${QUIET} start
-}
-
-stop_service() {
- fw3 flush
-}
-
-reload_service() {
- fw3 reload
-}
-
-boot() {
- # Be silent on boot, firewall might be started by hotplug already,
- # so don't complain in syslog.
- QUIET=-q
- start
-}
diff --git a/firewall/files/firewall.user b/firewall/files/firewall.user
deleted file mode 100644
index 6f79906..0000000
--- a/firewall/files/firewall.user
+++ /dev/null
@@ -1,7 +0,0 @@
-# This file is interpreted as shell script.
-# Put your custom iptables rules here, they will
-# be executed with each firewall (re-)start.
-
-# Internal uci firewall chains are flushed and recreated on reload, so
-# put custom rules into the root chains e.g. INPUT or FORWARD or into the
-# special user chains, e.g. input_wan_rule or postrouting_lan_rule.