From 82b6fdad3e720a59a8314e74a9b9f87775ec2514 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Karel=20Ko=C4=8D=C3=AD?= Date: Tue, 18 May 2021 22:56:05 +0200 Subject: firewall: remove for now --- firewall/files/firewall.config | 195 ----------------------------------------- 1 file changed, 195 deletions(-) delete mode 100644 firewall/files/firewall.config (limited to 'firewall/files/firewall.config') diff --git a/firewall/files/firewall.config b/firewall/files/firewall.config deleted file mode 100644 index 8874e98..0000000 --- a/firewall/files/firewall.config +++ /dev/null @@ -1,195 +0,0 @@ -config defaults - option syn_flood 1 - option input ACCEPT - option output ACCEPT - option forward REJECT -# Uncomment this line to disable ipv6 rules -# option disable_ipv6 1 - -config zone - option name lan - list network 'lan' - option input ACCEPT - option output ACCEPT - option forward ACCEPT - -config zone - option name wan - list network 'wan' - list network 'wan6' - option input REJECT - option output ACCEPT - option forward REJECT - option masq 1 - option mtu_fix 1 - -config forwarding - option src lan - option dest wan - -# We need to accept udp packets on port 68, -# see https://dev.openwrt.org/ticket/4108 -config rule - option name Allow-DHCP-Renew - option src wan - option proto udp - option dest_port 68 - option target ACCEPT - option family ipv4 - -# Allow IPv4 ping -config rule - option name Allow-Ping - option src wan - option proto icmp - option icmp_type echo-request - option family ipv4 - option target ACCEPT - -config rule - option name Allow-IGMP - option src wan - option proto igmp - option family ipv4 - option target ACCEPT - -# Allow DHCPv6 replies -# see https://dev.openwrt.org/ticket/10381 -config rule - option name Allow-DHCPv6 - option src wan - option proto udp - option src_ip fc00::/6 - option dest_ip fc00::/6 - option dest_port 546 - option family ipv6 - option target ACCEPT - -config rule - option name Allow-MLD - option src wan - option proto icmp - option src_ip fe80::/10 - list icmp_type '130/0' - list icmp_type '131/0' - list icmp_type '132/0' - list icmp_type '143/0' - option family ipv6 - option target ACCEPT - -# Allow essential incoming IPv6 ICMP traffic -config rule - option name Allow-ICMPv6-Input - option src wan - option proto icmp - list icmp_type echo-request - list icmp_type echo-reply - list icmp_type destination-unreachable - list icmp_type packet-too-big - list icmp_type time-exceeded - list icmp_type bad-header - list icmp_type unknown-header-type - list icmp_type router-solicitation - list icmp_type neighbour-solicitation - list icmp_type router-advertisement - list icmp_type neighbour-advertisement - option limit 1000/sec - option family ipv6 - option target ACCEPT - -# Allow essential forwarded IPv6 ICMP traffic -config rule - option name Allow-ICMPv6-Forward - option src wan - option dest * - option proto icmp - list icmp_type echo-request - list icmp_type echo-reply - list icmp_type destination-unreachable - list icmp_type packet-too-big - list icmp_type time-exceeded - list icmp_type bad-header - list icmp_type unknown-header-type - option limit 1000/sec - option family ipv6 - option target ACCEPT - -config rule - option name Allow-IPSec-ESP - option src wan - option dest lan - option proto esp - option target ACCEPT - -config rule - option name Allow-ISAKMP - option src wan - option dest lan - option dest_port 500 - option proto udp - option target ACCEPT - -# include a file with users custom iptables rules -config include - option path /etc/firewall.user - - -### EXAMPLE CONFIG SECTIONS -# do not allow a specific ip to access wan -#config rule -# option src lan -# option src_ip 192.168.45.2 -# option dest wan -# option proto tcp -# option target REJECT - -# block a specific mac on wan -#config rule -# option dest wan -# option src_mac 00:11:22:33:44:66 -# option target REJECT - -# block incoming ICMP traffic on a zone -#config rule -# option src lan -# option proto ICMP -# option target DROP - -# port redirect port coming in on wan to lan -#config redirect -# option src wan -# option src_dport 80 -# option dest lan -# option dest_ip 192.168.16.235 -# option dest_port 80 -# option proto tcp - -# port redirect of remapped ssh port (22001) on wan -#config redirect -# option src wan -# option src_dport 22001 -# option dest lan -# option dest_port 22 -# option proto tcp - -### FULL CONFIG SECTIONS -#config rule -# option src lan -# option src_ip 192.168.45.2 -# option src_mac 00:11:22:33:44:55 -# option src_port 80 -# option dest wan -# option dest_ip 194.25.2.129 -# option dest_port 120 -# option proto tcp -# option target REJECT - -#config redirect -# option src lan -# option src_ip 192.168.45.2 -# option src_mac 00:11:22:33:44:55 -# option src_port 1024 -# option src_dport 80 -# option dest_ip 194.25.2.129 -# option dest_port 120 -# option proto tcp -- cgit v1.2.3