  1. root@OpenWrt:~# cat /etc/config/firewall
  2. config defaults
  3.     option syn_flood    1
  4.     option input        ACCEPT
  5.     option output       ACCEPT
  6.     option forward      REJECT
  7. # Uncomment this line to disable ipv6 rules
  8. #   option disable_ipv6 1
  9.  
  10. config zone
  11.     option name     lan
  12.     option network      'lan'
  13.     option input        ACCEPT
  14.     option output       ACCEPT
  15.     option forward      REJECT
  16.  
  17. config zone
  18.     option name     wan
  19.     option network      'wan vpn'
  20.     option input        REJECT
  21.     option output       ACCEPT
  22.     option forward      REJECT
  23.     option masq     1
  24.     option mtu_fix      1
  25.  
  26. config forwarding
  27.     option src          lan
  28.     option dest         wan
  29.  
  30. # We need to accept udp packets on port 68,
  31. # see https://dev.openwrt.org/ticket/4108
  32. config rule
  33.     option name     Allow-DHCP-Renew
  34.     option src      wan
  35.     option proto        udp
  36.     option dest_port    68
  37.     option target       ACCEPT
  38.     option family       ipv4
  39.  
  40. # Allow IPv4 ping
  41. config rule
  42.     option name     Allow-Ping
  43.     option src      wan
  44.     option proto        icmp
  45.     option icmp_type    echo-request
  46.     option family       ipv4
  47.     option target       ACCEPT
  48.  
  49. # Allow DHCPv6 replies
  50. # see https://dev.openwrt.org/ticket/10381
  51. config rule
  52.     option name     Allow-DHCPv6
  53.     option src      wan
  54.     option proto        udp
  55.     option src_ip       fe80::/10
  56.     option src_port     547
  57.     option dest_ip      fe80::/10
  58.     option dest_port    546
  59.     option family       ipv6
  60.     option target       ACCEPT
  61.  
  62. # Allow essential incoming IPv6 ICMP traffic
  63. config rule
  64.     option name     Allow-ICMPv6-Input
  65.     option src      wan
  66.     option proto    icmp
  67.     list icmp_type      echo-request
  68.     list icmp_type      destination-unreachable
  69.     list icmp_type      packet-too-big
  70.     list icmp_type      time-exceeded
  71.     list icmp_type      bad-header
  72.     list icmp_type      unknown-header-type
  73.     list icmp_type      router-solicitation
  74.     list icmp_type      neighbour-solicitation
  75.     list icmp_type      router-advertisement
  76.     list icmp_type      neighbour-advertisement
  77.     option limit        1000/sec
  78.     option family       ipv6
  79.     option target       ACCEPT
  80.  
  81. # Allow essential forwarded IPv6 ICMP traffic
  82. config rule                                  
  83.     option name     Allow-ICMPv6-Forward
  84.     option src      wan
  85.     option dest     *
  86.     option proto        icmp
  87.     list icmp_type      echo-request
  88.     list icmp_type      destination-unreachable
  89.     list icmp_type      packet-too-big
  90.     list icmp_type      time-exceeded
  91.     list icmp_type      bad-header
  92.     list icmp_type      unknown-header-type
  93.     option limit        1000/sec
  94.     option family       ipv6
  95.     option target       ACCEPT
  96.  
  97. # include a file with users custom iptables rules
  98. config include
  99.     option path /etc/firewall.user
  100.  
  101.  
  102. ### EXAMPLE CONFIG SECTIONS
  103. # do not allow a specific ip to access wan
  104. #config rule
  105. #   option src      lan
  106. #   option src_ip   192.168.45.2
  107. #   option dest     wan
  108. #   option proto    tcp
  109. #   option target   REJECT
  110.  
  111. # block a specific mac on wan
  112. #config rule
  113. #   option dest     wan
  114. #   option src_mac  00:11:22:33:44:66
  115. #   option target   REJECT
  116.  
  117. # block incoming ICMP traffic on a zone
  118. #config rule
  119. #   option src      lan
  120. #   option proto    ICMP
  121. #   option target   DROP
  122.  
  123. # port redirect port coming in on wan to lan
  124. #config redirect
  125. #   option src          wan
  126. #   option src_dport    80
  127. #   option dest         lan
  128. #   option dest_ip      192.168.16.235
  129. #   option dest_port    80
  130. #   option proto        tcp
  131.  
  132. config redirect
  133.     option src  wan
  134.     option src_dport    80
  135.     option dest lan
  136.     option dest_ip  192.168.1.131
  137.     option dest_port    80
  138.     option proto    tcpudp
  139.    
  140. config redirect
  141.     option src  wan
  142.     option src_dport    443
  143.     option dest     lan
  144.     option dest_ip      192.168.1.131
  145.     option dest_port    443
  146.     option proto        tcpudp
  147.    
  148. config redirect
  149.     option src  wan
  150.     option src_dport    5555
  151.     option dest_ip  192.168.1.131
  152.     option dest_port 22
  153.     option dest     lan
  154.     option target   DNAT
  155.     option proto tcp
  156. ### FULL CONFIG SECTIONS
  157. #config rule
  158. #   option src      lan
  159. #   option src_ip   192.168.45.2
  160. #   option src_mac  00:11:22:33:44:55
  161. #   option src_port 80
  162. #   option dest     wan
  163. #   option dest_ip  194.25.2.129
  164. #   option dest_port    120
  165. #   option proto    tcp
  166. #   option target   REJECT
  167.  
  168. #config redirect
  169. #   option src      lan
  170. #   option src_ip   192.168.45.2
  171. #   option src_mac  00:11:22:33:44:55
  172. #   option src_port     1024
  173. #   option src_dport    80
  174. #   option dest_ip  194.25.2.129
  175. #   option dest_port    120
  176. #   option proto    tcp