
firewall

a guest
Dec 18th, 2013
  1. root@Router-wawa:~# cat /etc/config/firewall
  2.  
  # Global defaults: fallback policies for traffic that no zone or rule below handles.
  3. config defaults
  # Turns on the firewall's SYN-flood protection.
  4. option syn_flood '1'
  # NOTE(review): the fallback input policy is ACCEPT; only the 'wan' zone below
  # overrides it with REJECT. Confirm every WAN-facing interface (including any
  # VPN or tunnel interface) is assigned to a zone, otherwise it inherits ACCEPT.
  5. option input 'ACCEPT'
  6. option output 'ACCEPT'
  # Routed traffic is rejected unless a forwarding section or rule allows it.
  7. option forward 'REJECT'
  # NOTE(review): force_router_dns is not a stock OpenWrt firewall option; presumably
  # it is read by the Gargoyle script included further down in this file. Verify.
  8. option force_router_dns '1'
  9.  
  # LAN zone: traffic to and from the router is accepted; forwarding out of the
  # zone is rejected unless a forwarding section allows it (see lan -> wan below).
  10. config zone
  11. option name 'lan'
  12. list network 'lan'
  13. option input 'ACCEPT'
  14. option output 'ACCEPT'
  15. option forward 'REJECT'
  16.  
  # WAN zone: covers both the IPv4 ('wan') and IPv6 ('wan6') uplinks.
  17. config zone
  18. option name 'wan'
  19. list network 'wan'
  20. list network 'wan6'
  # Unsolicited traffic addressed to the router from WAN is rejected unless one of
  # the rules or remote_accept sections below explicitly accepts it.
  21. option input 'REJECT'
  22. option output 'ACCEPT'
  23. option forward 'REJECT'
  # masq enables masquerading (source NAT) for traffic leaving through this zone.
  24. option masq '1'
  # mtu_fix enables TCP MSS clamping on this zone.
  25. option mtu_fix '1'
  26.  
  # The only zone-to-zone forwarding in this file: lan may initiate traffic to wan.
  # There is no wan -> lan forwarding section, so inbound forwards depend entirely
  # on the explicit wan -> lan rules later in the file.
  27. config forwarding
  28. option src 'lan'
  29. option dest 'wan'
  30.  
  # Rules with a 'src' but no 'dest' apply to traffic addressed to the router itself.
  # Accept IPv4 DHCP replies to the client port (udp/68) so the WAN lease can renew.
  31. config rule
  32. option name 'Allow-DHCP-Renew'
  33. option src 'wan'
  34. option proto 'udp'
  35. option dest_port '68'
  36. option target 'ACCEPT'
  37. option family 'ipv4'
  38.  
  # The router answers IPv4 echo-request from WAN.
  # NOTE(review): no 'limit' is set here, unlike the ICMPv6 rules below which use
  # '1000/sec'. Decide whether WAN ping should be rate-limited or disabled.
  39. config rule
  40. option name 'Allow-Ping'
  41. option src 'wan'
  42. option proto 'icmp'
  43. option icmp_type 'echo-request'
  44. option family 'ipv4'
  45. option target 'ACCEPT'
  46.  
  # Accept DHCPv6 replies (server port 547 -> client port 546). Both source and
  # destination are restricted to link-local fe80::/10, so only on-link servers match.
  47. config rule
  48. option name 'Allow-DHCPv6'
  49. option src 'wan'
  50. option proto 'udp'
  51. option src_ip 'fe80::/10'
  52. option src_port '547'
  53. option dest_ip 'fe80::/10'
  54. option dest_port '546'
  55. option family 'ipv6'
  56. option target 'ACCEPT'
  57.  
  # ICMPv6 addressed to the router from WAN. The accepted types include the error
  # messages, echo, and the neighbour/router discovery types IPv6 needs on-link.
  # proto 'icmp' combined with family 'ipv6' is presumably mapped to ICMPv6 - confirm.
  58. config rule
  59. option name 'Allow-ICMPv6-Input'
  60. option src 'wan'
  61. option proto 'icmp'
  62. list icmp_type 'echo-request'
  63. list icmp_type 'echo-reply'
  64. list icmp_type 'destination-unreachable'
  65. list icmp_type 'packet-too-big'
  66. list icmp_type 'time-exceeded'
  67. list icmp_type 'bad-header'
  68. list icmp_type 'unknown-header-type'
  69. list icmp_type 'router-solicitation'
  70. list icmp_type 'neighbour-solicitation'
  71. list icmp_type 'router-advertisement'
  72. list icmp_type 'neighbour-advertisement'
  # Rate limit on matching packets.
  73. option limit '1000/sec'
  74. option family 'ipv6'
  75. option target 'ACCEPT'
  76.  
  # ICMPv6 forwarded from WAN to any zone (dest '*'). Only echo and error types are
  # listed; the neighbour/router discovery types from the input rule are not forwarded.
  77. config rule
  78. option name 'Allow-ICMPv6-Forward'
  79. option src 'wan'
  80. option dest '*'
  81. option proto 'icmp'
  82. list icmp_type 'echo-request'
  83. list icmp_type 'echo-reply'
  84. list icmp_type 'destination-unreachable'
  85. list icmp_type 'packet-too-big'
  86. list icmp_type 'time-exceeded'
  87. list icmp_type 'bad-header'
  88. list icmp_type 'unknown-header-type'
  89. option limit '1000/sec'
  90. option family 'ipv6'
  91. option target 'ACCEPT'
  92.  
  # Include sections pull external files into the firewall; reload '1' asks for them
  # to be re-applied on firewall reload as well as on start.
  # NOTE(review): these files are presumably executed with the firewall's (root)
  # privileges, so whatever they contain becomes part of the effective ruleset.
  # Confirm each path is root-owned and not writable by any other user, and review
  # their contents together with this file - the rules here are not the whole policy.
  93. config include
  94. option path '/etc/firewall.user'
  95. option reload '1'
  96.  
  # Gargoyle's own additions, run as a script for IPv4 only.
  97. config include
  98. option type 'script'
  99. option path '/usr/lib/gargoyle_firewall_util/gargoyle_additions.firewall'
  100. option family 'IPv4'
  101. option reload '1'
  102.  
  # miniupnpd hook.
  # NOTE(review): if the UPnP daemon is enabled, LAN hosts can presumably request
  # inbound port mappings that never appear in this file. Confirm UPnP is needed.
  103. config include 'miniupnpd'
  104. option type 'script'
  105. option path '/usr/share/miniupnpd/firewall.include'
  106. option family 'IPv4'
  107. option reload '1'
  108.  
  # OpenVPN-specific firewall additions; no 'type' or 'family' is set on this one.
  109. config include 'openvpn_include_file'
  110. option path '/etc/openvpn.firewall'
  111. option reload '1'
  112.  
  # 'remote_accept' is not a stock OpenWrt section type; presumably it is handled by
  # the Gargoyle include script above. Each section appears to accept connections
  # arriving on the WAN zone at remote_port and deliver them to the router's
  # local_port - verify against that script.
  #
  # NOTE(review): local port 443 reachable from WAN on port 444 looks like the web
  # admin interface exposed to the Internet. A non-standard port does not limit who
  # can connect. Confirm remote administration is required; if so, restrict it by
  # source address or reach it through the VPN listener below instead.
  113. config remote_accept 'ra_443_444'
  114. option local_port '443'
  115. option remote_port '444'
  116. option proto 'tcp'
  117. option zone 'wan'
  118.  
  # NOTE(review): local port 22 reachable from WAN on port 44 looks like SSH exposed
  # to the Internet. If it must stay open, confirm password logins are disabled
  # (key-only authentication) and consider a source-address restriction.
  119. config remote_accept 'ra_22_44'
  120. option local_port '22'
  121. option remote_port '44'
  122. option proto 'tcp'
  123. option zone 'wan'
  124.  
  # OpenVPN listener on udp/1194, same port on both sides.
  125. config remote_accept 'ra_openvpn'
  126. option zone 'wan'
  127. option local_port '1194'
  128. option remote_port '1194'
  129. option proto 'udp'
  130.  
  # The next five rules have both src 'wan' and dest 'lan', so they govern forwarded
  # traffic from WAN into the LAN (VPN pass-through protocols). None has a name.
  # NOTE(review): none sets 'dest_ip' or 'family', so each matches any LAN host and
  # may apply to IPv6 as well as IPv4. Over IPv6, LAN hosts can have globally
  # routable addresses that masquerading does not hide. Confirm which internal host
  # needs these protocols and narrow the rules with dest_ip (and family) accordingly.
  #
  # GRE (used by PPTP data channel).
  131. config rule
  132. option src 'wan'
  133. option dest 'lan'
  134. option proto 'gre'
  135. option target 'ACCEPT'
  136.  
  # Port 1723 (PPTP control channel).
  # NOTE(review): OpenWrt documents the combined protocol keyword as 'tcpudp';
  # verify that 'udptcp' is accepted by this firewall and not silently ignored or
  # widened. PPTP control uses TCP only, so 'tcp' would be the narrower choice.
  137. config rule
  138. option src 'wan'
  139. option dest 'lan'
  140. option proto 'udptcp'
  141. option dest_port '1723'
  142. option target 'ACCEPT'
  143.  
  # IPsec AH.
  144. config rule
  145. option src 'wan'
  146. option dest 'lan'
  147. option proto 'ah'
  148. option target 'ACCEPT'
  149.  
  # IPsec ESP.
  150. config rule
  151. option src 'wan'
  152. option dest 'lan'
  153. option proto 'esp'
  154. option target 'ACCEPT'
  155.  
  # udp/500 with source port also 500 (IKE between peers that are not port-translated).
  156. config rule
  157. option src 'wan'
  158. option dest 'lan'
  159. option proto 'udp'
  160. option src_port '500'
  161. option dest_port '500'
  162. option target 'ACCEPT'
  163.  
  # The remaining rules have src 'wan' and no 'dest', so they accept traffic
  # addressed to the router itself. They are labelled with '_name' rather than the
  # 'name' option used by the Allow-* rules earlier in the file.
  # NOTE(review): '_name' is presumably a UI-only label - confirm it is not expected
  # to behave like 'name'.
  #
  # IPsec NAT traversal: udp/4500.
  164. config rule
  165. option target 'ACCEPT'
  166. option _name 'IPsec NAT-T'
  167. option src 'wan'
  168. option proto 'udp'
  169. option dest_port '4500'
  170.  
  # IKE: udp/500.
  171. config rule
  172. option target 'ACCEPT'
  173. option _name 'IPsec IKE'
  174. option src 'wan'
  175. option proto 'udp'
  176.  option dest_port '500'
  177.  
  # NOTE(review): this rule is labelled 'IPsec ESP' but matches proto 'udp' with no
  # dest_port, src_ip or 'extra' restriction. As written it accepts every UDP packet
  # from WAN addressed to the router, which overrides the wan zone's input 'REJECT'
  # for all UDP services. ESP is its own IP protocol (50), not UDP; the wan -> lan
  # rule earlier in this file uses proto 'esp'. Confirm the intent and change the
  # protocol to 'esp', or remove the rule if NAT-T on udp/4500 is all that is needed.
  178. config rule
  179. option target 'ACCEPT'
  180. option _name 'IPsec ESP'
  181. option src 'wan'
  182. option proto 'udp'
  183.  
  # L2TP on udp/1701. The 'extra' arguments add an IPsec policy match, so only
  # packets that arrived inside an ESP-protected IPsec policy are accepted;
  # plain, unencrypted L2TP from WAN does not match.
  184. config rule
  185. option target 'ACCEPT'
  186. option _name 'L2TP ESP'
  187. option src 'wan'
  188. option proto 'udp'
  189. option dest_port '1701'
  190. option extra '-m policy --strict --dir in --pol ipsec --proto esp'