
Untitled

a guest
Jul 24th, 2025
  # Global defaults: the policy applied to traffic that no zone or rule claims.
  # Inbound and forwarded packets are rejected; traffic originated by the router is allowed.
  # syn_flood 1 switches on the firewall's SYN-flood protection.
  1. config defaults
  2. option syn_flood 1
  3. option input REJECT
  4. option output ACCEPT
  5. option forward REJECT
  6. # Uncomment the next line to disable IPv6 rules. It is commented out here,
  # so every "family ipv6" rule in this file is active.
  7. # option disable_ipv6 1
  8.  
  # lan zone: fully trusted. input ACCEPT lets every host on 'lan' reach any service
  # the router itself runs, which includes management interfaces if they listen there.
  # NOTE(review): devices that should not be trusted this far (guest, IoT) belong in a
  # separate zone with a stricter input policy.
  9. config zone
  10. option name lan
  11. list network 'lan'
  12. option input ACCEPT
  13. option output ACCEPT
  14. option forward ACCEPT
  15.  
  # wan zone: the untrusted side, covering both the 'wan' and 'wan6' networks.
  # input REJECT / forward REJECT: nothing unsolicited reaches the router or is forwarded
  # unless a rule further down accepts it. REJECT answers the sender with an error;
  # DROP discards silently and is a common alternative on an internet-facing zone.
  # masq 1 enables masquerading (source NAT) for this zone; mtu_fix 1 enables MSS clamping.
  # NOTE(review): masquerading normally applies to IPv4 only, so for wan6 it is the
  # forward REJECT policy, not NAT, that keeps inbound connections away from LAN hosts.
  # Confirm this for the firewall version in use.
  16. config zone
  17. option name wan
  18. list network 'wan'
  19. list network 'wan6'
  20. option input REJECT
  21. option output ACCEPT
  22. option forward REJECT
  23. option masq 1
  24. option mtu_fix 1
  25.  
  # The only inter-zone forwarding in this file: lan may send traffic out through wan.
  # There is no wan -> lan forwarding section, so forwarded traffic arriving from wan
  # is limited to what the explicit "config rule" sections accept.
  26. config forwarding
  27. option src lan
  28. option dest wan
  29.  
  30. # Accept UDP packets to port 68 (the DHCP client port) arriving on wan,
  31. # see https://dev.openwrt.org/ticket/4108
  # The rule has src but no dest, so it applies to traffic addressed to the router itself.
  # NOTE(review): only the destination port and address family are constrained; any
  # IPv4 source on wan may send UDP to port 68.
  32. config rule
  33. option name Allow-DHCP-Renew
  34. option src wan
  35. option proto udp
  36. option dest_port 68
  37. option target ACCEPT
  38. option family ipv4
  39.  
  40. # Allow IPv4 ping (ICMP echo-request) from wan to the router itself.
  # This makes the router answer pings from the internet. Unlike the ICMPv6 rules in
  # this file, no "option limit" is set, so the replies are not rate-limited by this rule.
  # NOTE(review): add a limit, or disable the rule, if the router should not be
  # discoverable by ping.
  41. config rule
  42. option name Allow-Ping
  43. option src wan
  44. option proto icmp
  45. option icmp_type echo-request
  46. option family ipv4
  47. option target ACCEPT
  48.  
  # Accept IPv4 IGMP (multicast group management) arriving on wan for the router itself.
  # NOTE(review): presumably only needed when the uplink delivers multicast, such as IPTV.
  # If it does not, this rule can be disabled to shrink the wan-facing surface.
  49. config rule
  50. option name Allow-IGMP
  51. option src wan
  52. option proto igmp
  53. option family ipv4
  54. option target ACCEPT
  55.  
  56. # Allow DHCPv6 replies: IPv6 UDP to port 546 (the DHCPv6 client port) on the router
  57. # see https://github.com/openwrt/openwrt/issues/5066
  # NOTE(review): the rule carries no src_ip or dest_ip, so any IPv6 source reachable
  # through wan may send UDP to port 546. Only the port and address family are constrained.
  58. config rule
  59. option name Allow-DHCPv6
  60. option src wan
  61. option proto udp
  62. option dest_port 546
  63. option family ipv6
  64. option target ACCEPT
  65.  
  # Accept Multicast Listener Discovery on wan for the router itself.
  # ICMPv6 types 130, 131, 132 and 143 are MLD query, report, done and MLDv2 report.
  # src_ip fe80::/10 limits the rule to link-local senders, i.e. on-link neighbours only.
  # "proto icmp" combined with "family ipv6" selects ICMPv6.
  66. config rule
  67. option name Allow-MLD
  68. option src wan
  69. option proto icmp
  70. option src_ip fe80::/10
  71. list icmp_type '130/0'
  72. list icmp_type '131/0'
  73. list icmp_type '132/0'
  74. list icmp_type '143/0'
  75. option family ipv6
  76. option target ACCEPT
  77.  
  78. # Allow essential incoming IPv6 ICMP traffic addressed to the router itself
  # The list covers echo, the ICMPv6 error messages (packet-too-big is what path MTU
  # discovery relies on) and the neighbour/router discovery messages.
  # "option limit 1000/sec" rate-limits matches; anything above the limit is not
  # accepted by this rule and falls through to the wan zone's input policy.
  # NOTE(review): unlike the MLD rule, no src_ip restricts the discovery messages to
  # link-local senders. Confirm that this is intended.
  79. config rule
  80. option name Allow-ICMPv6-Input
  81. option src wan
  82. option proto icmp
  83. list icmp_type echo-request
  84. list icmp_type echo-reply
  85. list icmp_type destination-unreachable
  86. list icmp_type packet-too-big
  87. list icmp_type time-exceeded
  88. list icmp_type bad-header
  89. list icmp_type unknown-header-type
  90. list icmp_type router-solicitation
  91. list icmp_type neighbour-solicitation
  92. list icmp_type router-advertisement
  93. list icmp_type neighbour-advertisement
  94. option limit 1000/sec
  95. option family ipv6
  96. option target ACCEPT
  97.  
  98. # Allow essential forwarded IPv6 ICMP traffic
  # src wan with dest * makes this a forwarding rule from wan into any zone.
  # Echo and the ICMPv6 error messages pass through to hosts behind the router,
  # rate-limited to 1000/sec. Neighbour/router discovery types are not forwarded.
  # NOTE(review): forwarding echo-request means hosts with global IPv6 addresses behind
  # the router answer pings from the internet. Drop that list entry if internal hosts
  # should not be discoverable this way, but keep the error types (notably
  # packet-too-big) so that IPv6 connectivity is not broken.
  99. config rule
  100. option name Allow-ICMPv6-Forward
  101. option src wan
  102. option dest *
  103. option proto icmp
  104. list icmp_type echo-request
  105. list icmp_type echo-reply
  106. list icmp_type destination-unreachable
  107. list icmp_type packet-too-big
  108. list icmp_type time-exceeded
  109. list icmp_type bad-header
  110. list icmp_type unknown-header-type
  111. option limit 1000/sec
  112. option family ipv6
  113. option target ACCEPT
  114.  
  # Forward IPsec ESP from wan to the lan zone.
  # No dest_ip and no family are given, so the rule is not limited to one host or one
  # address family. It matches ESP to every lan host.
  # NOTE(review): this is only useful when an IPsec endpoint sits behind the router.
  # Over IPv6, where lan hosts are directly addressable, it is an unconditional inbound
  # opening. If no such endpoint exists, disable the rule ("option enabled 0") or narrow
  # it with dest_ip.
  115. config rule
  116. option name Allow-IPSec-ESP
  117. option src wan
  118. option dest lan
  119. option proto esp
  120. option target ACCEPT
  121.  
  # Forward UDP port 500 (ISAKMP/IKE key exchange) from wan to the lan zone.
  # As written it applies to every lan host: there is no dest_ip and no family option.
  # NOTE(review): keep this only if an IPsec endpoint behind the router has to be
  # reachable from outside. Otherwise disable it ("option enabled 0") or pin it to
  # that endpoint with dest_ip.
  122. config rule
  123. option name Allow-ISAKMP
  124. option src wan
  125. option dest lan
  126. option dest_port 500
  127. option proto udp
  128. option target ACCEPT
  129.  