
firewall

Apr 3rd, 2022
  # OpenWrt firewall configuration (UCI /etc/config/firewall syntax).
  # Five zones: lan, servers, guest, iot, wan. Global policy: traffic to and
  # from the router itself is accepted, inter-zone forwarding is rejected
  # unless a 'config forwarding' stanza or an explicit rule opens a path.
  1. config defaults
  2. option input 'ACCEPT'
  3. option output 'ACCEPT'
  # Rate-limits TCP SYNs aimed at the router itself.
  4. option synflood_protect '1'
  # Default inter-zone forward policy; only the forwardings listed below open paths.
  5. option forward 'REJECT'
  6.  
  # Trusted segment: full access to the router and between the zone's own networks.
  7. config zone
  8. list network 'lan'
  9. option input 'ACCEPT'
  10. option output 'ACCEPT'
  11. option forward 'ACCEPT'
  12. option name 'lan'
  13.  
  # Server segment: router-bound traffic rejected, forwarding between the zone's
  # own networks allowed; servers -> wan is granted by a forwarding stanza below.
  # Only UDP 67/68 is re-opened toward the router ('Servers - Allow DHCP'), so
  # hosts here cannot use the router as DNS resolver — fine only if they are
  # configured with external resolvers.
  14. config zone
  15. option output 'ACCEPT'
  16. option name 'servers'
  17. list network 'SERVER'
  # Logs packets rejected/dropped in this zone to the kernel log (logread);
  # accepted traffic, including the redirect below, is not logged by this option.
  18. option log '1'
  19. option forward 'ACCEPT'
  20. option input 'REJECT'
  21.  
  # Guest segment: isolated from the router except for the DHCP/DNS rule below;
  # the only forwarding granted to it is guest -> wan, nothing toward lan,
  # servers or iot.
  22. config zone
  23. option output 'ACCEPT'
  24. option name 'guest'
  25. option input 'REJECT'
  26. list network 'GUEST'
  27. option forward 'ACCEPT'
  28.  
  # NOTE(review): input 'ACCEPT' gives IOT hosts the same reach into every
  # service listening on the router as the trusted lan zone. The guest and
  # servers zones use input 'REJECT' plus explicit DHCP/DNS rules instead; the
  # same pattern here would keep IoT devices off the router's management plane.
  # No 'config forwarding' below has src 'iot', so IOT hosts cannot initiate
  # traffic to wan or any other zone; lan -> iot is opened one-way below and
  # replies flow back through connection tracking.
  29. config zone
  30. option input 'ACCEPT'
  31. option output 'ACCEPT'
  32. option forward 'REJECT'
  33. option name 'iot'
  34. list network 'IOT'
  35.  
  # Untrusted side: nothing initiated from the internet reaches the router or
  # is forwarded (input/forward REJECT) except what the 'src wan' rules and the
  # redirect at the end explicitly allow. masq = source NAT for outbound flows,
  # mtu_fix = TCP MSS clamping (typically needed on PPPoE or tunnel uplinks).
  36. config zone
  37. list network 'wan'
  38. list network 'wan6'
  39. option input 'REJECT'
  40. option output 'ACCEPT'
  41. option masq '1'
  42. option mtu_fix '1'
  43. option name 'wan'
  44. option forward 'REJECT'
  45.  
  # Inter-zone paths. Each stanza is one-directional for new connections; the
  # firewall is stateful, so replies to connections opened along these paths
  # are allowed without a reverse stanza. Everything not listed stays REJECT.
  46. config forwarding
  47. option src 'lan'
  48. option dest 'wan'
  49.  
  50. config forwarding
  51. option src 'lan'
  52. option dest 'iot'
  53.  
  54. config forwarding
  55. option src 'lan'
  56. option dest 'servers'
  57.  
  58. config forwarding
  59. option src 'guest'
  60. option dest 'wan'
  61.  
  62. config forwarding
  63. option src 'servers'
  64. option dest 'wan'
  65.  
  # The following 'src wan' rules match the stock OpenWrt defaults: the only
  # wan-facing exceptions are DHCP lease renewals, ping, IGMP, and the
  # DHCPv6 / MLD / ICMPv6 housekeeping IPv6 needs. ICMPv6 is rate-limited.
  66. config rule
  67. option name 'Allow-DHCP-Renew'
  68. option proto 'udp'
  69. option dest_port '68'
  70. option target 'ACCEPT'
  71. option family 'ipv4'
  72. option src 'wan'
  73.  
  74. config rule
  75. option name 'Allow-Ping'
  76. option proto 'icmp'
  77. option icmp_type 'echo-request'
  78. option family 'ipv4'
  79. option target 'ACCEPT'
  80. option src 'wan'
  81.  
  82. config rule
  83. option name 'Allow-IGMP'
  84. option proto 'igmp'
  85. option family 'ipv4'
  86. option target 'ACCEPT'
  87. option src 'wan'
  88.  
  89. config rule
  90. option name 'Allow-DHCPv6'
  91. option proto 'udp'
  92. option src_ip 'fc00::/6'
  93. option dest_ip 'fc00::/6'
  94. option dest_port '546'
  95. option family 'ipv6'
  96. option target 'ACCEPT'
  97. option src 'wan'
  98.  
  99. config rule
  100. option name 'Allow-MLD'
  101. option proto 'icmp'
  102. option src_ip 'fe80::/10'
  103. list icmp_type '130/0'
  104. list icmp_type '131/0'
  105. list icmp_type '132/0'
  106. list icmp_type '143/0'
  107. option family 'ipv6'
  108. option target 'ACCEPT'
  109. option src 'wan'
  110.  
  111. config rule
  112. option name 'Allow-ICMPv6-Input'
  113. option proto 'icmp'
  114. list icmp_type 'echo-request'
  115. list icmp_type 'echo-reply'
  116. list icmp_type 'destination-unreachable'
  117. list icmp_type 'packet-too-big'
  118. list icmp_type 'time-exceeded'
  119. list icmp_type 'bad-header'
  120. list icmp_type 'unknown-header-type'
  121. list icmp_type 'router-solicitation'
  122. list icmp_type 'neighbour-solicitation'
  123. list icmp_type 'router-advertisement'
  124. list icmp_type 'neighbour-advertisement'
  125. option limit '1000/sec'
  126. option family 'ipv6'
  127. option target 'ACCEPT'
  128. option src 'wan'
  129.  
  # dest '*' makes this a forward rule: the listed ICMPv6 types may transit
  # from wan into any zone (needed for IPv6 path MTU discovery to work).
  130. config rule
  131. option name 'Allow-ICMPv6-Forward'
  132. option dest '*'
  133. option proto 'icmp'
  134. list icmp_type 'echo-request'
  135. list icmp_type 'echo-reply'
  136. list icmp_type 'destination-unreachable'
  137. list icmp_type 'packet-too-big'
  138. list icmp_type 'time-exceeded'
  139. list icmp_type 'bad-header'
  140. list icmp_type 'unknown-header-type'
  141. option limit '1000/sec'
  142. option family 'ipv6'
  143. option target 'ACCEPT'
  144. option src 'wan'
  145.  
  # Both IPsec rules are stock defaults and forward ESP / UDP 500 from the
  # internet into lan (dest 'lan'). If no IPsec responder lives in lan they
  # only add exposure and can be removed.
  146. config rule
  147. option name 'Allow-IPSec-ESP'
  148. option proto 'esp'
  149. option target 'ACCEPT'
  150. option dest 'lan'
  151. option src 'wan'
  152.  
  153. config rule
  154. option name 'Allow-ISAKMP'
  155. option dest_port '500'
  156. option proto 'udp'
  157. option target 'ACCEPT'
  158. option dest 'lan'
  159. option src 'wan'
  160.  
  # Disabled (enabled '0'): would answer traceroute probes with REJECT instead
  # of silently dropping them.
  161. config rule
  162. option name 'Support-UDP-Traceroute'
  163. option dest_port '33434:33689'
  164. option proto 'udp'
  165. option family 'ipv4'
  166. option target 'REJECT'
  167. option enabled '0'
  168. option src 'wan'
  169.  
  # /etc/firewall.user is a shell script executed as root at every firewall
  # reload; anything added there bypasses the zone model above, so keep it
  # root-only writable and under change control.
  170. config include
  171. option path '/etc/firewall.user' # <== editor's note: empty
  172.  
  # No 'proto' given, so OpenWrt's default of TCP+UDP applies: this opens DNS
  # (53) and DHCP (67/68) from guest to the router only. 68 is the DHCP client
  # port; harmless here, but the router's DHCP server listens on 67.
  173. config rule
  174. option name 'Guest - Allow DHCP and DNS'
  175. option src 'guest'
  176. option dest_port '53 67 68'
  177. option target 'ACCEPT'
  178.  
  # Servers counterpart, restricted to UDP. Note it omits DNS (53); see the
  # servers zone comment.
  179. config rule
  180. option name 'Servers - Allow DHCP'
  181. list proto 'udp'
  182. option src 'servers'
  183. option target 'ACCEPT'
  184. option dest_port '67 68'
  185.  
  # Port forward from the internet into the SERVER segment
  # (wan:src_dport -> dest_ip:8000). Whatever listens on 8000 is directly
  # reachable from the internet; the servers zone's 'log' does not record
  # accepted traffic through this rule.
  # 'dest' must name the zone whose network actually contains dest_ip: the
  # firewall derives the wan -> <dest zone> forward-accept for the translated
  # flow from it, so a mismatch leaves the DNATed packets on the REJECT
  # default. That the rule reportedly only works with dest 'lan' suggests the
  # target host is reached via the lan network rather than SERVER — verify the
  # host's subnet/interface before relying on 'servers' here.
  # The dest_ip placeholder contains a single quote (SERVER's) that ends the
  # UCI string early; substitute the real address before loading this file.
  186. config redirect
  187. option target 'DNAT'
  188. option name 'Test'
  189. option src 'wan'
  190. option src_dport '[Arbitrary port]'
  191. option dest_ip '[Local address within SERVER's IP range]'
  192. option dest_port '8000'
  193. option dest 'servers' # <== editor's note: this works when its set to 'lan'
  194. option enabled '1'