@HerrSpace
Created March 16, 2020 21:05
diff --git a/config/firewall b/config/firewall
index 7be01d2..c14a034 100644
--- a/config/firewall
+++ b/config/firewall
@@ -1,195 +1,139 @@
+
config defaults
- option syn_flood 1
- option input ACCEPT
- option output ACCEPT
- option forward REJECT
-# Uncomment this line to disable ipv6 rules
-# option disable_ipv6 1
+ option syn_flood '1'
+ option input 'ACCEPT'
+ option output 'ACCEPT'
+ option forward 'REJECT'
config zone
- option name lan
- list network 'lan'
- option input ACCEPT
- option output ACCEPT
- option forward ACCEPT
+ option name 'lan'
+ option input 'ACCEPT'
+ option output 'ACCEPT'
+ option forward 'ACCEPT'
+ option network 'lan'
config zone
- option name wan
- list network 'wan'
- list network 'wan6'
- option input REJECT
- option output ACCEPT
- option forward REJECT
- option masq 1
- option mtu_fix 1
+ option name 'wan'
+ option input 'REJECT'
+ option output 'ACCEPT'
+ option forward 'REJECT'
+ option masq '1'
+ option mtu_fix '1'
+ option network 'wan wan6'
config forwarding
- option src lan
- option dest wan
+ option src 'lan'
+ option dest 'wan'
-# We need to accept udp packets on port 68,
-# see https://dev.openwrt.org/ticket/4108
config rule
- option name Allow-DHCP-Renew
- option src wan
- option proto udp
- option dest_port 68
- option target ACCEPT
- option family ipv4
-
-# Allow IPv4 ping
+ option name 'Allow-DHCP-Renew'
+ option src 'wan'
+ option proto 'udp'
+ option dest_port '68'
+ option target 'ACCEPT'
+ option family 'ipv4'
+
config rule
- option name Allow-Ping
- option src wan
- option proto icmp
- option icmp_type echo-request
- option family ipv4
- option target ACCEPT
+ option name 'Allow-Ping'
+ option src 'wan'
+ option proto 'icmp'
+ option icmp_type 'echo-request'
+ option family 'ipv4'
+ option target 'ACCEPT'
config rule
- option name Allow-IGMP
- option src wan
- option proto igmp
- option family ipv4
- option target ACCEPT
-
-# Allow DHCPv6 replies
-# see https://dev.openwrt.org/ticket/10381
+ option name 'Allow-IGMP'
+ option src 'wan'
+ option proto 'igmp'
+ option family 'ipv4'
+ option target 'ACCEPT'
+
config rule
- option name Allow-DHCPv6
- option src wan
- option proto udp
- option src_ip fe80::/10
- option src_port 547
- option dest_ip fe80::/10
- option dest_port 546
- option family ipv6
- option target ACCEPT
+ option name 'Allow-DHCPv6'
+ option src 'wan'
+ option proto 'udp'
+ option src_ip 'fe80::/10'
+ option src_port '547'
+ option dest_ip 'fe80::/10'
+ option dest_port '546'
+ option family 'ipv6'
+ option target 'ACCEPT'
config rule
- option name Allow-MLD
- option src wan
- option proto icmp
- option src_ip fe80::/10
- list icmp_type '130/0'
- list icmp_type '131/0'
- list icmp_type '132/0'
- list icmp_type '143/0'
- option family ipv6
- option target ACCEPT
-
-# Allow essential incoming IPv6 ICMP traffic
+ option name 'Allow-MLD'
+ option src 'wan'
+ option proto 'icmp'
+ option src_ip 'fe80::/10'
+ list icmp_type '130/0'
+ list icmp_type '131/0'
+ list icmp_type '132/0'
+ list icmp_type '143/0'
+ option family 'ipv6'
+ option target 'ACCEPT'
+
config rule
- option name Allow-ICMPv6-Input
- option src wan
- option proto icmp
- list icmp_type echo-request
- list icmp_type echo-reply
- list icmp_type destination-unreachable
- list icmp_type packet-too-big
- list icmp_type time-exceeded
- list icmp_type bad-header
- list icmp_type unknown-header-type
- list icmp_type router-solicitation
- list icmp_type neighbour-solicitation
- list icmp_type router-advertisement
- list icmp_type neighbour-advertisement
- option limit 1000/sec
- option family ipv6
- option target ACCEPT
-
-# Allow essential forwarded IPv6 ICMP traffic
+ option name 'Allow-ICMPv6-Input'
+ option src 'wan'
+ option proto 'icmp'
+ list icmp_type 'echo-request'
+ list icmp_type 'echo-reply'
+ list icmp_type 'destination-unreachable'
+ list icmp_type 'packet-too-big'
+ list icmp_type 'time-exceeded'
+ list icmp_type 'bad-header'
+ list icmp_type 'unknown-header-type'
+ list icmp_type 'router-solicitation'
+ list icmp_type 'neighbour-solicitation'
+ list icmp_type 'router-advertisement'
+ list icmp_type 'neighbour-advertisement'
+ option limit '1000/sec'
+ option family 'ipv6'
+ option target 'ACCEPT'
+
config rule
- option name Allow-ICMPv6-Forward
- option src wan
- option dest *
- option proto icmp
- list icmp_type echo-request
- list icmp_type echo-reply
- list icmp_type destination-unreachable
- list icmp_type packet-too-big
- list icmp_type time-exceeded
- list icmp_type bad-header
- list icmp_type unknown-header-type
- option limit 1000/sec
- option family ipv6
- option target ACCEPT
-
-# include a file with users custom iptables rules
+ option name 'Allow-ICMPv6-Forward'
+ option src 'wan'
+ option dest '*'
+ option proto 'icmp'
+ list icmp_type 'echo-request'
+ list icmp_type 'echo-reply'
+ list icmp_type 'destination-unreachable'
+ list icmp_type 'packet-too-big'
+ list icmp_type 'time-exceeded'
+ list icmp_type 'bad-header'
+ list icmp_type 'unknown-header-type'
+ option limit '1000/sec'
+ option family 'ipv6'
+ option target 'ACCEPT'
+
config include
- option path /etc/firewall.user
-
-
-### EXAMPLE CONFIG SECTIONS
-# do not allow a specific ip to access wan
-#config rule
-# option src lan
-# option src_ip 192.168.45.2
-# option dest wan
-# option proto tcp
-# option target REJECT
-
-# block a specific mac on wan
-#config rule
-# option dest wan
-# option src_mac 00:11:22:33:44:66
-# option target REJECT
-
-# block incoming ICMP traffic on a zone
-#config rule
-# option src lan
-# option proto ICMP
-# option target DROP
-
-# port redirect port coming in on wan to lan
-#config redirect
-# option src wan
-# option src_dport 80
-# option dest lan
-# option dest_ip 192.168.16.235
-# option dest_port 80
-# option proto tcp
-
-# port redirect of remapped ssh port (22001) on wan
-#config redirect
-# option src wan
-# option src_dport 22001
-# option dest lan
-# option dest_port 22
-# option proto tcp
-
-# allow IPsec/ESP and ISAKMP passthrough
+ option path '/etc/firewall.user'
+
+config rule
+ option src 'wan'
+ option dest 'lan'
+ option proto 'esp'
+ option target 'ACCEPT'
+
config rule
- option src wan
- option dest lan
- option proto esp
- option target ACCEPT
+ option src 'wan'
+ option dest 'lan'
+ option dest_port '500'
+ option proto 'udp'
+ option target 'ACCEPT'
+
+config zone
+ option name 'limited'
+ option input 'ACCEPT'
+ option forward 'REJECT'
+ option output 'ACCEPT'
+ option network 'limited_lan'
config rule
- option src wan
- option dest lan
- option dest_port 500
- option proto udp
- option target ACCEPT
-
-### FULL CONFIG SECTIONS
-#config rule
-# option src lan
-# option src_ip 192.168.45.2
-# option src_mac 00:11:22:33:44:55
-# option src_port 80
-# option dest wan
-# option dest_ip 194.25.2.129
-# option dest_port 120
-# option proto tcp
-# option target REJECT
-
-#config redirect
-# option src lan
-# option src_ip 192.168.45.2
-# option src_mac 00:11:22:33:44:55
-# option src_port 1024
-# option src_dport 80
-# option dest_ip 194.25.2.129
-# option dest_port 120
-# option proto tcp
+ option target 'ACCEPT'
+ option src 'limited'
+ option dest 'wan'
+ option name 'berlin-ccc-dns'
+ option proto 'all'
+ option dest_ip '213.73.91.35'
+
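Review bot: The new `limited` zone is declared with `option input 'ACCEPT'`, which lets every host on the limited VLAN reach any service listening on the router itself (SSH, LuCI, anything else bound to 10.23.42.1), so the zone is only "limited" for forwarded traffic; a guest-style zone normally has `option input 'REJECT'` plus explicit accept rules for the few router services it needs, presumably DHCP (and DNS, if the router is meant to resolve for that VLAN). The `berlin-ccc-dns` rule also opens `option proto 'all'` to 213.73.91.35, which is wider than its name suggests — if only DNS is intended, `option proto 'tcp udp'` and `option dest_port '53'` narrow it to that. The existing `berlin-ccc-dns` rule and the `config include` stanza are left as they are below.
```uci
config zone
	option name 'limited'
	option input 'REJECT'
	option forward 'REJECT'
	option output 'ACCEPT'
	option network 'limited_lan'

config rule
	option name 'limited-dhcp'
	option src 'limited'
	option proto 'udp'
	option dest_port '67'
	option target 'ACCEPT'

# … unchanged: berlin-ccc-dns rule (consider proto 'tcp udp' / dest_port '53') …
```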
diff --git a/config/network b/config/network
index e15871a..c9c5e4f 100644
--- a/config/network
+++ b/config/network
@@ -6,7 +6,7 @@ config interface 'loopback'
option netmask '255.0.0.0'
config globals 'globals'
- option ula_prefix 'fd45:46bf:26e1::/48'
+ option ula_prefix 'fd46:0848:2ff5::/48'
config interface 'lan'
option ifname 'eth0.1'
@@ -29,14 +29,28 @@ config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
+ option mirror_source_port '0'
+ option mirror_monitor_port '0'
+ option enable_vlan4k '1'
config switch_vlan
option device 'switch0'
option vlan '1'
- option ports '1 2 3 4 5t'
+ option ports '1 2 3 5t'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '0 5t'
+config switch_vlan
+ option device 'switch0'
+ option ports '4 5t'
+ option vlan '42'
+
+config interface 'limited_lan'
+ option proto 'static'
+ option ifname 'eth0.42'
+ option ipaddr '10.23.42.1'
+ option netmask '255.255.255.0'
+
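Review bot: The `option mirror_source_port '0'` / `option mirror_monitor_port '0'` pair added to the switch0 block looks like a LuCI-emitted default rather than an intended port-mirroring setup; as far as I know mirroring only takes effect when an enable_mirror_rx/enable_mirror_tx flag is also set, so today these lines do nothing but read as if traffic on port 0 were being copied somewhere. Dropping them keeps the switch block to what this change actually needs (`option enable_vlan4k '1'`, VLAN 42 on port 4, and port 4 removed from VLAN 1). Separately, `limited_lan` gets a static 10.23.42.1/24 address but no matching DHCP section appears in this diff — presumably it lives in config/dhcp outside the gist; worth confirming, since without it the firewall's `limited` zone has no clients to constrain.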