author | Bin Lu <bin.lu@arm.com> | 2018-05-23 10:33:18 +0800 |
---|---|---|
committer | Bin Lu <bin.lu@arm.com> | 2018-05-23 10:34:26 +0800 |
commit | 4a7eefce73a2246e7437119ea2b6904ae7d50503 (patch) | |
tree | 66c2404d8dbb5d6568e27da72962b6ae7a268278 /src/arm/openwrt_demo/1_buildimage/resources/config/firewall | |
parent | b1f11b54803266384cf0d9e14fcb7204dbcc79a7 (diff) |
enable image building for openwrt demo
Change-Id: Id464f064e9a7c4a55244c3cec4b3303a4ed0a889
Signed-off-by: Bin Lu <bin.lu@arm.com>
Diffstat (limited to 'src/arm/openwrt_demo/1_buildimage/resources/config/firewall')
-rw-r--r-- | src/arm/openwrt_demo/1_buildimage/resources/config/firewall | 149 |
1 files changed, 149 insertions, 0 deletions
diff --git a/src/arm/openwrt_demo/1_buildimage/resources/config/firewall b/src/arm/openwrt_demo/1_buildimage/resources/config/firewall
new file mode 100644
index 0000000..faa8851
--- /dev/null
+++ b/src/arm/openwrt_demo/1_buildimage/resources/config/firewall
@@ -0,0 +1,149 @@
+
+config rule
+ option name '-testcustomer'
+ option src '*'
+ option src_ip '192.168.10.1/32'
+ option dest '*'
+ option dest_ip '151.101.0.0/16'
+ option target 'REJECT'
+
+config rule
+ option name 'Allow-DHCP-Renew'
+ option src 'wan'
+ option proto 'udp'
+ option dest_port '68'
+ option target 'ACCEPT'
+ option family 'ipv4'
+
+config rule
+ option name 'Allow-Ping'
+ option src 'wan'
+ option proto 'icmp'
+ option icmp_type 'echo-request'
+ option family 'ipv4'
+ option target 'ACCEPT'
+
+config rule
+ option name 'Allow-IGMP'
+ option src 'wan'
+ option proto 'igmp'
+ option family 'ipv4'
+ option target 'ACCEPT'
+
+config rule
+ option name 'Allow-DHCPv6'
+ option src 'wan'
+ option proto 'udp'
+ option src_ip 'fc00::/6'
+ option dest_ip 'fc00::/6'
+ option dest_port '546'
+ option family 'ipv6'
+ option target 'ACCEPT'
+
+config rule
+ option name 'Allow-MLD'
+ option src 'wan'
+ option proto 'icmp'
+ option src_ip 'fe80::/10'
+ list icmp_type '130/0'
+ list icmp_type '131/0'
+ list icmp_type '132/0'
+ list icmp_type '143/0'
+ option family 'ipv6'
+ option target 'ACCEPT'
+
+config rule
+ option name 'Allow-ICMPv6-Input'
+ option src 'wan'
+ option proto 'icmp'
+ list icmp_type 'echo-request'
+ list icmp_type 'echo-reply'
+ list icmp_type 'destination-unreachable'
+ list icmp_type 'packet-too-big'
+ list icmp_type 'time-exceeded'
+ list icmp_type 'bad-header'
+ list icmp_type 'unknown-header-type'
+ list icmp_type 'router-solicitation'
+ list icmp_type 'neighbour-solicitation'
+ list icmp_type 'router-advertisement'
+ list icmp_type 'neighbour-advertisement'
+ option limit '1000/sec'
+ option family 'ipv6'
+ option target 'ACCEPT'
+
+config rule
+ option name 'Allow-ICMPv6-Forward'
+ option src 'wan'
+ option dest '*'
+ option proto 'icmp'
+ list icmp_type 'echo-request'
+ list icmp_type 'echo-reply'
+ list icmp_type 'destination-unreachable'
+ list icmp_type 'packet-too-big'
+ list icmp_type 'time-exceeded'
+ list icmp_type 'bad-header'
+ list icmp_type 'unknown-header-type'
+ option limit '1000/sec'
+ option family 'ipv6'
+ option target 'ACCEPT'
+
+config rule
+ option target 'ACCEPT'
+ option src 'lan'
+ option proto 'esp'
+ option src_ip '192.168.10.0/24'
+ option dest '*'
+ option name 'ipsecin'
+
+config rule
+ option target 'ACCEPT'
+ option proto 'esp'
+ option src '*'
+ option dest 'lan'
+ option dest_ip '192.168.10.0/24'
+ option name 'ipsecout'
+
+config rule
+ option target 'ACCEPT'
+ option proto 'udp'
+ option src 'lan'
+ option dest_port '500'
+ option name 'ipsec'
+
+config rule
+ option target 'ACCEPT'
+ option name '-ipsecnat'
+ option proto 'udp'
+ option src 'lan'
+ option dest_port '4500'
+
+config defaults
+ option syn_flood '1'
+ option input 'ACCEPT'
+ option output 'ACCEPT'
+ option forward 'REJECT'
+
+config zone
+ option name 'lan'
+ list network 'lan'
+ option input 'ACCEPT'
+ option output 'ACCEPT'
+ option forward 'ACCEPT'
+
+config zone
+ option name 'wan'
+ list network 'wan'
+ list network 'wan6'
+ option input 'REJECT'
+ option output 'ACCEPT'
+ option forward 'REJECT'
+ option masq '1'
+ option mtu_fix '1'
+
+config forwarding
+ option src 'lan'
+ option dest 'wan'
+
+config include
+ option path '/etc/firewall.user'
+ |
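Review bot: The `ipsecout` rule accepts ESP from `option src '*'` into `192.168.10.0/24`, so it matches every zone including `wan` and any zone added later; if only the WAN side is meant, `option src 'wan'` says so and keeps the rule from widening silently. The `ipsec` and `-ipsecnat` rules set `src 'lan'` with no `dest`, which fw3 treats as input rules to the router itself, and the `lan` zone already has `input 'ACCEPT'`, so as written they appear to change nothing; either drop them or add a `#` comment stating which IKE/NAT-T traffic they are meant to cover. The first rule, `-testcustomer`, reads like a leftover test entry baked into the image, and with no `option proto` it presumably covers only TCP and UDP (the fw3 default), so other protocols to `151.101.0.0/16` would not be rejected. A one-line comment explaining that rule, or removing it from the demo config, would make the shipped policy easier to audit.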