summaryrefslogtreecommitdiffstats
path: root/src/arm/openwrt_demo/1_buildimage/resources/config/firewall
diff options
context:
space:
mode:
Diffstat (limited to 'src/arm/openwrt_demo/1_buildimage/resources/config/firewall')
-rw-r--r--src/arm/openwrt_demo/1_buildimage/resources/config/firewall149
1 files changed, 149 insertions, 0 deletions
diff --git a/src/arm/openwrt_demo/1_buildimage/resources/config/firewall b/src/arm/openwrt_demo/1_buildimage/resources/config/firewall
new file mode 100644
index 0000000..faa8851
--- /dev/null
+++ b/src/arm/openwrt_demo/1_buildimage/resources/config/firewall
@@ -0,0 +1,149 @@
+
+config rule
+ option name '-testcustomer'
+ option src '*'
+ option src_ip '192.168.10.1/32'
+ option dest '*'
+ option dest_ip '151.101.0.0/16'
+ option target 'REJECT'
+
+config rule
+ option name 'Allow-DHCP-Renew'
+ option src 'wan'
+ option proto 'udp'
+ option dest_port '68'
+ option target 'ACCEPT'
+ option family 'ipv4'
+
+config rule
+ option name 'Allow-Ping'
+ option src 'wan'
+ option proto 'icmp'
+ option icmp_type 'echo-request'
+ option family 'ipv4'
+ option target 'ACCEPT'
+
+config rule
+ option name 'Allow-IGMP'
+ option src 'wan'
+ option proto 'igmp'
+ option family 'ipv4'
+ option target 'ACCEPT'
+
+config rule
+ option name 'Allow-DHCPv6'
+ option src 'wan'
+ option proto 'udp'
+ option src_ip 'fc00::/6'
+ option dest_ip 'fc00::/6'
+ option dest_port '546'
+ option family 'ipv6'
+ option target 'ACCEPT'
+
+config rule
+ option name 'Allow-MLD'
+ option src 'wan'
+ option proto 'icmp'
+ option src_ip 'fe80::/10'
+ list icmp_type '130/0'
+ list icmp_type '131/0'
+ list icmp_type '132/0'
+ list icmp_type '143/0'
+ option family 'ipv6'
+ option target 'ACCEPT'
+
+config rule
+ option name 'Allow-ICMPv6-Input'
+ option src 'wan'
+ option proto 'icmp'
+ list icmp_type 'echo-request'
+ list icmp_type 'echo-reply'
+ list icmp_type 'destination-unreachable'
+ list icmp_type 'packet-too-big'
+ list icmp_type 'time-exceeded'
+ list icmp_type 'bad-header'
+ list icmp_type 'unknown-header-type'
+ list icmp_type 'router-solicitation'
+ list icmp_type 'neighbour-solicitation'
+ list icmp_type 'router-advertisement'
+ list icmp_type 'neighbour-advertisement'
+ option limit '1000/sec'
+ option family 'ipv6'
+ option target 'ACCEPT'
+
+config rule
+ option name 'Allow-ICMPv6-Forward'
+ option src 'wan'
+ option dest '*'
+ option proto 'icmp'
+ list icmp_type 'echo-request'
+ list icmp_type 'echo-reply'
+ list icmp_type 'destination-unreachable'
+ list icmp_type 'packet-too-big'
+ list icmp_type 'time-exceeded'
+ list icmp_type 'bad-header'
+ list icmp_type 'unknown-header-type'
+ option limit '1000/sec'
+ option family 'ipv6'
+ option target 'ACCEPT'
+
+config rule
+ option target 'ACCEPT'
+ option src 'lan'
+ option proto 'esp'
+ option src_ip '192.168.10.0/24'
+ option dest '*'
+ option name 'ipsecin'
+
+config rule
+ option target 'ACCEPT'
+ option proto 'esp'
+ option src '*'
+ option dest 'lan'
+ option dest_ip '192.168.10.0/24'
+ option name 'ipsecout'
+
+config rule
+ option target 'ACCEPT'
+ option proto 'udp'
+ option src 'lan'
+ option dest_port '500'
+ option name 'ipsec'
+
+config rule
+ option target 'ACCEPT'
+ option name '-ipsecnat'
+ option proto 'udp'
+ option src 'lan'
+ option dest_port '4500'
+
+config defaults
+ option syn_flood '1'
+ option input 'ACCEPT'
+ option output 'ACCEPT'
+ option forward 'REJECT'
+
+config zone
+ option name 'lan'
+ list network 'lan'
+ option input 'ACCEPT'
+ option output 'ACCEPT'
+ option forward 'ACCEPT'
+
+config zone
+ option name 'wan'
+ list network 'wan'
+ list network 'wan6'
+ option input 'REJECT'
+ option output 'ACCEPT'
+ option forward 'REJECT'
+ option masq '1'
+ option mtu_fix '1'
+
+config forwarding
+ option src 'lan'
+ option dest 'wan'
+
+config include
+ option path '/etc/firewall.user'
+