From 4a7eefce73a2246e7437119ea2b6904ae7d50503 Mon Sep 17 00:00:00 2001
From: Bin Lu
Date: Wed, 23 May 2018 10:33:18 +0800
Subject: enable image building for openwrt demo
Change-Id: Id464f064e9a7c4a55244c3cec4b3303a4ed0a889
Signed-off-by: Bin Lu
---
 .../1_buildimage/resources/config/firewall | 149 +++++++++++++++++++++
 1 file changed, 149 insertions(+)
 create mode 100644 src/arm/openwrt_demo/1_buildimage/resources/config/firewall
(limited to 'src/arm/openwrt_demo/1_buildimage/resources/config/firewall')
diff --git a/src/arm/openwrt_demo/1_buildimage/resources/config/firewall b/src/arm/openwrt_demo/1_buildimage/resources/config/firewall
new file mode 100644
index 0000000..faa8851
--- /dev/null
+++ b/src/arm/openwrt_demo/1_buildimage/resources/config/firewall
@@ -0,0 +1,149 @@
+
+config rule
+ option name '-testcustomer'
+ option src '*'
+ option src_ip '192.168.10.1/32'
+ option dest '*'
+ option dest_ip '151.101.0.0/16'
+ option target 'REJECT'
+
+config rule
+ option name 'Allow-DHCP-Renew'
+ option src 'wan'
+ option proto 'udp'
+ option dest_port '68'
+ option target 'ACCEPT'
+ option family 'ipv4'
+
+config rule
+ option name 'Allow-Ping'
+ option src 'wan'
+ option proto 'icmp'
+ option icmp_type 'echo-request'
+ option family 'ipv4'
+ option target 'ACCEPT'
+
+config rule
+ option name 'Allow-IGMP'
+ option src 'wan'
+ option proto 'igmp'
+ option family 'ipv4'
+ option target 'ACCEPT'
+
+config rule
+ option name 'Allow-DHCPv6'
+ option src 'wan'
+ option proto 'udp'
+ option src_ip 'fc00::/6'
+ option dest_ip 'fc00::/6'
+ option dest_port '546'
+ option family 'ipv6'
+ option target 'ACCEPT'
+
+config rule
+ option name 'Allow-MLD'
+ option src 'wan'
+ option proto 'icmp'
+ option src_ip 'fe80::/10'
+ list icmp_type '130/0'
+ list icmp_type '131/0'
+ list icmp_type '132/0'
+ list icmp_type '143/0'
+ option family 'ipv6'
+ option target 'ACCEPT'
+
+config rule
+ option name 'Allow-ICMPv6-Input'
+ option src 'wan'
+ option proto 'icmp'
+ list icmp_type 'echo-request'
+ list icmp_type 'echo-reply'
+ list icmp_type 'destination-unreachable'
+ list icmp_type 'packet-too-big'
+ list icmp_type 'time-exceeded'
+ list icmp_type 'bad-header'
+ list icmp_type 'unknown-header-type'
+ list icmp_type 'router-solicitation'
+ list icmp_type 'neighbour-solicitation'
+ list icmp_type 'router-advertisement'
+ list icmp_type 'neighbour-advertisement'
+ option limit '1000/sec'
+ option family 'ipv6'
+ option target 'ACCEPT'
+
+config rule
+ option name 'Allow-ICMPv6-Forward'
+ option src 'wan'
+ option dest '*'
+ option proto 'icmp'
+ list icmp_type 'echo-request'
+ list icmp_type 'echo-reply'
+ list icmp_type 'destination-unreachable'
+ list icmp_type 'packet-too-big'
+ list icmp_type 'time-exceeded'
+ list icmp_type 'bad-header'
+ list icmp_type 'unknown-header-type'
+ option limit '1000/sec'
+ option family 'ipv6'
+ option target 'ACCEPT'
+
+config rule
+ option target 'ACCEPT'
+ option src 'lan'
+ option proto 'esp'
+ option src_ip '192.168.10.0/24'
+ option dest '*'
+ option name 'ipsecin'
+
+config rule
+ option target 'ACCEPT'
+ option proto 'esp'
+ option src '*'
+ option dest 'lan'
+ option dest_ip '192.168.10.0/24'
+ option name 'ipsecout'
+
+config rule
+ option target 'ACCEPT'
+ option proto 'udp'
+ option src 'lan'
+ option dest_port '500'
+ option name 'ipsec'
+
+config rule
+ option target 'ACCEPT'
+ option name '-ipsecnat'
+ option proto 'udp'
+ option src 'lan'
+ option dest_port '4500'
+
+config defaults
+ option syn_flood '1'
+ option input 'ACCEPT'
+ option output 'ACCEPT'
+ option forward 'REJECT'
+
+config zone
+ option name 'lan'
+ list network 'lan'
+ option input 'ACCEPT'
+ option output 'ACCEPT'
+ option forward 'ACCEPT'
+
+config zone
+ option name 'wan'
+ list network 'wan'
+ list network 'wan6'
+ option input 'REJECT'
+ option output 'ACCEPT'
+ option forward 'REJECT'
+ option masq '1'
+ option mtu_fix '1'
+
+config forwarding
+ option src 'lan'
+ option dest 'wan'
+
+config include
+ option path '/etc/firewall.user'
+
--
cgit 1.2.3-korg
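Review bot: The first rule in the hunk, named '-testcustomer' (src '*' / dest '*', src_ip '192.168.10.1/32', dest_ip '151.101.0.0/16', target 'REJECT'), reads like a test artifact baked into the demo image's firewall, and neither the file nor the commit message says why one LAN host is cut off from that /16. Because both src and dest are set it applies to forwarded traffic; the ipsec rules suggest 192.168.10.0/24 is the LAN subnet, so if 192.168.10.1 is the router's own address the rule would presumably never match locally generated traffic — worth confirming the intent. Either drop the rule before the image is shipped or document it in place, e.g. `# Demo-only: REJECT forwarded traffic from 192.168.10.1 to 151.101.0.0/16; remove before reuse`. A similar one-line comment on the 'ipsecin'/'ipsecout'/'ipsec'/'-ipsecnat' group stating which IPsec peer and zones they are for would make the per-zone ESP/IKE exposure reviewable without reading the rest of the demo.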