6 # Uncomment the next line to disable IPv6 rules
7 # option disable_ipv6 1
29 # We need to accept UDP packets on port 68 (DHCP client) for lease renewals,
30 # see https://dev.openwrt.org/ticket/4108
32 option name Allow-DHCP-Renew
41 option name Allow-Ping
44 option icmp_type echo-request
48 # Allow DHCPv6 replies
49 # see https://dev.openwrt.org/ticket/10381
51 option name Allow-DHCPv6
54 option src_ip fe80::/10
56 option dest_ip fe80::/10
61 # Allow essential incoming IPv6 ICMP traffic
63 option name Allow-ICMPv6-Input
66 list icmp_type echo-request
67 list icmp_type echo-reply
68 list icmp_type destination-unreachable
69 list icmp_type packet-too-big
70 list icmp_type time-exceeded
71 list icmp_type bad-header
72 list icmp_type unknown-header-type
73 list icmp_type router-solicitation
74 list icmp_type neighbour-solicitation
75 list icmp_type router-advertisement
76 list icmp_type neighbour-advertisement
81 # Allow essential forwarded IPv6 ICMP traffic
83 option name Allow-ICMPv6-Forward
87 list icmp_type echo-request
88 list icmp_type echo-reply
89 list icmp_type destination-unreachable
90 list icmp_type packet-too-big
91 list icmp_type time-exceeded
92 list icmp_type bad-header
93 list icmp_type unknown-header-type
98 # Block ULA (unique local address, fc00::/7) traffic from leaking out
100 option name Enforce-ULA-Border-Src
104 option src_ip fc00::/7
109 option name Enforce-ULA-Border-Dest
113 option dest_ip fc00::/7
117 # include a file with the user's custom iptables rules
119 option path /etc/firewall.user
122 ### EXAMPLE CONFIG SECTIONS
123 # do not allow a specific ip to access wan
126 # option src_ip 192.168.45.2
129 # option target REJECT
131 # block a specific mac on wan
134 # option src_mac 00:11:22:33:44:66
135 # option target REJECT
137 # block incoming ICMP traffic on a zone
143 # redirect a port coming in on wan to a host on lan
146 # option src_dport 80
148 # option dest_ip 192.168.16.235
149 # option dest_port 80
152 # redirect the remapped ssh port (22001) on wan to port 22
155 # option src_dport 22001
157 # option dest_port 22
160 # allow IPsec/ESP and ISAKMP passthrough
164 # option protocol esp
165 # option target ACCEPT
170 # option src_port 500
171 # option dest_port 500
173 # option target ACCEPT
175 ### FULL CONFIG SECTIONS
178 # option src_ip 192.168.45.2
179 # option src_mac 00:11:22:33:44:55
182 # option dest_ip 194.25.2.129
183 # option dest_port 120
185 # option target REJECT
189 # option src_ip 192.168.45.2
190 # option src_mac 00:11:22:33:44:55
191 # option src_port 1024
192 # option src_dport 80
193 # option dest_ip 194.25.2.129
194 # option dest_port 120