aredn/files/etc/config.mesh/firewall

265 lines
4.4 KiB
Plaintext

config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
option network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'wan'
option network 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
config zone
option name 'wifi'
option network 'wifi'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option mtu_fix '1'
config zone
option name 'dtdlink'
<dtdlink_interfaces>
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option mtu_fix '1'
config zone
option name 'vpn'
<vpn_interfaces>
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option mtu_fix '1'
config forwarding
option src 'lan'
option dest 'wan'
config forwarding
option src 'lan'
option dest 'wifi'
config forwarding
option src 'wifi'
option dest 'wifi'
config forwarding
option src 'lan'
option dest 'dtdlink'
config forwarding
option src 'wifi'
option dest 'dtdlink'
config forwarding
option src 'dtdlink'
option dest 'wifi'
config forwarding
option src 'dtdlink'
option dest 'dtdlink'
config forwarding
option src 'vpn'
option dest 'wifi'
config forwarding
option src 'wifi'
option dest 'vpn'
config forwarding
option src 'lan'
option dest 'vpn'
config forwarding
option src 'vpn'
option dest 'dtdlink'
config forwarding
option src 'dtdlink'
option dest 'vpn'
config forwarding
option src 'vpn'
option dest 'vpn'
config rule
option name 'Allow-Ping'
option src 'wifi'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-Ping'
option src 'dtdlink'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-Ping'
option src 'vpn'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config include
option path '/usr/local/bin/mesh-firewall'
option fw4_compatible '1'
config include
option path '/etc/firewall.user'
option fw4_compatible '1'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option src 'wifi'
option dest_port '2222'
option proto 'tcp'
option target 'ACCEPT'
config rule
option src 'wifi'
option dest_port '8080'
option proto 'tcp'
option target 'ACCEPT'
config rule
option src 'wifi'
option dest_port '80'
option proto 'tcp'
option target 'ACCEPT'
config rule
option src 'wifi'
option dest_port '698'
option proto 'udp'
option target 'ACCEPT'
config rule
option src 'wifi'
option dest_port '23'
option proto 'tcp'
option target 'ACCEPT'
config rule
option src 'dtdlink'
option dest_port '2222'
option proto 'tcp'
option target 'ACCEPT'
config rule
option src 'dtdlink'
option dest_port '8080'
option proto 'tcp'
option target 'ACCEPT'
config rule
option src 'dtdlink'
option dest_port '80'
option proto 'tcp'
option target 'ACCEPT'
config rule
option src 'dtdlink'
option dest_port '698'
option proto 'udp'
option target 'ACCEPT'
config rule
option src 'dtdlink'
option dest_port '23'
option proto 'tcp'
option target 'ACCEPT'
config rule
option src 'vpn'
option dest_port '2222'
option proto 'tcp'
option target 'ACCEPT'
config rule
option src 'vpn'
option dest_port '8080'
option proto 'tcp'
option target 'ACCEPT'
config rule
option src 'vpn'
option dest_port '80'
option proto 'tcp'
option target 'ACCEPT'
config rule
option src 'vpn'
option dest_port '698'
option proto 'udp'
option target 'ACCEPT'
config rule
option src 'vpn'
option dest_port '23'
option proto 'tcp'
option target 'ACCEPT'
config rule
option src 'wifi'
option dest_port '161'
option proto 'udp'
option target 'ACCEPT'
config rule
option src 'dtdlink'
option dest_port '161'
option proto 'udp'
option target 'ACCEPT'
config rule
option src 'vpn'
option dest_port '161'
option proto 'udp'
option target 'ACCEPT'
config rule
option src 'wifi'
option dest_port '9090'
option proto 'tcp'
option target 'ACCEPT'
config rule
option src 'dtdlink'
option dest_port '9090'
option proto 'tcp'
option target 'ACCEPT'
config rule
option src 'vpn'
option dest_port '9090'
option proto 'tcp'
option target 'ACCEPT'