6 # Uncomment the following line to disable the IPv6 firewall rules (this does not by itself turn off IPv6 on the interfaces)
7 # option disable_ipv6 1
30 # We need to accept UDP packets on port 68 (DHCP client) so that lease renewals are not dropped,
31 # see https://dev.openwrt.org/ticket/4108
33 option name Allow-DHCP-Renew
42 option name Allow-Ping
45 option icmp_type echo-request
49 # Allow DHCPv6 replies
50 # see https://dev.openwrt.org/ticket/10381
52 option name Allow-DHCPv6
55 option src_ip fe80::/10
57 option dest_ip fe80::/10
62 # Allow essential incoming IPv6 ICMP traffic (neighbour discovery, path MTU discovery and error reporting rely on it)
64 option name Allow-ICMPv6-Input
67 list icmp_type echo-request
68 list icmp_type echo-reply
69 list icmp_type destination-unreachable
70 list icmp_type packet-too-big
71 list icmp_type time-exceeded
72 list icmp_type bad-header
73 list icmp_type unknown-header-type
74 list icmp_type router-solicitation
75 list icmp_type neighbour-solicitation
76 list icmp_type router-advertisement
77 list icmp_type neighbour-advertisement
82 # Allow essential forwarded IPv6 ICMP traffic
84 option name Allow-ICMPv6-Forward
88 list icmp_type echo-request
89 list icmp_type echo-reply
90 list icmp_type destination-unreachable
91 list icmp_type packet-too-big
92 list icmp_type time-exceeded
93 list icmp_type bad-header
94 list icmp_type unknown-header-type
99 # include a file with the user's custom iptables rules (the firewall runs it as a shell script, so keep it writable by root only)
101 option path /etc/firewall.user
104 ### EXAMPLE CONFIG SECTIONS
105 # do not allow a specific IP address to access the wan
108 # option src_ip 192.168.45.2
111 # option target REJECT
113 # block a specific MAC address on wan (MAC addresses can be spoofed, so do not rely on this as a strong control)
116 # option src_mac 00:11:22:33:44:66
117 # option target REJECT
119 # block incoming ICMP traffic on a zone
125 # redirect a port coming in on wan to a host on lan
128 # option src_dport 80
130 # option dest_ip 192.168.16.235
131 # option dest_port 80
134 # redirect a remapped SSH port (22001) on wan to port 22
137 # option src_dport 22001
139 # option dest_port 22
142 # allow IPsec/ESP and ISAKMP passthrough
146 # option protocol esp
147 # option target ACCEPT
152 # option src_port 500
153 # option dest_port 500
155 # option target ACCEPT
157 ### FULL CONFIG SECTIONS
160 # option src_ip 192.168.45.2
161 # option src_mac 00:11:22:33:44:55
164 # option dest_ip 194.25.2.129
165 # option dest_port 120
167 # option target REJECT
171 # option src_ip 192.168.45.2
172 # option src_mac 00:11:22:33:44:55
173 # option src_port 1024
174 # option src_dport 80
175 # option dest_ip 194.25.2.129
176 # option dest_port 120