202 lines
4.1 KiB
Plaintext
202 lines
4.1 KiB
Plaintext
|
|
config defaults '1'
|
|
option syn_flood '1'
|
|
option input 'REJECT'
|
|
option output 'ACCEPT'
|
|
option forward 'REJECT'
|
|
option flow_offloading '0'
|
|
|
|
config zone '2'
|
|
option name 'lan'
|
|
list network 'lan'
|
|
option input 'ACCEPT'
|
|
option output 'ACCEPT'
|
|
option forward 'ACCEPT'
|
|
|
|
config zone '3'
|
|
option name 'wan'
|
|
option input 'REJECT'
|
|
option output 'ACCEPT'
|
|
option forward 'REJECT'
|
|
option masq '1'
|
|
option mtu_fix '1'
|
|
option network 'wan wan6 mob1s1a1 mob2s1a1'
|
|
|
|
config forwarding '4'
|
|
option src 'lan'
|
|
option dest 'wan'
|
|
|
|
config rule '5'
|
|
option name 'Allow-DHCP-Renew'
|
|
option src 'wan'
|
|
list proto 'udp'
|
|
option dest_port '68'
|
|
option target 'ACCEPT'
|
|
option family 'ipv4'
|
|
option priority '1'
|
|
|
|
config rule '6'
|
|
option name 'Allow-Ping'
|
|
option src 'wan'
|
|
list proto 'icmp'
|
|
option icmp_type 'echo-request'
|
|
option family 'ipv4'
|
|
option target 'ACCEPT'
|
|
option priority '2'
|
|
|
|
config rule '7'
|
|
option name 'Allow-IGMP'
|
|
option src 'wan'
|
|
list proto 'igmp'
|
|
option family 'ipv4'
|
|
option target 'ACCEPT'
|
|
option priority '3'
|
|
|
|
config rule '8'
|
|
option name 'Allow-DHCPv6'
|
|
option src 'wan'
|
|
list proto 'udp'
|
|
option src_ip 'fc00::/6'
|
|
option dest_ip 'fc00::/6'
|
|
option dest_port '546'
|
|
option family 'ipv6'
|
|
option target 'ACCEPT'
|
|
option priority '4'
|
|
|
|
config rule '9'
|
|
option name 'Allow-MLD'
|
|
option src 'wan'
|
|
list proto 'icmp'
|
|
option src_ip 'fe80::/10'
|
|
list icmp_type '130/0'
|
|
list icmp_type '131/0'
|
|
list icmp_type '132/0'
|
|
list icmp_type '143/0'
|
|
option family 'ipv6'
|
|
option target 'ACCEPT'
|
|
option priority '5'
|
|
|
|
config rule '10'
|
|
option name 'Allow-ICMPv6-Input'
|
|
option src 'wan'
|
|
list proto 'icmp'
|
|
list icmp_type 'echo-request'
|
|
list icmp_type 'echo-reply'
|
|
list icmp_type 'destination-unreachable'
|
|
list icmp_type 'packet-too-big'
|
|
list icmp_type 'time-exceeded'
|
|
list icmp_type 'bad-header'
|
|
list icmp_type 'unknown-header-type'
|
|
list icmp_type 'router-solicitation'
|
|
list icmp_type 'neighbour-solicitation'
|
|
list icmp_type 'router-advertisement'
|
|
list icmp_type 'neighbour-advertisement'
|
|
option limit '1000/sec'
|
|
option family 'ipv6'
|
|
option target 'ACCEPT'
|
|
option priority '6'
|
|
|
|
config rule '11'
|
|
option name 'Allow-ICMPv6-Forward'
|
|
option src 'wan'
|
|
option dest '*'
|
|
list proto 'icmp'
|
|
list icmp_type 'echo-request'
|
|
list icmp_type 'echo-reply'
|
|
list icmp_type 'destination-unreachable'
|
|
list icmp_type 'packet-too-big'
|
|
list icmp_type 'time-exceeded'
|
|
list icmp_type 'bad-header'
|
|
list icmp_type 'unknown-header-type'
|
|
option limit '1000/sec'
|
|
option family 'ipv6'
|
|
option target 'ACCEPT'
|
|
option priority '7'
|
|
|
|
config rule '12'
|
|
option name 'Allow-IPSec-ESP'
|
|
option src 'wan'
|
|
option dest 'lan'
|
|
list proto 'esp'
|
|
option target 'ACCEPT'
|
|
option priority '8'
|
|
|
|
config rule '13'
|
|
option name 'Allow-ISAKMP'
|
|
option src 'wan'
|
|
option dest 'lan'
|
|
option dest_port '500'
|
|
list proto 'udp'
|
|
option target 'ACCEPT'
|
|
option priority '9'
|
|
|
|
config include '14'
|
|
option path '/etc/firewall.user'
|
|
|
|
config rule '15'
|
|
option dest_port '22'
|
|
list proto 'tcp'
|
|
option name 'Enable_SSH_WAN'
|
|
option target 'ACCEPT'
|
|
option src 'wan'
|
|
option priority '10'
|
|
|
|
config rule '16'
|
|
list proto 'tcp'
|
|
option name 'Enable_HTTP_WAN'
|
|
option target 'ACCEPT'
|
|
option src 'wan'
|
|
option priority '11'
|
|
list dest_port '80'
|
|
|
|
config rule '17'
|
|
list proto 'tcp'
|
|
option name 'Enable_HTTPS_WAN'
|
|
option target 'ACCEPT'
|
|
option src 'wan'
|
|
option priority '12'
|
|
list dest_port '443'
|
|
|
|
config rule '18'
|
|
option dest_port '4200-4220'
|
|
list proto 'tcp'
|
|
option name 'Enable_CLI_WAN'
|
|
option target 'ACCEPT'
|
|
option src 'wan'
|
|
option enabled '0'
|
|
option priority '13'
|
|
|
|
config rule '19'
|
|
option src_port '5353'
|
|
option src 'lan'
|
|
option name 'Allow-mDNS'
|
|
option target 'ACCEPT'
|
|
list dest_ip '224.0.0.251'
|
|
option dest_port '5353'
|
|
list proto 'udp'
|
|
option priority '14'
|
|
|
|
config include 'pscan'
|
|
option port_scan '0'
|
|
option type 'script'
|
|
option reload '1'
|
|
option path '/usr/bin/attack_prevention'
|
|
|
|
config rule '20'
|
|
option src 'lan'
|
|
option name 'Block LAN'
|
|
option priority '15'
|
|
option dest 'wan'
|
|
option enabled '1'
|
|
list proto 'all'
|
|
option target 'DROP'
|
|
|
|
config rule '21'
|
|
option dest_port '502'
|
|
option proto 'tcp'
|
|
option name 'Enable_MODBUSD_WAN'
|
|
option target 'ACCEPT'
|
|
option src 'wan'
|
|
option enabled '1'
|
|
|