diff options
| author | makefu <github@syntax-fehler.de> | 2013-01-14 14:46:22 +0100 |
|---|---|---|
| committer | makefu <github@syntax-fehler.de> | 2013-01-14 14:46:22 +0100 |
| commit | dbe2d838ba6834788265029162b2dd7d82473335 (patch) | |
| tree | a4eb38f7fc91d91269b6f83453de62242c6ddc23 /minikrebs/profiles/rickroller_bare/customfiles/etc/config/firewall | |
| parent | 5a782f6c8f7923f9f415afd504ce6e71acbc7fef (diff) | |
| parent | abf9916bc1add17888308877fa4eb9da330297ef (diff) | |
Merge branch 'master' of github.com:krebscode/painload
Conflicts:
god/temper/Makefile
god/temper/collectd-temper.sh
Diffstat (limited to 'minikrebs/profiles/rickroller_bare/customfiles/etc/config/firewall')
| -rw-r--r-- | minikrebs/profiles/rickroller_bare/customfiles/etc/config/firewall | 112 |
1 files changed, 112 insertions, 0 deletions
diff --git a/minikrebs/profiles/rickroller_bare/customfiles/etc/config/firewall b/minikrebs/profiles/rickroller_bare/customfiles/etc/config/firewall new file mode 100644 index 00000000..56f20aa7 --- /dev/null +++ b/minikrebs/profiles/rickroller_bare/customfiles/etc/config/firewall @@ -0,0 +1,112 @@ +config defaults + option syn_flood 1 + option input ACCEPT + option output ACCEPT + option forward REJECT + +config zone + option name lan + option network 'lan' + option input ACCEPT + option output ACCEPT + option forward REJECT + +config zone + option name wan + option network 'wan' + option input ACCEPT + option output ACCEPT + option forward REJECT + option masq 1 + option mtu_fix 1 + +config forwarding + option src lan + option dest wan + +# We need to accept udp packets on port 68, +# see https://dev.openwrt.org/ticket/4108 +config rule + option name Allow-DHCP-Renew + option src wan + option proto udp + option dest_port 68 + option target ACCEPT + option family ipv4 + +# Allow IPv4 ping +config rule + option name Allow-Ping + option src wan + option proto icmp + option icmp_type echo-request + option family ipv4 + option target ACCEPT + +# Allow DHCPv6 replies +# see https://dev.openwrt.org/ticket/10381 +config rule + option name Allow-DHCPv6 + option src wan + option proto udp + option src_ip fe80::/10 + option src_port 547 + option dest_ip fe80::/10 + option dest_port 546 + option family ipv6 + option target ACCEPT + +# Allow essential incoming IPv6 ICMP traffic +config rule + option name Allow-ICMPv6-Input + option src wan + option proto icmp + list icmp_type echo-request + list icmp_type echo-reply + list icmp_type destination-unreachable + list icmp_type packet-too-big + list icmp_type time-exceeded + list icmp_type bad-header + list icmp_type unknown-header-type + list icmp_type router-solicitation + list icmp_type neighbour-solicitation + list icmp_type router-advertisement + list icmp_type neighbour-advertisement + option limit 1000/sec + option family ipv6 + option target ACCEPT + +# Allow essential forwarded IPv6 ICMP traffic +config rule + option name Allow-ICMPv6-Forward + option src wan + option dest * + option proto icmp + list icmp_type echo-request + list icmp_type echo-reply + list icmp_type destination-unreachable + list icmp_type packet-too-big + list icmp_type time-exceeded + list icmp_type bad-header + list icmp_type unknown-header-type + option limit 1000/sec + option family ipv6 + option target ACCEPT + +config redirect + option src lan + option proto tcp + option src_dport 80 + option src_ip !192.168.23.1 + option dest_port 80 + option dest_ip 192.168.23.1 + option target DNAT + +config redirect + option src lan + option proto tcp + option src_dport 443 + option src_ip !192.168.23.1 + option dest_port 443 + option dest_ip 192.168.23.1 + option target DNAT |