# OpenWrt firewall configuration in UCI syntax (conventionally /etc/config/firewall).
# Layout: global defaults, four zones (wifi0, wifi1, lan, wan), zone-to-zone
# forwardings, then per-service rules for traffic arriving from 'wan'.
# In the rules below, a rule with 'src' but no 'dest' applies to traffic addressed
# to the router itself; a rule with both 'src' and 'dest' applies to forwarded traffic.

# Global defaults: SYN-flood protection on; forwarded traffic is rejected unless
# a zone, forwarding or rule below allows it.
config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

# Zone for the 'wifi0' network.
# NOTE(review): input 'ACCEPT' lets every client on wifi0 reach every service
# listening on the router (SSH, web UI, DNS, ...). If wifi0 is a guest or
# otherwise untrusted SSID, prefer input 'REJECT' plus explicit DHCP/DNS rules.
# Trust level of this network is not visible from this file - confirm.
config zone
	option name 'wifi0'
	list network 'wifi0'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

# wifi0 clients may go out to wan. No wifi0 -> lan forwarding is defined in this file.
config forwarding
	option src 'wifi0'
	option dest 'wan'

# Zone for the 'wifi1' network; same policy as wifi0.
# NOTE(review): same input 'ACCEPT' caveat as for wifi0 applies here.
config zone
	option name 'wifi1'
	list network 'wifi1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

# wifi1 clients may go out to wan. No wifi1 -> lan forwarding is defined in this file.
config forwarding
	option src 'wifi1'
	option dest 'wan'

# Trusted internal zone: everything to, from and within 'lan' is accepted.
config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

# Upstream zone covering both the IPv4 ('wan') and IPv6 ('wan6') interfaces.
# Inbound and forwarded traffic is rejected by default; the 'config rule'
# sections below are the exceptions. masq enables masquerading (NAT) on
# egress, mtu_fix enables MSS clamping.
config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

# lan clients may go out to wan.
config forwarding
	option src 'lan'
	option dest 'wan'

# Accept DHCP replies/renewals from the upstream server (UDP port 68, IPv4).
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

# Answer IPv4 pings arriving on wan.
# No 'limit' is set on this rule, unlike the ICMPv6 rules further down.
config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

# Accept IGMP (IPv4 multicast group management) from wan.
config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

# Accept DHCPv6 client traffic (UDP port 546), restricted to source and
# destination addresses inside fc00::/6.
config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

# Accept Multicast Listener Discovery from link-local senders only:
# ICMPv6 types 130 (query), 131 (report), 132 (done) and 143 (MLDv2 report).
config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

# ICMPv6 addressed to the router itself: echo, error messages and neighbour/
# router discovery, rate-limited to 1000 packets per second.
config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# ICMPv6 forwarded from wan to any zone (dest '*'): echo and error messages
# only, with the same rate limit. Discovery types are not forwarded.
# NOTE(review): echo-request is forwarded, so internal IPv6 hosts can be
# pinged from the Internet - confirm this is intended.
config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# Forward IPsec ESP from wan to any host in lan.
# NOTE(review): no dest_ip is set; if only one lan host terminates IPsec,
# narrowing the rule with dest_ip reduces exposure.
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

# Forward IKE/ISAKMP (UDP port 500) from wan to any host in lan.
# NOTE(review): same dest_ip remark as for Allow-IPSec-ESP.
config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# Would REJECT UDP probes to ports 33434-33689 so that traceroute gets an
# answer; currently switched off via enabled 'false'.
config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled 'false'

# Pulls in an additional custom rules file.
# NOTE(review): its contents are not part of this file, so the effective
# ruleset cannot be judged from here alone; review it together with this
# config and keep it writable by root only.
config include
	option path '/etc/firewall.user'

# Accepts TCP port 22 to the router itself from the whole wan zone.
# No 'family' and no 'src_ip' are set, so the rule is not limited to one
# address family or to particular peers.
# NOTE(review): this exposes the router's SSH service to the Internet.
# Preferably restrict with 'option src_ip', or reach SSH through a VPN, and
# make sure the SSH daemon accepts key authentication only.
config rule
	option name 'Allow SSH'
	option src 'wan'
	option target 'ACCEPT'
	option proto 'tcp'
	option dest_port '22'

# Accepts TCP ports 80 and 443 to the router itself from the whole wan zone,
# again without 'family' or 'src_ip' restriction.
# NOTE(review): this exposes the web admin interface to the Internet, and
# port 80 carries the login in cleartext. Preferably drop port 80 from this
# rule, restrict with 'option src_ip', or administer over a VPN/SSH tunnel
# instead of opening the UI on wan.
config rule
	option name 'Allow LuCI'
	option src 'wan'
	option target 'ACCEPT'
	option proto 'tcp'
	option dest_port '80 443'