6 Апреля, 2012

Hardening OpenWRT firewall

zabiyakod
root@OpenWrt:/# vi /etc/config/firewall

# Global defaults: SYN-flood protection is enabled and all three default
# policies (input, output, forward) are DROP, so traffic that no zone or
# rule in this file accepts falls back to DROP.
config defaults
option syn_flood 1
option input DROP
option output DROP
option forward DROP
# This line is active (not commented out), so IPv6 rules are disabled.
# NOTE(review): this appears to switch off IPv6 rule generation only;
# confirm IPv6 itself is disabled on the interfaces, otherwise IPv6
# traffic may pass unfiltered.
option disable_ipv6 1

# lan zone: traffic from lan hosts to the router and from the router to
# lan hosts is accepted; forwarded traffic is dropped unless a forwarding
# section allows it.
config zone
option name lan
option network 'lan'
option input ACCEPT
option output ACCEPT
option forward DROP

# wan zone: inbound traffic to the router is dropped unless a rule accepts
# it, traffic from the router out to wan is accepted, forwarding is dropped.
config zone
option name wan
option network 'wan'
option input DROP
option output ACCEPT
option forward DROP
# Masquerade (NAT) traffic leaving through this zone.
option masq 1
# Clamp the TCP MSS for traffic through this zone.
option mtu_fix 1

# Allow forwarding from lan to wan. The visible listing has no forwarding
# section in the other direction, so wan -> lan stays under the DROP policy.
config forwarding
option src lan
option dest wan

# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
# Without this exception the wan input policy (DROP) would drop them too.
# The rule is limited to IPv4 UDP with destination port 68 coming from wan.
config rule
option name Allow-DHCP-Renew
option src wan
option proto udp
option dest_port 68
option target ACCEPT
option family ipv4

# Drop IPv4 ping (ICMP echo-request) arriving from wan.
# The section is still named Allow-Ping, but its target is DROP, so the
# router does not answer pings from wan.
# NOTE(review): the wan zone input policy is already DROP, so this rule
# looks redundant — confirm it is kept only to make the intent explicit.
config rule
option name Allow-Ping
option src wan
option proto icmp
option icmp_type echo-request
option family ipv4
option target DROP

# Allow DHCPv6 replies
# see https://dev.openwrt.org/ticket/10381
config rule
option name Allow-DHCPv6