# Global firewall defaults.
# NOTE(review): presumably these policies apply to traffic that is not matched
# by any zone below; confirm against the firewall version in use. With
# input ACCEPT such traffic can reach services running on the router itself.
config defaults
	option syn_flood	1
	option input		ACCEPT
	option output		ACCEPT 
	option forward		REJECT
# The line below is active, so IPv6 rule generation is currently disabled;
# comment it out to have IPv6 rules generated again.
# NOTE(review): this switches off the firewall's IPv6 rules, not IPv6 itself.
# If any interface still obtains an IPv6 address, that traffic is presumably
# left unfiltered; confirm IPv6 is also disabled at the network level.
	option disable_ipv6	1

# Zone for the 'lan' network: traffic to and from the router itself is
# accepted, and the zone's forward policy is REJECT.
# The only 'config forwarding' section in this file (lan -> wan) is commented
# out, so no forwarding out of this zone is enabled here.
config zone
	option name		lan
	option network		'lan'
	option input		ACCEPT 
	option output		ACCEPT 
	option forward		REJECT

# Zone for the 'wifi_sta' network.
# NOTE(review): the name suggests the Wi-Fi client (station) uplink, i.e. a
# network this router does not control; confirm. With input ACCEPT, every
# service listening on the router (e.g. remote login or a web interface, if
# running) is reachable from that network. If the network is untrusted, set
# input to REJECT or DROP and enable only the narrow rules that are needed;
# the commented-out DHCP and ping rules for src wifi_sta further down in this
# file fit that setup.
config zone
	option name		wifi_sta
	option network		'wifi_sta'
	option input		ACCEPT
	option output		ACCEPT 
	option forward		REJECT

#config forwarding 
#	option src      	lan
#	option dest     	wan

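# Accept DHCP replies (UDP packets on port 68) arriving from wifi_sta,
# see https://dev.openwrt.org/ticket/4108
# This rule only matters when the wifi_sta zone's input policy is not ACCEPT.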

#config rule
#	option src		wifi_sta
#	option proto		udp
#	option dest_port	68
#	option target		ACCEPT
#	option family		ipv4

# Allow IPv4 ping
#config rule
#	option src		wifi_sta
#	option proto		icmp
#	option icmp_type	echo-request
#	option family		ipv4
#	option target		ACCEPT

# Allow DHCPv6 replies
# see https://dev.openwrt.org/ticket/10381
#config rule
#	option src		wan
#	option proto		udp
#	option src_ip		fe80::/10
#	option src_port		547
#	option dest_ip		fe80::/10
#	option dest_port	546
#	option family		ipv6
#	option target		ACCEPT

# Allow essential incoming IPv6 ICMP traffic
#config rule
#	option src		wan
#	option proto	icmp
#	list icmp_type		echo-request
#	list icmp_type		destination-unreachable
#	list icmp_type		packet-too-big
#	list icmp_type		time-exceeded
#	list icmp_type		bad-header
#	list icmp_type		unknown-header-type
#	list icmp_type		router-solicitation
#	list icmp_type		neighbour-solicitation
#	option limit		1000/sec
#	option family		ipv6
#	option target		ACCEPT

# Allow essential forwarded IPv6 ICMP traffic
#config rule                                   
#	option src		wan
#	option dest		*
#	option proto		icmp
#	list icmp_type		echo-request
#	list icmp_type		destination-unreachable
#	list icmp_type		packet-too-big
#	list icmp_type		time-exceeded
#	list icmp_type		bad-header
#	list icmp_type		unknown-header-type
#	option limit		1000/sec
#	option family		ipv6
#	option target		ACCEPT

# Include a file with the user's custom iptables rules.
# NOTE(review): presumably this file is run as a shell script with root
# privileges whenever the firewall is (re)loaded; confirm. Keep it owned by
# root and not writable by anyone else, and review changes to it like code.
config include
	option path /etc/firewall.user


### EXAMPLE CONFIG SECTIONS
# do not allow a specific ip to access wan
#config rule
#	option src		lan
#	option src_ip	192.168.45.2
#	option dest		wan
#	option proto	tcp
#	option target	REJECT 

# block a specific mac on wan
#config rule
#	option dest		wan
#	option src_mac	00:11:22:33:44:66
#	option target	REJECT 

# block incoming ICMP traffic on a zone
#config rule
#	option src		lan
#	option proto	ICMP
#	option target	DROP

# redirect a port coming in on wan to a host on lan
#config redirect
#	option src			wan
#	option src_dport	80
#	option dest			lan
#	option dest_ip		192.168.16.235
#	option dest_port	80 
#	option proto		tcp

# port redirect of remapped ssh port (22001) on wan
#config redirect
#	option src		wan
#	option src_dport	22001
#	option dest		lan
#	option dest_port	22
#	option proto		tcp

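# allow IPsec/ESP and ISAKMP passthrough
# (the match option is spelled 'proto', as in the other rules in this file; a
# misspelled option name would likely be ignored and the ESP restriction lost)
#config rule
#	option src		wan
#	option dest		lan
#	option proto		esp
#	option target		ACCEPT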

#config rule
#	option src		wan
#	option dest		lan
#	option src_port		500
#	option dest_port	500
#	option proto		udp
#	option target		ACCEPT

### FULL CONFIG SECTIONS
#config rule
#	option src		lan
#	option src_ip	192.168.45.2
#	option src_mac	00:11:22:33:44:55
#	option src_port	80
#	option dest		wan
#	option dest_ip	194.25.2.129
#	option dest_port	120
#	option proto	tcp
#	option target	REJECT 

#config redirect
#	option src		lan
#	option src_ip	192.168.45.2
#	option src_mac	00:11:22:33:44:55
#	option src_port		1024
#	option src_dport	80
#	option dest_ip	194.25.2.129
#	option dest_port	120
#	option proto	tcp
