openwrt_NSS_ACW/package/firewall/files/firewall.config

config defaults
	option syn_flood	1
	option input		ACCEPT
	option output		ACCEPT 
	option forward		REJECT
# Uncomment this line to disable ipv6 rules
#	option disable_ipv6	1

config zone
	option name		lan
	option input	ACCEPT 
	option output	ACCEPT 
	option forward	REJECT

config zone
	option name		wan
	option input	REJECT
	option output	ACCEPT 
	option forward	REJECT
	option masq		1 
	option mtu_fix	1

config forwarding 
	option src      lan
	option dest     wan

# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
	option src		wan
	option proto		udp
	option dest_port	68
	option target		ACCEPT
	option family	ipv4

#Allow ping
config rule
	option src wan
	option proto icmp
	option icmp_type echo-request
	option target ACCEPT

# include a file with users custom iptables rules
config include
	option path /etc/firewall.user


### EXAMPLE CONFIG SECTIONS
# do not allow a specific ip to access wan
#config rule
#	option src		lan
#	option src_ip	192.168.45.2
#	option dest		wan
#	option proto	tcp
#	option target	REJECT 

# block a specific mac on wan
#config rule
#	option dest		wan
#	option src_mac	00:11:22:33:44:66
#	option target	REJECT 

# block incoming ICMP traffic on a zone
#config rule
#	option src		lan
#	option proto	ICMP
#	option target	DROP

# port redirect port coming in on wan to lan
#config redirect
#	option src			wan
#	option src_dport	80
#	option dest			lan
#	option dest_ip		192.168.16.235
#	option dest_port	80 
#	option proto		tcp

# port redirect of remapped ssh port (22001) on wan
#config redirect
#	option src		wan
#	option src_dport	22001
#	option dest		lan
#	option dest_port	22
#	option proto		tcp

# allow IPsec/ESP and ISAKMP passthrough
#config rule
#	option src		wan
#	option dest		lan
#	option protocol		esp
#	option target		ACCEPT

#config rule
#	option src		wan
#	option dest		lan
#	option src_port		500
#	option dest_port	500
#	option proto		udp
#	option target		ACCEPT

### FULL CONFIG SECTIONS
#config rule
#	option src		lan
#	option src_ip	192.168.45.2
#	option src_mac	00:11:22:33:44:55
#	option src_port	80
#	option dest		wan
#	option dest_ip	194.25.2.129
#	option dest_port	120
#	option proto	tcp
#	option target	REJECT 

#config redirect
#	option src		lan
#	option src_ip	192.168.45.2
#	option src_mac	00:11:22:33:44:55
#	option src_port		1024
#	option src_dport	80
#	option dest_ip	194.25.2.129
#	option dest_port	120
#	option proto	tcp