Created
February 14, 2018 17:23
-
-
Save milankragujevic/c3cf904203c3cd77504c6ac008dcf8c6 to your computer and use it in GitHub Desktop.
firewall configuration for dual WAN loadbalancing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| config defaults | |
| option syn_flood 1 | |
| option input ACCEPT | |
| option output ACCEPT | |
| option forward REJECT | |
| config zone | |
| option name lan | |
| list network 'lan' | |
| option input ACCEPT | |
| option output ACCEPT | |
| option forward ACCEPT | |
| option masq 1 | |
| option mtu_fix 1 | |
| config zone | |
| option name wan | |
| list network 'wan' | |
| list network 'wan2' | |
| option input REJECT | |
| option output ACCEPT | |
| option forward REJECT | |
| option masq 1 | |
| option mtu_fix 1 | |
| config forwarding | |
| option src lan | |
| option dest wan | |
| config rule | |
| option name Allow-DHCP-Renew | |
| option src wan | |
| option proto udp | |
| option dest_port 68 | |
| option target ACCEPT | |
| option family ipv4 | |
| config rule | |
| option name Allow-Ping | |
| option src wan | |
| option proto icmp | |
| option icmp_type echo-request | |
| option family ipv4 | |
| option target ACCEPT | |
| config rule | |
| option name Allow-IGMP | |
| option src wan | |
| option proto igmp | |
| option family ipv4 | |
| option target ACCEPT | |
| config rule | |
| option name Allow-DHCPv6 | |
| option src wan | |
| option proto udp | |
| option src_ip fc00::/6 | |
| option dest_ip fc00::/6 | |
| option dest_port 546 | |
| option family ipv6 | |
| option target ACCEPT | |
| config rule | |
| option name Allow-MLD | |
| option src wan | |
| option proto icmp | |
| option src_ip fe80::/10 | |
| list icmp_type '130/0' | |
| list icmp_type '131/0' | |
| list icmp_type '132/0' | |
| list icmp_type '143/0' | |
| option family ipv6 | |
| option target ACCEPT | |
| config rule | |
| option name Allow-ICMPv6-Input | |
| option src wan | |
| option proto icmp | |
| list icmp_type echo-request | |
| list icmp_type echo-reply | |
| list icmp_type destination-unreachable | |
| list icmp_type packet-too-big | |
| list icmp_type time-exceeded | |
| list icmp_type bad-header | |
| list icmp_type unknown-header-type | |
| list icmp_type router-solicitation | |
| list icmp_type neighbour-solicitation | |
| list icmp_type router-advertisement | |
| list icmp_type neighbour-advertisement | |
| option limit 1000/sec | |
| option family ipv6 | |
| option target ACCEPT | |
| config rule | |
| option name Allow-ICMPv6-Forward | |
| option src wan | |
| option dest * | |
| option proto icmp | |
| list icmp_type echo-request | |
| list icmp_type echo-reply | |
| list icmp_type destination-unreachable | |
| list icmp_type packet-too-big | |
| list icmp_type time-exceeded | |
| list icmp_type bad-header | |
| list icmp_type unknown-header-type | |
| option limit 1000/sec | |
| option family ipv6 | |
| option target ACCEPT | |
| config rule | |
| option name Allow-IPSec-ESP | |
| option src wan | |
| option dest lan | |
| option proto esp | |
| option target ACCEPT | |
| config rule | |
| option name Allow-ISAKMP | |
| option src wan | |
| option dest lan | |
| option dest_port 500 | |
| option proto udp | |
| option target ACCEPT | |
| config include | |
| option path /etc/firewall.user |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment