config defaults
	option syn_flood	0
	option input		ACCEPT
	option output		ACCEPT
	option forward		DROP
# Uncomment this line to disable ipv6 rules
#	option disable_ipv6	1

config zone
	option name		lan
	list network		'lan'
	option input		ACCEPT
	option output		ACCEPT
	option forward		ACCEPT
	option masq		0
	option conntrack	1
	option mtu_fix		1

# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
	option name		Allow-DHCP-Renew
	option src		lan
	option proto		udp
	option dest_port	68
	option target		ACCEPT
	option family		ipv4

# Allow IPv4 ping
config rule
	option name		Allow-Ping
	option src		lan
	option proto		icmp
	option icmp_type	echo-request
	option family		ipv4
	option target		ACCEPT

# include a file with users custom iptables rules
config include
	option path /etc/firewall.user
    option reload 0

config include "fwreload"
	option path /etc/firewall-re.user
    option reload 1

# Allow DHCPv6 replies
# see https://dev.openwrt.org/ticket/10381
config rule
	option name		Allow-DHCPv6
	option src		lan
	option proto		udp
	option src_ip		fe80::/10
	option src_port		547
	option dest_ip		fe80::/10
	option dest_port	546
	option family		ipv6
	option target		ACCEPT

# Allow essential incoming IPv6 ICMP traffic
config rule
	option name		Allow-ICMPv6-Input
	option src		lan
	option proto	icmp
	list icmp_type		echo-request
	list icmp_type		echo-reply
	list icmp_type		destination-unreachable
	list icmp_type		packet-too-big
	list icmp_type		time-exceeded
	list icmp_type		bad-header
	list icmp_type		unknown-header-type
	list icmp_type		router-solicitation
	list icmp_type		neighbour-solicitation
	list icmp_type		router-advertisement
	list icmp_type		neighbour-advertisement
	option family		ipv6
	option target		ACCEPT

# Allow essential forwarded IPv6 ICMP traffic
config rule
	option name		Allow-ICMPv6-Forward
	option src		lan
	option dest		*
	option proto		icmp
	list icmp_type		echo-request
	list icmp_type		echo-reply
	list icmp_type		destination-unreachable
	list icmp_type		packet-too-big
	list icmp_type		time-exceeded
	list icmp_type		bad-header
	list icmp_type		unknown-header-type
	option family		ipv6
	option target		ACCEPT

config zone
	option name 'guest'
	list network 'guest'
	option input 'DROP'
	option output 'ACCEPT'
	option forward 'DROP'

config forwarding
	option src 'guest'
	option dest 'lan'

config rule
	option name 'Allow DNS Queries'
	option src 'guest'
	option dest_port '53'
	option proto 'tcpudp'
	option target 'ACCEPT'

config rule
	option name 'Allow DHCP request'
	option src 'guest'
	option src_port '67-68'
	option dest_port '67-68'
	option proto 'udp'
	option target 'ACCEPT'


