
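# Global policies. These apply to any packet that no zone policy, forwarding
# or rule has already decided.
config defaults
	option syn_flood '1'
	# NOTE(review): router-bound traffic arriving on an interface that is not
	# assigned to any zone is still accepted by this policy; consider 'REJECT'
	# once every interface in use is covered by a zone.
	option input 'ACCEPT'
	option output 'ACCEPT'
	# Was 'ACCEPT'. A zone's own 'forward' policy only covers traffic that stays
	# inside that zone; cross-zone traffic without a matching 'forwarding' or
	# rule falls through to this default. With 'ACCEPT', new connections from
	# the WAN side towards LAN hosts were therefore permitted regardless of the
	# 'DROP' on the wan zone. 'REJECT' makes the forwardings below the only
	# cross-zone paths.
	option forward 'REJECT'

# Trusted side. 'wg0' is a member of this zone, so hosts reached over that
# interface get the same access to the router and to LAN hosts as local
# clients. NOTE(review): confirm that this level of trust is intended for
# every peer configured on wg0.
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan wg0'

# IPv4 upstream: nothing unsolicited is accepted, outbound traffic is masqueraded.
config zone
	option name 'wan'
	option input 'DROP'
	option output 'ACCEPT'
	option forward 'DROP'
	option masq '1'
	option family 'ipv4'
	option network 'wan'

# IPv6 upstream. 'input' and 'forward' were 'ACCEPT', which exposed every
# service listening on the router to the IPv6 side and made the
# Allow-DHCPv6 / Allow-MLD / Allow-ICMPv6-* / Allow-IPv6-Mail-* rules further
# down redundant. With 'DROP' (matching the IPv4 wan zone) those rules become
# the actual allow-list.
# NOTE(review): the Allow-Wireguard-Input rule names only src 'wan'; if peers
# connect to the router over IPv6, add an equivalent rule with src 'wanipv6'.
config zone
	option name 'wanipv6'
	option network 'wan6'
	option output 'ACCEPT'
	option family 'ipv6'
	option input 'DROP'
	option forward 'DROP'

config forwarding
	option src 'lan'
	option dest 'wan'

# Outbound IPv6 from the LAN previously worked only because the default
# forward policy was 'ACCEPT'; it now needs its own explicit forwarding.
config forwarding
	option src 'lan'
	option dest 'wanipv6'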

# WAN -> router, IPv4: UDP to port 68 so the router's DHCP client can receive
# replies from the upstream DHCP server.
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option family 'ipv4'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'

# WAN -> router, IPv4: answer echo requests. No 'limit' is set on this rule,
# unlike the ICMPv6 rules later in this file.
config rule
	option name 'Allow-Ping'
	option src 'wan'
	option family 'ipv4'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option target 'ACCEPT'

# WAN -> router, IPv4: IGMP (multicast group membership).
# NOTE(review): only needed if the upstream delivers multicast; confirm.
config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option family 'ipv4'
	option proto 'igmp'
	option target 'ACCEPT'

# wanipv6 -> router: DHCPv6 replies to the client port (UDP 546). Source and
# destination are both restricted to fc00::/6.
config rule
	option name 'Allow-DHCPv6'
	option src 'wanipv6'
	option family 'ipv6'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option target 'ACCEPT'

# wanipv6 -> router: ICMPv6 types 130, 131, 132 and 143 (code 0), accepted
# only from link-local sources (fe80::/10).
config rule
	option name 'Allow-MLD'
	option src 'wanipv6'
	option family 'ipv6'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option target 'ACCEPT'

# wanipv6 -> router: the listed ICMPv6 error, echo and neighbour-discovery
# types, rate-limited to 1000 packets per second.
config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wanipv6'
	option family 'ipv6'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option target 'ACCEPT'

# wanipv6 -> any zone: the listed ICMPv6 error and echo types are forwarded,
# rate-limited to 1000 packets per second. Neighbour-discovery types are not
# in this list, so they are not forwarded by this rule.
config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wanipv6'
	option dest '*'
	option family 'ipv6'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option target 'ACCEPT'

# wan -> lan: forward ESP to any LAN host (no dest_ip restriction).
# NOTE(review): if no IPsec endpoint lives on the LAN, this rule and the
# ISAKMP rule below can be disabled; confirm before removing.
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

# wan -> lan: forward UDP 500 (IKE) to any LAN host (no dest_ip restriction).
config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option proto 'udp'
	option dest_port '500'
	option target 'ACCEPT'

# Loads additional firewall commands from /etc/firewall.user.
# NOTE(review): that file's contents are not visible here and are not
# constrained by the zones and rules in this file; audit it together with
# this config and keep it writable by root only.
config include
	option path '/etc/firewall.user'

# IPv4 port forwards (DNAT) from wan to the LAN host 192.168.0.2.
# All five carry enabled '0', so none of them is active as written.
# NOTE(review): if any is re-enabled, note that 25, 80 and 143 are cleartext
# ports unless the service behind them enforces TLS; confirm on the host.

config redirect
	option name 'Forward-SMTP25'
	option enabled '0'
	option target 'DNAT'
	option src 'wan'
	option src_dport '25'
	list proto 'tcp'
	option dest 'lan'
	option dest_ip '192.168.0.2'

config redirect
	option name 'Forward-HTTP80'
	option enabled '0'
	option target 'DNAT'
	option src 'wan'
	option src_dport '80'
	list proto 'tcp'
	option dest 'lan'
	option dest_ip '192.168.0.2'

config redirect
	option name 'Forward-IMAP143'
	option enabled '0'
	option target 'DNAT'
	option src 'wan'
	option src_dport '143'
	list proto 'tcp'
	option dest 'lan'
	option dest_ip '192.168.0.2'

config redirect
	option name 'Forward-HTTPS443'
	option enabled '0'
	option target 'DNAT'
	option src 'wan'
	option src_dport '443'
	list proto 'tcp'
	option dest 'lan'
	option dest_ip '192.168.0.2'

config redirect
	option name 'Forward-SUBMISSION587'
	option enabled '0'
	option target 'DNAT'
	option src 'wan'
	option src_dport '587'
	list proto 'tcp'
	option dest 'lan'
	option dest_ip '192.168.0.2'

# IPv6 inbound allow-list for the single LAN host 2001:470:1f13:620::2:
# TCP 25, 80, 143, 443 and 587 from wanipv6 to lan. Each rule is pinned to
# that one destination address, so other LAN hosts are not covered by them.
# NOTE(review): 25, 80 and 143 are cleartext ports unless the service behind
# them enforces TLS; confirm on the host.

config rule
	option name 'Allow-IPv6-Mail-25'
	option family 'ipv6'
	option src 'wanipv6'
	option dest 'lan'
	list dest_ip '2001:470:1f13:620::2'
	list proto 'tcp'
	option dest_port '25'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPv6-Mail-80'
	option family 'ipv6'
	option src 'wanipv6'
	option dest 'lan'
	list dest_ip '2001:470:1f13:620::2'
	list proto 'tcp'
	option dest_port '80'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPv6-Mail-143'
	option family 'ipv6'
	option src 'wanipv6'
	option dest 'lan'
	list dest_ip '2001:470:1f13:620::2'
	list proto 'tcp'
	option dest_port '143'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPv6-Mail-443'
	option family 'ipv6'
	option src 'wanipv6'
	option dest 'lan'
	list dest_ip '2001:470:1f13:620::2'
	list proto 'tcp'
	option dest_port '443'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPv6-Mail-587'
	option family 'ipv6'
	option src 'wanipv6'
	option dest 'lan'
	list dest_ip '2001:470:1f13:620::2'
	list proto 'tcp'
	option dest_port '587'
	option target 'ACCEPT'

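# wan -> router: WireGuard listener on port 56718. No 'dest' is set, so this
# is an input rule for the router itself.
# WireGuard's transport is UDP only; the former 'tcp' entry opened a TCP port
# on the WAN side that the tunnel never uses, so it has been removed.
# Only the IPv4 'wan' zone is named as source; peers arriving via the
# 'wanipv6' zone are not matched by this rule.
config rule
	option name 'Allow-Wireguard-Input'
	option src 'wan'
	list proto 'udp'
	option dest_port '56718'
	option target 'ACCEPT'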


