
config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option masq '1'
	option input 'DROP'
	option forward 'DROP'
	option network 'wan'
	option family 'ipv4'

config zone
	option name 'wan6'
	option input 'DROP'
	option forward 'DROP'
	option network 'wan6'
	option family 'ipv6'
	option output 'ACCEPT'

config forwarding
	option src 'lan'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'wan6'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'
	option src 'wan6'

config rule
	option name 'Allow-MLD'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'
	option src 'wan6'

config rule
	option name 'Allow-ICMPv6-Input'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'
	option src 'wan6'

config rule
	option name 'Allow-ICMPv6-Forward'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'
	option src 'wan6'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config redirect
	option src 'wan'
	option name 'Plex'
	option src_dport '8080'
	option target 'DNAT'
	option dest_ip '192.168.1.100'
	option dest 'lan'
	option dest_port '32400'

config redirect
	option dest_port '222'
	option src 'wan'
	option src_dport '222'
	option target 'DNAT'
	option dest_ip '192.168.1.100'
	option dest 'lan'
	option name 'NAS ssh'

config redirect
	option dest_port '8081'
	option src 'wan'
	option name 'NAS web'
	option src_dport '8081'
	option target 'DNAT'
	option dest_ip '192.168.1.100'
	option dest 'lan'

config redirect
	option dest_port '4430'
	option src 'wan'
	option name 'NAS openvpn'
	option src_dport '4430'
	option target 'DNAT'
	option dest_ip '192.168.1.100'
	option dest 'lan'

config redirect
	option dest_port '9981-9982'
	option src 'wan'
	option name 'NAS TVheadend'
	option src_dport '9981-9982'
	option target 'DNAT'
	option dest_ip '192.168.1.100'
	option dest 'lan'

config redirect
	option dest_port '443'
	option src 'wan'
	option name 'NAS Traeffik'
	option src_dport '443'
	option target 'DNAT'
	option dest_ip '192.168.1.100'
	option dest 'lan'

