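# --- Defaults (global firewall settings) ---
config defaults
	option syn_flood	'1'		# enable SYN-flood protection (rate-limits new TCP connections)
	option input		'ACCEPT'	# default policy for traffic addressed to the router itself
	option output		'ACCEPT'	# default policy for traffic originating from the router
	option forward		'REJECT'	# default policy for traffic routed between zones; only the
						# zone policies and explicit 'config forwarding' sections open a path
	# Fix: this was 'disable_ipv6 1', which tells fw3 not to install any IPv6
	# rules. That turned the 'wan6' network in the wan zone and the
	# 'Allow-DHCPv6' rule (family ipv6) further down into dead configuration.
	# IPv6 filtering is kept enabled so those sections take effect; the wan
	# zone's input/forward REJECT policies then apply to IPv6 traffic as well.
	option disable_ipv6	'0'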
# --- Zones ---
# The 'lan' zone is the trusted side: traffic from lan to the router
# (input), from the router to lan (output) and between lan interfaces
# (forward) is all accepted.
config zone
	option name	'lan'
	list network	'lan'
	option input	'ACCEPT'
	option output	'ACCEPT'
	option forward	'ACCEPT'
# The 'wan' zone is the untrusted side (IPv4 'wan' and IPv6 'wan6' networks).
# Unsolicited traffic to the router (input) and through it (forward) is
# rejected; only the explicit 'config rule' / 'config redirect' sections
# below punch holes in this policy.
config zone
	option name	'wan'
	list network	'wan'
	list network	'wan6'
	option input	'REJECT'
	option output	'ACCEPT'
	option forward	'REJECT'
	option masq	'1'	# masquerade (source NAT) outgoing traffic; must be 1 on a WAN zone
	option mtu_fix	'1'	# clamp TCP MSS to the path MTU; set to 1 on a WAN zone
# A zone section groups one or more interfaces and serves as a source or
# destination for forwardings, rules and redirects. Masquerading (NAT) of
# outgoing traffic is controlled on a per-zone basis.
# --- Forwardings ---
# Let traffic from lan be routed out through wan. No wan->lan forwarding
# is declared, so inbound connections from wan are blocked by the wan zone's
# forward=REJECT policy unless a redirect below matches them.
config forwarding
	option src	'lan'
	option dest	'wan'
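# --- Rules ---
# Accept DHCP renewals from wan: UDP to port 68 (the DHCP client port) on
# the router.
# Fix: the protocol key was misspelt 'ptoto'. fw3 ignores unknown option
# names, so the rule was not restricted to UDP as intended.
config rule
	option name		'Allow-DHCP-Renew'
	option src		'wan'
	option proto		'udp'
	option dest_port	'68'
	option target		'ACCEPT'
	option family		'ipv4'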
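# Accept IPv4 ping (ICMP echo-request) from wan so the router answers probes.
# Fixes: 'ptoto' -> 'proto' (the misspelt key was ignored, so 'icmp' never
# applied to the rule) and 'echo-requset' -> 'echo-request' (the ICMP type
# name as fw3 expects it). Remove this section if the router should not be
# pingable from the internet.
config rule
	option name		'Allow-ping'
	option src		'wan'
	option proto		'icmp'
	option icmp_type	'echo-request'
	option target		'ACCEPT'
	option family		'ipv4'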
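# Accept DHCPv6 replies from wan: UDP from a link-local address (fe80::/10)
# port 547 (server) to a link-local address port 546 (client) on the router.
# Fix: 'ptoto' -> 'proto'; with the key misspelt the UDP restriction was lost.
# Note: this rule only has any effect when 'disable_ipv6' in 'config defaults'
# is not set to 1; with IPv6 rules disabled it is dead configuration.
config rule
	option name		'Allow-DHCPv6'
	option src		'wan'
	option proto		'udp'
	option src_ip		'fe80::/10'
	option src_port		'547'
	option dest_ip		'fe80::/10'
	option dest_port	'546'
	option target		'ACCEPT'
	option family		'ipv6'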
# --- Redirects (DNAT / port forwarding) ---
# Forward TCP port 80 arriving on wan to the web server 192.168.1.123:80 in
# lan. This exposes that host's HTTP service to the whole internet; add an
# 'option src_ip' restriction if only known clients need to reach it.
config redirect
	option proto		'tcp'
	option src		'wan'
	option src_dport	'80'
	option dest		'lan'
	option dest_ip		'192.168.1.123'
	option dest_port	'80'
# Remapped SSH port: TCP 22001 arriving on wan is rewritten to port 22.
# No 'dest_ip' is given, so the target is presumably the router itself rather
# than a lan host (fw3 rewrites to the local machine in that case — confirm
# on your version). Whatever answers on port 22 is then reachable from the
# internet via 22001: use key-only authentication for dropbear/sshd, or drop
# this section if remote SSH is not needed.
config redirect
	option proto		'tcp'
	option src		'wan'
	option src_dport	'22001'
	option dest		'lan'
	option dest_port	'22'
# Forward TCP port 9020 arriving on wan to port 80 of the intranet server
# 192.168.1.100. A non-standard external port does not hide the service from
# a port scanner; it is still publicly reachable.
config redirect
	option name		'9020-80'
	option proto		'tcp'
	option src		'wan'
	option src_dport	'9020'
	option dest		'lan'
	option dest_ip		'192.168.1.100'
	option dest_port	'80'
#隔离区#
#为了解决安装防火墙后外部网络不能访问内部网络服务器的问题,
#而设立的一个非安全系统与安全系统之间的缓冲区。这个缓冲区位
#于企业内部网络和外部网络之间的小网络区域内,在这个小网络区
#域内可以放置一些必须公开的服务器设施,如企业Web服务器、FTP
#服务器和论坛等。
#另一方面,通过这样一个DMZ区域,更加有效地保护了内部网络,因
#为这种网络部署,比起一般的防火墙方案,对攻击者来说又多了一
#道关卡。
#端口映射与DMZ的区别在于:端口映射只是映射指定的端口,DMZ相
#当于映射所有的端口,并且直接把主机暴露在网关中,比端口映射
#方便但是不安全。
#注意:下面的规则只是“DMZ 主机”(把 wan 上的所有端口 DNAT 到 lan 内的
#一台主机 192.168.1.2),该主机仍然位于受信任的 lan 区域内,一旦被攻破
#攻击者即可直接访问整个内网;这与上文所述的独立 DMZ 网段并不相同。
# "DMZ host": redirect every port, for every protocol, arriving on wan to the
# internal host 192.168.1.2. There is no 'src_dport' (all ports match) and no
# 'dest' zone (presumably resolved from dest_ip — confirm). That host is fully
# exposed to the internet while still sitting inside the trusted lan zone, so
# compromising it gives an attacker a foothold in the lan. Prefer the per-port
# redirects above; if this rule is kept, leave it last so the more specific
# redirects are evaluated first (fw3 emits rules in config-file order).
config redirect
	option proto	'all'
	option src	'wan'
	option dest_ip	'192.168.1.2'