From 39d6cd64381e8622c1ce9f4fc16590558eed9a0e Mon Sep 17 00:00:00 2001
From: Astro
Date: Wed, 8 Feb 2012 17:56:44 +0000
Subject: [PATCH] /* Firewall */ vollkommen anders
---
 Server%2Fratbert.mw | 106 ++++----------------------------------
 1 file changed, 8 insertions(+), 98 deletions(-)
diff --git a/Server%2Fratbert.mw b/Server%2Fratbert.mw
index abee77b4..e4ab0e74 100644
--- a/Server%2Fratbert.mw
+++ b/Server%2Fratbert.mw
@@ -134,110 +134,20 @@ config wifi-iface
 === Firewall ===
-/etc/config/firewall :
+Crappy OpenWRT firewall disabled.
+root@ratbert:~# cat /etc/rc.local 
+# Put your custom commands here that should be executed once
+# the system init finished. By default this file does nothing.
 
-root@ratbert:/etc/config# cat firewall 
-config defaults
-	option syn_flood	1
-	option input		ACCEPT
-	option output		ACCEPT 
-	option forward		REJECT
-# Uncomment this line to disable ipv6 rules
-#	option disable_ipv6	1
-
-config zone
-	option name		lan
-	option network		'lan'
-	option input		ACCEPT 
-	option output		ACCEPT 
-	option forward		REJECT
-
-config zone
-	option name		wan
-	option network		'wan'
-	option input		REJECT
-	option output		ACCEPT 
-	option forward		REJECT
-	option masq		1 
-	option mtu_fix		1
-
-config forwarding 
-	option src      	lan
-	option dest     	wan
-
-# We need to accept udp packets on port 68,
-# see https://dev.openwrt.org/ticket/4108
-config rule
-	option name		Allow-DHCP-Renew
-	option src		wan
-	option proto		udp
-	option dest_port	68
-	option target		ACCEPT
-	option family		ipv4
-
-# Allow IPv4 ping
-config rule
-	option name		Allow-Ping
-	option src		wan
-	option proto		icmp
-	option icmp_type	echo-request
-	option family		ipv4
-	option target		ACCEPT
-
-# Allow DHCPv6 replies
-# see https://dev.openwrt.org/ticket/10381
-config rule
-	option name		Allow-DHCPv6
-	option src		wan
-	option proto		udp
-	option src_ip		fe80::/10
-	option src_port		547
-	option dest_ip		fe80::/10
-	option dest_port	546
-	option family		ipv6
-	option target		ACCEPT
-
-# Allow essential incoming IPv6 ICMP traffic
-config rule
-	option name		Allow-ICMPv6-Input
-	option src		wan
-	option proto	icmp
-	list icmp_type		echo-request
-	list icmp_type		destination-unreachable
-	list icmp_type		packet-too-big
-	list icmp_type		time-exceeded
-	list icmp_type		bad-header
-	list icmp_type		unknown-header-type
-	list icmp_type		router-solicitation
-	list icmp_type		neighbour-solicitation
-	option limit		1000/sec
-	option family		ipv6
-	option target		ACCEPT
-
-# Allow essential forwarded IPv6 ICMP traffic
-config rule                                   
-	option name		Allow-ICMPv6-Forward
-	option src		wan
-	option dest		*
-	option proto		icmp
-	list icmp_type		echo-request
-	list icmp_type		destination-unreachable
-	list icmp_type		packet-too-big
-	list icmp_type		time-exceeded
-	list icmp_type		bad-header
-	list icmp_type		unknown-header-type
-	option limit		1000/sec
-	option family		ipv6
-	option target		ACCEPT
-
-# include a file with users custom iptables rules
-config include
-	option path /etc/firewall.user
+iptables -t nat -A POSTROUTING -o pppoe-wan -j MASQUERADE
+iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
 
+exit 0
 
+Wir hatten mal noch in der raw table NOTRACK zwischen LAN & WLAN...
 === DNSmasq ===
 Der combinierte DNS und DHCP Server dnsmasq ist in /etc/config/dhcp so eingestellt:
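Review bot: The new /etc/rc.local (the two `+iptables` lines) installs only NAT and MSS clamping and no filter rules, so with the OpenWrt firewall disabled the INPUT and FORWARD chains keep their default ACCEPT policy and every service listening on the router is reachable from pppoe-wan — the removed config at least had `option input REJECT` on the wan zone, and the deleted IPv6 rules are not replaced either, so if IPv6 is enabled on wan, ip6tables is equally open. Unless the box is deliberately meant to be fully exposed, rc.local should carry at least a stateful INPUT/FORWARD filter on pppoe-wan, sketched below; whether `-m state` or `-m conntrack` is available depends on which kmods this build ships, which the page does not show. Two smaller points: `-A` is not idempotent, so re-running rc.local duplicates the rules, and the page never shows how the firewall was disabled, so a comment such as `# disabled with: /etc/init.d/firewall disable` in rc.local would help the next admin. The trailing remark about NOTRACK between LAN and WLAN is worth a sentence too, since NAT needs conntrack and untracked flows would silently bypass MASQUERADE.
```shell
# … unchanged: rc.local header comments …
# Stateful filter on the WAN side; default policies are ACCEPT once the
# OpenWrt firewall is off, so everything not matched here must be dropped.
iptables -P FORWARD DROP
iptables -A INPUT -i pppoe-wan -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i pppoe-wan -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -i pppoe-wan -j DROP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD ! -i pppoe-wan -o pppoe-wan -j ACCEPT
# … unchanged: MASQUERADE and TCPMSS rules, exit 0 …
```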