
config 'defaults'
	option 'syn_flood' '0'
	option 'input' 'ACCEPT'
	option 'output' 'ACCEPT'
	option 'forward' 'REJECT'
	option 'drop_invalid' '1'
        option 'synflood_rate' '200'
        option 'synflood_burst' '500'
        option 'tcp_ecn' '1'

config 'zone'
	option 'name' 'secure'
	option 'input' 'ACCEPT'
	option 'output' 'ACCEPT'
	option 'forward' 'REJECT'
	option 'network' 'se00 sw00 sw10 gw00 gw01 gw10 gw11'

config 'zone'
	option 'name' 'wan'
	option 'input' 'REJECT'
	option 'output' 'ACCEPT'
	option 'forward' 'REJECT'
	option 'masq' '0'
	option 'mtu_fix' '1'
	option 'network' 'ge00'

config 'rule'
	option 'src' 'secure'
	option 'proto' 'udp'
	option 'dest_port' 'bootpc'
	option 'target' 'ACCEPT'
	option 'family' 'ipv4'

config 'rule'
	option 'src' 'wan'
	option 'proto' 'icmp'
	option 'icmp_type' 'echo-request'
	option 'target' 'ACCEPT'
	option 'family' 'ipv4'

config 'rule'
	option 'src' 'wan'
	option 'proto' 'icmp'
	option 'target' 'ACCEPT'
	option 'family' 'ipv6'

config 'include'
	option 'path' '/etc/firewall.user'

config 'forwarding'
	option 'dest' 'wan'
	option 'src' 'secure'

config 'forwarding'
	option 'dest' 'secure'
	option 'src' 'secure'

config 'forwarding'
	option 'dest' 'secure'
	option 'src' 'wan'

config 'rule'
        option 'src' 'secure'
        option 'proto' 'icmp'
        option 'target' 'ACCEPT'
        option 'family' 'ipv6'

config 'rule'
        option 'target' 'ACCEPT'
        option 'src' 'wan'
        option 'proto' 'tcp'
        option 'dest_port' '80 53 433 873'

config 'rule'
        option 'target' 'ACCEPT'
        option 'src' 'wan'
        option 'proto' 'udp'
        option 'port' 'domain ntp'

config 'rule'
        option 'target' 'ACCEPT'
        option 'src' 'secure'
        option 'proto' 'tcp'
        option 'dest_port' '80 53 433 873'

config 'rule'
        option 'target' 'ACCEPT'
        option 'src' 'secure'
        option 'proto' 'udp'
        option 'dest_port' 'domain ntp'


