# Firewall filter listing (looks like RouterOS "print" output). Each entry is
# "<number> <flags> ;;; <comment>" followed by the rule's matchers and action.
# Per the legend below, X marks a disabled rule. Every numbered rule 1-13 in
# this listing carries X, so as shown none of the input/forward rules is being
# enforced; only dynamic rule 0 is active.
# NOTE(review): if this is the live state, nothing here filters traffic to the
# router or through it - confirm whether the rules were disabled on purpose
# (e.g. for troubleshooting) and re-enable them in this order.
Flags: X - disabled, I - invalid; D - dynamic
# Rule 0 is dynamic (D): a passthrough entry that only exposes fasttrack counters.
0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough
# --- input chain: traffic addressed to the router itself ---
1 X ;;; defconf: accept established,related,untracked
chain=input action=accept connection-state=established,related,untracked log=no log-prefix=""
# ICMP is accepted only when it arrives on an interface in the WAN list.
2 X ;;; defconf: accept ICMP
chain=input action=accept protocol=icmp in-interface-list=WAN log=no log-prefix=""
# Accepts UDP 13231 with no interface or source-address matcher, so the port is
# reachable from every interface; presumably the WireGuard listen port - confirm.
3 X ;;; wireguard
chain=input action=accept protocol=udp dst-port=13231 log=no log-prefix=""
# Matches on source address only (no in-interface matcher): any packet to the
# router with a source in 10.1.222.0/24 is accepted, whatever interface it
# arrived on. NOTE(review): consider also matching the WireGuard interface so
# the accept does not depend on the source address alone.
4 X ;;; allow wireguard traffic
chain=input action=accept src-address=10.1.222.0/24 log=no log-prefix=""
5 X ;;; defconf: drop invalid
chain=input action=drop connection-state=invalid log=no log-prefix=""
6 X ;;; defconf: accept to local loopback (for CAPsMAN)
chain=input action=accept dst-address=127.0.0.1
# Final input drop: anything not arriving via an interface in the LAN list is
# dropped, so rules 1-6 above are the only exceptions for non-LAN traffic.
7 X ;;; defconf: drop all not coming from LAN
chain=input action=drop in-interface-list=!LAN log=no log-prefix=""
# --- forward chain: traffic routed through the router ---
8 X ;;; defconf: accept in ipsec policy
chain=forward action=accept ipsec-policy=in,ipsec
9 X ;;; defconf: accept out ipsec policy
chain=forward action=accept ipsec-policy=out,ipsec
# Established/related connections are handed to fasttrack (hw-offload=yes);
# rule 0 above is the counter entry for that traffic.
10 X ;;; defconf: fasttrack
chain=forward action=fasttrack-connection hw-offload=yes connection-state=established,related
11 X ;;; defconf: accept established,related, untracked
chain=forward action=accept connection-state=established,related,untracked
12 X ;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid log=no log-prefix=""
# Drops new connections entering from the WAN list unless they were dst-nat'ed,
# i.e. only explicitly port-forwarded traffic is let in from WAN.
# No final drop follows in this listing, so other forwarded traffic is not
# blocked by these rules.
13 X ;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN log=no log-prefix=""