I already have a default "drop" rule for all new connections incoming on eth1; I verified I could not do DNS lookups from the WAN side.Make sure you deny DNS requests from outside. In filter rules make an input deny rule for TCP/UDP on port 53
Sent from my Lenovo K50a40 using Tapatalk