Default firewall filter rules

Eduardo · August 22, 2016, 7:47pm

Hi,

When using Quick Set to setup the CRS125 as a “Home AP”, I get these default firewall filter rules:

(I am using a PPPoE connection to my ISP via port1)

Question 1: Why are rules 6 and 7 identical?

Question 2: Are these fine? Or should I add more or different rules to be more safe?

Question 3: How can it be that rule 8 is sometimes used? Because rule 6 and 7 are accepting everything (without any conditions), how can rule 8 ever be executed (even having the PPPoE condition)? Probably I understand this wrong…

Thanks!

ZeroByte · August 22, 2016, 8:46pm

Rules 6 and 7 are probably not identical. There are more conditions than the ones shown in the list.
You can edit each rule (double click them) and look at each tab to see all of the conditions.

A rule matches and the action is taken if and only if ALL conditions in the other tabs are true.
Obviously rules 6 and 7 have some criteria that aren’t shown in order for some packets to make it through to rule 8 and get dropped.

Also - you need to edit rule 4 and change in-interface to be pppoe-out1

Eduardo · August 22, 2016, 8:58pm

Right! Rule 6 has the “connection state: established”, and rule 7 the “connection state: related” condition.

Thanks, also for the rule 4 correction. So all the rest is safe like this?

ZeroByte · August 22, 2016, 9:22pm

The default firewall is a basic:
Allow anything you request, block anything unrequested.
This is fine for most people.