I don’t quite follow… Do you suggest that I narrow down my firewall rules by selecting an interface? I have other routers connected to all interfaces of this device, and will want LDP to work for all of them.
I have the allow TCP 646 output firewall rule on top of my list, and the counter is still on zero. It looks like there is really nothing leaving my router destined to port TCP 646 anywhere. The input rule for TCP 646 counts vigorously. LDP works like a charm…
I don’t have specific LDP knowledge, but it is normal that when you have TCP rules with a dest-port they only match in one direction.
The other direction is typically matched by an “established” rule further up the chain.
Remember TCP connections are normally made with a random source port number to a fixed destination port number, and so the replies in the other direction are from a fixed source port number (the service port) to a random destination port number.
Just checked. LDP, unlike ISAKMP for example, uses a random source port and 646 as destination. That’s why you can’t see the counters in rules. Also you can use “torch” for traffic sniffing and see TCP ports.
The use of a fixed source AND destination port is typically seen only with UDP, not with TCP.
If you wanted to restrict the output (the output chain is usually left empty…) you would have to match on the source port at the service side.