Question about standard firewall settings

Wiki recommends the use of the following firewall settings:

add chain=input protocol=udp action=accept comment="UDP" disabled=no  
add chain=input in-interface=ether2 src-address=192.168.0.0/24 comment="From our LAN" action=accept

What if these two lines are replaced with action=drop?

Can someone explain the consequences for each line?

The first line allows UDP packets, regardless of who sends them, who they’re targeted at, and where they’re coming from or to.

Replacing this with action=drop would disable any and all UDP packets that go over the router. Therefore, any application that uses UDP will fail to connect if it needs to pass through your router. It should go without saying that UDP traffic between local devices should still work. AFAIK, DNS uses UDP on port 53, so unless you whitelist that, you’re “breaking the internet” from users’ point of view.

The second line allows any and all traffic coming from the interface ether2 (which is hopefully the private facing interface) that also happens to come from an IP address that is from your LAN, regardless of what protocol it connects with.

Replacing this with action=drop would mean that if such an IP tries to go through that interface, it will fail. It can still connect over another interface, though, just not this one. Also, other IPs can still connect from that interface… basically, your public interface should probably have this rule with action=drop as a security precaution, though be aware that if your local interface fails, you won’t be able to instantly replace it with one that was previously public, but will have to first somehow adjust this setting.
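To make the first-match behaviour of those two rules concrete, here is an added Python simulation; it is not from the original thread or from the MikroTik wiki. It models a RouterOS filter chain the way the router walks it: top-down, the first matching rule decides, and a packet that matches no rule falls through to the chain's implicit accept. Both rules sit in chain=input, so the packets it evaluates are ones addressed to the router itself (a DNS query to the router's own resolver, a management session, and so on). The sample packets, the ether1 WAN interface name and the 203.0.113.5 address are constructed for the example.

```python
"""First-match simulation of the two RouterOS input-chain rules from the thread.

Added example, not code from the forum post or the MikroTik wiki.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str      # "udp", "tcp", "icmp", ...
    in_iface: str   # interface the packet arrived on
    src: str        # source IP address


@dataclass(frozen=True)
class Rule:
    """One /ip firewall filter rule; a None matcher means 'any'."""
    action: str
    proto: Optional[str] = None
    in_iface: Optional[str] = None
    src_net: Optional[str] = None
    comment: str = ""

    def matches(self, p: Packet) -> bool:
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.in_iface is not None and p.in_iface != self.in_iface:
            return False
        if self.src_net is not None and (
            ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src_net)
        ):
            return False
        return True


def make_chain(udp_action: str, lan_action: str) -> List[Rule]:
    """The two rules from the wiki, in the order they are listed."""
    return [
        Rule(udp_action, proto="udp", comment="UDP"),
        Rule(lan_action, in_iface="ether2", src_net="192.168.0.0/24",
             comment="From our LAN"),
    ]


WIKI_CHAIN = make_chain("accept", "accept")   # as recommended
DROP_CHAIN = make_chain("drop", "drop")       # both lines set to action=drop


def evaluate(chain: List[Rule], p: Packet) -> Tuple[str, str]:
    """Walk the chain top-down; the first matching rule decides.

    A packet that matches nothing falls through to RouterOS's implicit accept.
    """
    for rule in chain:
        if rule.matches(p):
            return rule.action, rule.comment
    return "accept", "no rule matched (implicit accept)"


# Constructed sample packets addressed to the router (chain=input).
DNS_FROM_LAN = Packet("udp", "ether2", "192.168.0.10")       # query to router's resolver
SSH_FROM_LAN = Packet("tcp", "ether2", "192.168.0.10")       # management session
UDP_FROM_WAN = Packet("udp", "ether1", "203.0.113.5")        # ether1 assumed to be WAN
TCP_FROM_WAN = Packet("tcp", "ether1", "203.0.113.5")
SPOOFED_LAN_ON_WAN = Packet("tcp", "ether1", "192.168.0.10")  # LAN source on WAN port

SAMPLES = [
    ("DNS over UDP from LAN", DNS_FROM_LAN),
    ("SSH (TCP) from LAN", SSH_FROM_LAN),
    ("UDP from WAN", UDP_FROM_WAN),
    ("TCP from WAN", TCP_FROM_WAN),
    ("LAN address arriving on WAN", SPOOFED_LAN_ON_WAN),
]


if __name__ == "__main__":
    for title, chain in (("wiki (accept/accept)", WIKI_CHAIN),
                         ("both drop", DROP_CHAIN),
                         ("UDP drop, LAN accept", make_chain("drop", "accept"))):
        print(f"== {title} ==")
        for name, pkt in SAMPLES:
            action, why = evaluate(chain, pkt)
            print(f"  {name:30} -> {action:6} ({why})")
```

Two things the run makes visible that the prose above only implies: with the UDP line set to drop, a DNS query from the LAN is dropped by the first rule before the "From our LAN" rule is ever consulted, whatever that second rule says, because rule order is what decides; and a TCP packet arriving on the WAN side matches neither rule in either variant and is still accepted by the implicit accept at the end of the chain, which is why the post recommends an explicit drop on the public interface.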

Thanks

I have action=drop for UDP traffic in my router’s rules for more than a year, and I have not noticed any problem when my computers surf the internet.

What kind of problem could occur with such a rule, out of curiosity?

Like I said - applications using UDP will fail.

Some DNS resolvers use UDP, but apparently, none in your network.

Other applications using UDP include some multi-player games, Microsoft SQL replicator service, and a few more I can’t recall… nothing particularly popular anyway, which is why you haven’t yet experienced any issues.

EDIT: Here are some common UDP applications.

Strange, some devices behind the NAT use the SIP protocol in UDP mode for connecting to an Asterisk server on the internet, and it works perfectly.