formerandroider
just joined
Topic Author
Posts: 14
Joined: Thu Aug 15, 2019 5:18 pm
Location: UK

Default firewall config query

Sat Aug 17, 2019 1:26 am

Hi,

I'm curious as to how the "defconf: drop all not coming from LAN" and "defconf: drop all from WAN not DSTNATed" firewall rules interact - surely the latter (which is placed as the last rule) will never be reached, as any WAN packets will have been dropped by the former? Or do the NAT rules change the source interface (which doesn't sound correct)?

Or is it expected that one will be disabled over the other? I understand the router at an intermediate level, but that specific default configuration is confusing me.

Liam
 
anav
Forum Guru
Posts: 3097
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Default firewall config query

Sat Aug 17, 2019 5:18 pm

I prefer: drop all as a last rule, and if I need port forwarding on the LAN side I make a specific rule for that.
Much clearer for all.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
Sob
Forum Guru
Posts: 4783
Joined: Mon Apr 20, 2009 9:11 pm

Re: Default firewall config query  [SOLVED]

Sat Aug 17, 2019 7:14 pm

Notice the chains where those rules are. In default config, "drop all not coming from LAN" is in chain=input and "drop all from WAN not DSTNATed" is in chain=forward. Input is for traffic to the router (e.g. to some service running on it, WinBox, etc.) and forward is for traffic passing through the router. So these two rules don't really interact, it's one or the other.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
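As an added illustration (not from the thread or from RouterOS itself), here is a small Python model of the two defconf rules living in separate chains. The matchers follow the rule comments quoted in the thread; the chain selection, the connection-state accept and the dst-nat flag are simplified assumptions standing in for the router's real connection tracking.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    in_list: str                 # interface list it arrived on: "LAN" or "WAN"
    to_router: bool              # destination is the router itself -> chain=input
    conn_state: str = "new"      # "new" or "established" (simplified)
    dst_natted: bool = False     # a dst-nat rule already rewrote the destination

def chain_for(pkt):
    """RouterOS picks the filter chain after the routing decision: locally
    destined packets go to chain=input, routed packets go to chain=forward."""
    return "input" if pkt.to_router else "forward"

# Simplified model of the relevant defconf rules: (chain, comment, matcher, action).
# Rules are evaluated top to bottom, but only those in the packet's own chain.
RULES = [
    ("input", "defconf: accept established,related",
     lambda p: p.conn_state == "established", "accept"),
    ("input", "defconf: drop all not coming from LAN",        # in-interface-list=!LAN
     lambda p: p.in_list != "LAN", "drop"),
    ("forward", "defconf: accept established,related",
     lambda p: p.conn_state == "established", "accept"),
    ("forward", "defconf: drop all from WAN not DSTNATed",   # in-interface-list=WAN
     lambda p: p.conn_state == "new" and p.in_list == "WAN"  # connection-state=new
     and not p.dst_natted, "drop"),                          # connection-nat-state=!dstnat
]

def filter_packet(pkt):
    """Return (action, comment of the deciding rule); a chain with no
    matching rule accepts implicitly, as in RouterOS."""
    chain = chain_for(pkt)
    for rule_chain, comment, matches, action in RULES:
        if rule_chain == chain and matches(pkt):
            return action, comment
    return "accept", f"{chain}: no rule matched, implicit accept"

if __name__ == "__main__":
    # Constructed sample packets, one per case discussed in the thread.
    cases = {
        "WAN -> router (WinBox)": Packet("WAN", to_router=True),
        "WAN -> LAN host, no dst-nat": Packet("WAN", to_router=False),
        "WAN -> LAN host, port forwarded": Packet("WAN", to_router=False, dst_natted=True),
        "LAN -> router": Packet("LAN", to_router=True),
    }
    for name, pkt in cases.items():
        action, why = filter_packet(pkt)
        print(f"{name:32} chain={chain_for(pkt):7} {action:6} ({why})")
```

The second case shows why the forward-chain rule is still reached: the input-chain drop never sees a packet that is being routed through the router.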
 
formerandroider
just joined
Topic Author
Posts: 14
Joined: Thu Aug 15, 2019 5:18 pm
Location: UK

Re: Default firewall config query

Sat Aug 17, 2019 8:23 pm

Ah, so the one on the INPUT chain only blocks access to the router from the WAN, but not to other destinations travelling via the router. Makes sense now, thanks!
 
pe1chl
Forum Guru
Posts: 5912
Joined: Mon Jun 08, 2015 12:09 pm

Re: Default firewall config query

Sat Aug 17, 2019 8:39 pm

I always sort the firewall rules so that first all the forward rules appear and then all the input rules. Makes things a lot clearer.
But of course while manually sorting them (moving them around using the mouse within the listed rules), you must keep the sequence within the same chain the same as it is now.
