Default firewall config query

Posted: Sat Aug 17, 2019 1:26 am
by formerandroider
Hi,

I'm curious as to how the "defconf: drop all not coming from LAN" and "defconf: drop all from WAN not DSTNATed" firewall rules interact - surely the latter (which is placed as the last rule) will never be reached, as any WAN packets will have been dropped by the former? Or do the NAT rules change the source interface (which doesn't sound correct)?

Or is it expected that one will be disabled over the other? I understand the router at an intermediate level, but that specific default configuration is confusing me.

Liam

Re: Default firewall config query

Posted: Sat Aug 17, 2019 5:18 pm
by anav
I prefer: drop all as a last rule, and if I need port forwarding on the LAN side I make a specific rule for that.
Much clearer for all.

Re: Default firewall config query  [SOLVED]

Posted: Sat Aug 17, 2019 7:14 pm
by Sob
Notice the chains where those rules are. In default config, "drop all not coming from LAN" is in chain=input and "drop all from WAN not DSTNATed" is in chain=forward. Input is for traffic to the router (e.g. to some service running on it, WinBox, etc.) and forward is for traffic passing through the router. So these two rules don't really interact, it's one or the other.
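
The two chains side by side, as an added example that is not part of the original thread or the MikroTik default script. The filter rules below follow the shape of the RouterOS v6 "defconf" rule set (the real default also carries IPsec-policy rules and varies by version; interface lists LAN and WAN are the ones the default script creates). The dstnat rule, the inside address 192.168.88.10 and port 443 are assumptions added to show the one case where a packet arriving on WAN passes the forward chain:

```routeros
# --- chain=input: packets addressed to the router itself (WinBox, SSH, DNS, ...) ---
/ip firewall filter
add chain=input action=accept connection-state=established,related,untracked \
    comment="defconf: accept established,related,untracked"
add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=input action=accept protocol=icmp comment="defconf: accept ICMP"
# Last input rule: anything not arriving from a LAN-list interface is dropped.
# This only protects the router's own services; it says nothing about transit traffic.
add chain=input action=drop in-interface-list=!LAN \
    comment="defconf: drop all not coming from LAN"

# --- chain=forward: packets routed through the router (LAN <-> WAN) ---
add chain=forward action=fasttrack-connection connection-state=established,related \
    comment="defconf: fasttrack"
add chain=forward action=accept connection-state=established,related,untracked \
    comment="defconf: accept established,related,untracked"
add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
# Last forward rule: a NEW connection from WAN is dropped unless conntrack already
# marked it as dst-nat'ed, i.e. unless a dstnat rule below rewrote its destination.
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat \
    in-interface-list=WAN comment="defconf: drop all from WAN not DSTNATed"

# --- assumed port forward (not in the default config) ---
# dstnat runs before filter/forward, so an inbound TCP/443 connection reaches the
# forward chain with connection-nat-state=dstnat and is NOT matched by the last drop rule.
# The input chain is never consulted for it, because its destination is now the inside host.
/ip firewall nat
add chain=dstnat in-interface-list=WAN protocol=tcp dst-port=443 \
    action=dst-nat to-addresses=192.168.88.10 to-ports=443 \
    comment="assumed example: forward HTTPS to an inside host"

# --- check: list each chain on its own to confirm the per-chain order ---
/ip firewall filter print where chain=input
/ip firewall filter print where chain=forward
```

Reading the two `print` outputs separately is the quickest way to see that the "drop all not coming from LAN" rule is the tail of the input chain only, and that the forward chain's own tail is the "not DSTNATed" rule; packet counters on the dstnat rule and on the last forward rule show which path an inbound connection actually took.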

Re: Default firewall config query

Posted: Sat Aug 17, 2019 8:23 pm
by formerandroider
Ah, so the one on the INPUT chain only blocks access to the router from the WAN, but not to other destinations travelling via the router. Makes sense now, thanks!

Re: Default firewall config query

Posted: Sat Aug 17, 2019 8:39 pm
by pe1chl
I always sort the firewall rules so that first all the forward rules appear and then all the input rules. Makes things a lot clearer.
But of course, while manually sorting them (moving them around using the mouse within the listed rules), you must keep the sequence within the same chain the same as it is now.