I have some firewall rules that conflict with each other, and I thought that whichever rule was higher in the list would take priority, but that does not seem to be the case. I am trying to allow traffic between two IP address lists on UDP port 666. The VLAN isolation rules prevent traffic between IP address lists, but they are lower in the chain. As I send the UDP payload across the network, I can see the count increasing on the firewall rule for VLAN isolation, and my packets are never being delivered. Does anyone know what I am doing wrong, or could this be a bug? Rules number 5 and 10 are the conflicting rules.
In general it should be straightforward and there should be no conflict between rules. If there is, then your rule structure needs work!
The best approach IMHO is to ensure the USER initiated rules ONLY ALLOW permitted traffic. Clean and simple.
The last rule in the Forward Chain (or Input Chain for that matter) should be DROP ALL ELSE.
So in general...
Forward Chain
{Default Rules -
fasttrack
allow established, related
drop invalid packets}
User Rules (examples):
allow vlan x to internet
allow vlan y to internet
allow admin user (IP address) access to all vlans
allow users in vlan x to a shared printer located in vlanY
Last Rule:
/ip firewall filter add chain=forward action=drop comment="Drop all else"
This should ensure that all traffic at layer 3 that is not explicitly allowed in the user rules will be dropped.
In summary: all your vlan drop rules - get rid of them, not required.
I would like a better explanation of the other entities - god, wifi remote and all the entries to the right... event horizon etc.
And mixing ports and vlans in rules is also bizarre.
What is your subnet structure...?
A complete posted config would be helpful.
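An added example (not the poster's config, and not code from the reply above) showing the forward-chain layout this reply recommends as a RouterOS filter export, including the UDP 666 allow between two address lists. Interface names, list names and addresses are assumptions.

```routeros
# Added example: forward chain built as "default rules, explicit allows, drop all else".
# Interface names, address lists and addresses are assumptions, not the poster's config.
/interface list
add name=WAN
add name=LAN
/interface list member
add list=WAN interface=ether1
add list=LAN interface=vlan10
add list=LAN interface=vlan20

/ip firewall address-list
add list=udp666-src address=192.168.10.50 comment="constructed example host in vlan10"
add list=udp666-dst address=192.168.20.50 comment="constructed example host in vlan20"

/ip firewall filter
# Default rules: accelerate and accept known flows, discard invalid packets.
add chain=forward action=fasttrack-connection connection-state=established,related comment="fasttrack"
add chain=forward action=accept connection-state=established,related comment="allow established,related"
add chain=forward action=drop connection-state=invalid comment="drop invalid"
# User rules: only explicit permits. Order inside this block does not matter,
# because there is no conflicting drop rule between them and the final catch-all.
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN comment="allow vlans to internet"
add chain=forward action=accept src-address-list=udp666-src dst-address-list=udp666-dst protocol=udp dst-port=666 comment="allow UDP 666 between the two lists"
add chain=forward action=accept src-address=192.168.10.10 comment="admin host to all vlans"
add chain=forward action=accept in-interface=vlan10 dst-address=192.168.20.9 protocol=tcp dst-port=9100 comment="vlan10 to printer in vlan20"
# Last rule: anything not matched by an allow above is dropped, which is what
# makes separate per-VLAN isolation drop rules unnecessary.
add chain=forward action=drop comment="Drop all else"
```

Reply traffic for the UDP 666 flow is accepted by the established,related rule, so only the initiating direction needs its own allow; checking the counters on the allow rule versus the final drop shows whether a new flow actually matched the intended lists.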