Tue Apr 06, 2021 6:01 pm
What is important to understand is that the default firewall rules let you work out of the box safely.
The input chain rules are for traffic to and from the router itself, from the LAN or the Internet (think changing router configuration or accessing router services such as DNS, NTP, IPsec, etc.).
The forward chain is pretty much anything going across the router (to and from the Internet from the LANs, LAN to LAN, etc.).
The default rules work on the premise of dropping a whole bunch of potentially unsafe traffic and then letting everything else flow. This means that the rules basically allow everything you have not specifically disallowed. To do this they have one funky rule in the input chain and one funky rule in the forward chain. These rules can be confusing and basically perform duplicate functions within a single rule.
However, with minimal changes one can change the rule method to one of: block everything and only allow what I specifically state. This is much easier for the admin to articulate, as I know what traffic I want but I have no idea of the types of traffic I want to block, so a blanket block simply works!
In the forward chain this rule is
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
Which basically states: drop all traffic coming from the WAN (headed to the LAN) except for any traffic that is intended for port forwarding; everything else, whatever it may be, is allowed!
So this is a great broad brush rule to stop traffic coming in from the WAN, but for example it does nothing to block any unwanted LAN to LAN traffic at Layer 3, such as VLAN to VLAN or subnet to subnet traffic, so one would have to add additional rules to block such traffic, OR if you didn't want subnet to Internet traffic (LAN to WAN), as that is not blocked either.
I don't like multiple rules within a rule, and rules should be clear... So split the two above into two rules, and then add a third rule for internet access.
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat connection-state=new in-interface-list=WAN
(can disable if not port forwarding)
add action=accept chain=forward comment="allow lan to wan traffic" in-interface-list=LAN out-interface-list=WAN
add action=drop chain=forward comment="drop all else"
In this manner you have one rule that deals specifically with port forwarding to allow it (or not, and disable it) and one rule to allow LAN to WAN traffic.
The last rule blocks all other traffic, whether you know what that traffic may look like or not; for example, it blocks all WAN to LAN traffic and all LAN subnet to LAN subnet traffic.
As MKX stated, once you start understanding the rules and how they affect traffic flow you can make changes to allow the traffic you need. You can ignore the good ideas club on YouTube, I would say for at least 2 years, LOL. Then you may wish to start trying stuff.
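As an added illustration (this is not part of the post above, nor MikroTik's own code), the following Python model walks a few constructed packets through both versions of the forward chain: the single defconf "drop all from WAN not DSTNATed" rule, and the split accept/accept/drop version. It assumes, as the default configuration does, that an "accept established,related" rule sits above both sets of rules (otherwise the "drop all else" rule would also eat the return packets of LAN to WAN connections), that an interface belongs to exactly one of the WAN or LAN lists, and that anything reaching the end of a RouterOS filter chain is accepted. The matcher names, flow samples and helper functions are all my own.

```python
"""Toy first-match evaluator for the two forward-chain variants discussed above.

Constructed example: models only the matchers the post uses (interface list,
connection-state, connection-nat-state), not the full /ip firewall filter syntax.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    """One packet as the forward chain sees it (constructed sample input)."""
    in_list: str      # interface list the packet arrived on: "WAN" or "LAN"
    out_list: str     # interface list it will be routed out of
    conn_state: str   # "new", "established", "related" or "invalid"
    nat_state: str    # "dstnat" if a dst-nat rule rewrote it, otherwise "none"


@dataclass(frozen=True)
class Rule:
    """Subset of a RouterOS filter rule; a None matcher means 'any'."""
    action: str                                   # "accept" or "drop"
    comment: str
    in_list: Optional[str] = None                 # in-interface-list=
    out_list: Optional[str] = None                # out-interface-list=
    conn_state: Optional[Tuple[str, ...]] = None  # connection-state=a,b
    nat_state: Optional[str] = None               # connection-nat-state=dstnat or !dstnat

    def matches(self, f: Flow) -> bool:
        if self.in_list is not None and f.in_list != self.in_list:
            return False
        if self.out_list is not None and f.out_list != self.out_list:
            return False
        if self.conn_state is not None and f.conn_state not in self.conn_state:
            return False
        if self.nat_state is not None:
            negate = self.nat_state.startswith("!")       # "!dstnat" means NOT dst-natted
            want = self.nat_state.lstrip("!")
            if (f.nat_state == want) == negate:
                return False
        return True


def evaluate(chain: List[Rule], f: Flow) -> Tuple[str, str]:
    """First matching rule wins; RouterOS accepts whatever falls off the end of a chain."""
    for r in chain:
        if r.matches(f):
            return r.action, r.comment
    return "accept", "end of chain (implicit accept)"


# Assumed to precede both variants, as it does in the default configuration.
ESTABLISHED = Rule("accept", "defconf: accept established,related",
                   conn_state=("established", "related"))

# Variant 1: the single defconf rule quoted in the post (default-allow after it).
DEFAULT_CHAIN = [
    ESTABLISHED,
    Rule("drop", "defconf: drop all from WAN not DSTNATed",
         in_list="WAN", conn_state=("new",), nat_state="!dstnat"),
]

# Variant 2: the split rules from the post (default-deny via "drop all else").
SPLIT_CHAIN = [
    ESTABLISHED,
    Rule("accept", "allow port forwarding",
         in_list="WAN", conn_state=("new",), nat_state="dstnat"),
    Rule("accept", "allow lan to wan traffic", in_list="LAN", out_list="WAN"),
    Rule("drop", "drop all else"),
]

# Constructed sample packets covering the cases the post talks about.
SAMPLE_FLOWS: Dict[str, Flow] = {
    "wan_to_lan_unsolicited":   Flow("WAN", "LAN", "new", "none"),
    "wan_to_lan_port_forward":  Flow("WAN", "LAN", "new", "dstnat"),
    "wan_to_lan_return_traffic": Flow("WAN", "LAN", "established", "none"),
    "lan_to_wan":               Flow("LAN", "WAN", "new", "none"),
    "lan_to_lan_vlan_hop":      Flow("LAN", "LAN", "new", "none"),
}


def compare(flows: Dict[str, Flow] = SAMPLE_FLOWS) -> Dict[str, Tuple[str, str]]:
    """Return {flow name: (verdict under DEFAULT_CHAIN, verdict under SPLIT_CHAIN)}."""
    return {name: (evaluate(DEFAULT_CHAIN, f)[0], evaluate(SPLIT_CHAIN, f)[0])
            for name, f in flows.items()}


if __name__ == "__main__":
    for name, (default_verdict, split_verdict) in compare().items():
        print(f"{name:28} default={default_verdict:7} split={split_verdict}")
```

The only row where the two variants disagree is the LAN to LAN hop: the defconf rule never looks at it, so it falls off the end of the chain and is accepted, while the split chain drops it because nothing before "drop all else" claims it. Everything the post says should still work (port forwards, LAN to WAN, and the return half of those connections) is accepted by both.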