The manual has some recommended firewall settings for an ISP and I'm curious about a couple.
add action=drop chain=forward comment="Drop tries to reach not public addresses from LAN" dst-address-list=not_in_internet in-interface=bridge1 log=yes log-prefix=!public_from_LAN out-interface=!bridge1
add action=drop chain=forward comment="Drop incoming packets that are not NATted" connection-nat-state=!dstnat connection-state=new in-interface=ether1 log=yes log-prefix=!NAT
Questions
The first here: does it not prevent me, either on a VPN or connected over the network, from accessing devices on the network?
The second, dropping incoming packets that aren't NATted... does that not drop packets destined for the router itself from the outside, i.e. VPN access to the router?
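As an added example (not from the original post, the MikroTik manual, or anyone in this thread), here is how the two quoted rules interact with a VPN interface, assuming bridge1 is the LAN, ether1 the WAN, and a hypothetical WireGuard interface named wireguard1 listening on UDP 13231 whose peers use addresses inside not_in_internet. The first rule only matches traffic entering on bridge1 and leaving on some other interface, so LAN-to-VPN traffic is exactly what it drops unless an accept rule sits ahead of it; the second rule is in chain=forward, so packets addressed to the router itself never meet it (they go through chain=input) and need their own input rule:

```routeros
# Added example, not from the original post or the MikroTik manual.
# Assumptions: bridge1 = LAN, ether1 = WAN, wireguard1 = hypothetical VPN
# interface on UDP 13231; VPN peers use 10.99.0.0/24 (inside not_in_internet).

/interface list add name=LAN comment="LAN-side interfaces, including the VPN"
/interface list member add list=LAN interface=bridge1
/interface list member add list=LAN interface=wireguard1

/ip firewall filter
# Must come BEFORE the "not public addresses" drop: that rule matches
# in-interface=bridge1 out-interface=!bridge1 with a private destination,
# which is precisely a LAN host talking to a VPN peer.
add chain=forward action=accept in-interface-list=LAN out-interface-list=LAN \
    comment="Allow traffic between LAN and VPN interfaces"
add chain=forward action=drop dst-address-list=not_in_internet \
    in-interface=bridge1 out-interface=!bridge1 log=yes log-prefix=!public_from_LAN \
    comment="Drop tries to reach not public addresses from LAN"

# Traffic destined for the router itself (the VPN handshake arriving on ether1)
# is handled in chain=input; the forward-chain !dstnat drop below never sees it.
add chain=input action=accept protocol=udp dst-port=13231 in-interface=ether1 \
    comment="Allow WireGuard to the router (hypothetical port)"
add chain=forward action=drop connection-nat-state=!dstnat connection-state=new \
    in-interface=ether1 log=yes log-prefix=!NAT \
    comment="Drop incoming packets that are not NATted"
```

Rule order is what matters here: RouterOS evaluates filter rules top to bottom, so the accept for LAN-to-VPN must be listed above the drop, and VPN-to-LAN traffic (in-interface=wireguard1) is not touched by the first drop at all because it does not enter on bridge1. Traffic between two hosts on the same bridge is switched at layer 2 and does not pass through the IP forward chain unless use-ip-firewall is enabled on the bridge.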