Hello, my question is more conceptual about basics of counters in firewall filter rules. I searched through the forum and documentation, and unfortunately didn’t find an obvious answer.
In my setup I use a “whitelist” flavour of filter rules from the local net to the WAN, i.e. explicitly setting permissible rules while unconditionally dropping everything else at the end.
As a sanity check, I expected whatever count is reported in ‘passthrough forward’ upon connections to the WAN (e.g. streaming video) to be reflected in the aggregate count of the forward rules (accept, drop) in the above ‘closed’ setup. But I’m seeing much higher traffic reported in the former than is captured in the latter set.
Barring an erroneous rule setup, I was wondering whether there is any reason traffic counted by ‘passthrough forward’ would not appear in the counts of the forward rules in the above setup, as, intuitively, it suggests the firewall is implicitly allowing something through, bypassing the rule set. Is this expected behaviour? If so, how would it be possible to inspect the firewall state with regard to such connections bypassing the filter rules?
Thank you