Firewall is not blocking

bahtsiz_bedevi · March 1, 2023, 10:54am

config rule
        list dest_ip '13.107.42.12'
        option name '1drv.ms'
        option dest 'wan'
        list src_mac 'XX:XX:XX:XX:XX:XX'
        list src_mac 'XX:XX:XX:XX:XX:XX'  # mine
        option target 'REJECT'
        list proto 'all'
        option src 'lan'

Why is this rule not blocking requests from XX:XX:XX:XX:XX:XX to 13.107.42.12 ?

root@router:~# /etc/init.d/firewall status
active with no instances

EDIT 1: For some reason it's blocking now I swear it wasn't blocking... I'll test it further

EDIT 2:
After restarting router, firewall is working, requests are blocked. Why is a blocking rule requires restarting the router?

lleachii · March 1, 2023, 11:38am

They don't - but they do require reloading of the firewall.

bahtsiz_bedevi · March 1, 2023, 11:40am

issued root@router:~# /etc/init.d/firewall reload and firewall rule is still not working

lleachii · March 1, 2023, 11:42am

What about /etc/init.d/firewall restart?
Also, is this active/current traffic you're monitoring; or new traffic after applying?

bahtsiz_bedevi · March 1, 2023, 12:00pm

After /etc/init.d/firewall restart firewall starts working with a bit delay (30s-1min)

But If I remove my MAC address from the firewall rule and save, firewall allows my MAC immediately, /etc/init.d/firewall restart is not required.

bahtsiz_bedevi · March 1, 2023, 12:05pm

@lleachii
I have a time restricted firewall rule.
What's the point of having a time restricted firewall rule if firewall is applied on new connections?
Wouldn't someone be able to connect to internet forever as long as they use the same connection?

lleachii · March 1, 2023, 12:11pm

(TCP and UDP connections have a timeout timer.)
Also note - There is a concept of Established and Related connections in the firewall - so a current connection at restart of the firewall would already be Established and hence, allowed

bahtsiz_bedevi · March 1, 2023, 12:15pm

So a client eventually(after TCP or UDP timeout) will be blocked when time restriction firewall rule begins?

lleachii · March 1, 2023, 12:18pm

Yes.

(My bad, I thought that part was already explained/understood.)

BTW, it doesn't matter that it's a time rule - it seems the observation you're experiencing is because of your noting existing Established/Related connections during your test.

system · March 11, 2023, 12:18pm

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.