Firewall: rule to allow only incoming traffic for a host (please confirm it)

Hi experts,
I have an IP cam, so I want to be sure that it doesn't connect automatically to some unknown cloud/external service that I don't manage, bypassing the router in some way; the only traffic enabled should be inside the LAN or coming from outside (I need to reach the cam, via VPN of course, no public IP:ports).
So, via LuCI I added the following rule:
[image]
where the IP is that of the cam.
Is it right? It should block all traffic for every protocol from that IP to the outside; at the same time, traffic starting from the opposite direction (wan => ip) should work... right?
Thanks!

PS: is there any way to check/monitor any outgoing traffic generated by this cam (the traffic I want to block)?

Run `tcpdump -i any host <IP Address>` on the router; it will show all traffic.
You can also activate logging on the firewall rules, which will show you either the allowed or the blocked traffic in the logs.

https://forum.openwrt.org/t/keeping-webcam-isolated-on-guest-network-but-make-it-accessible-on-other-networks-with-homekit/

This is kind of the same question.

For verification the only real method is to watch the WAN traffic with Wireshark.

Via LuCI? I will dig more into the interface...

Hmm, on the router itself, via console? Or using a Wireshark client on (e.g.) a Windows machine? My cam is wired, so there should be some theoretical and valid approach to drop all and only the traffic (generated) from it to the outside....

Yes, in the Firewall, in each Zone under "Advanced Settings" you have "Enable logging on this zone".
These are then shown under Status - System Log.

I have used that for a couple of years. That only shows the packets, with some time filtering, that fail the rule.
It doesn't log data movements.

19.07 has port tapping in the switch. It is also possible on 21.02, but not easy for the time being.

You can also use a managed switch to tap the WAN data to a computer with Wireshark.

I personally use an old router: I run the internet line through two unmanaged ports and then tap that data in the router switch to an interface that the scanning computer is connected to.

That is what the tcpdump command was for :wink:

With tcpdump, it seems there is some kind of outgoing traffic, how can I be sure it is blocked?

10:57:17.563901 ethertype IPv4, IP 172.16.1.123.41141 > ec2-3-65-115-23.eu-central-1.compute.amazonaws.com.9999: UDP, length 104
10:57:17.563901 IP 172.16.1.123.41141 > ec2-3-65-115-23.eu-central-1.compute.amazonaws.com.9999: UDP, length 104
10:57:17.563901 IP 172.16.1.123.41141 > ec2-3-65-115-23.eu-central-1.compute.amazonaws.com.9999: UDP, length 104
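The same packet shows up three times above because `-i any` reports it on every interface it crosses (switch port, bridge, and the WAN interface if it was actually forwarded); a capture on the LAN side shows what the cam tries to send, not what leaves the router. The following is an added example, not code from the thread: a small POSIX shell script for the router (or any Linux box you copy the capture to) that parses `tcpdump -n` output and separates the cam's private destinations (LAN, VPN) from public ones. It assumes the cam address 172.16.1.123 from the output above, the address 3.65.115.23 implied by the `ec2-3-65-115-23` hostname, and a sample capture constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: sort the flows in a tcpdump capture into
# camera -> private (LAN/VPN) and camera -> public destinations.
# Assumes tcpdump was run with -n so addresses are numeric, e.g.
#   tcpdump -ni br-lan host 172.16.1.123     (LAN side: what the cam tries)
#   tcpdump -ni <wan-if> udp port 9999       (WAN side: what actually leaves)
# Only IPv4 "IP src.port > dst.port:" lines are parsed; IPv6 lines are ignored.

# Return 0 if $1 is an RFC 1918, loopback or link-local IPv4 address, 1 otherwise.
is_private_ipv4() {
    case "$1" in
        10.*|192.168.*|127.*|169.254.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# Read tcpdump -n output on stdin, keep packets whose source IP is the camera ($1),
# and print "<count> <private|PUBLIC> <dst_ip>:<dst_port>", most frequent first.
camera_flows() {
    cam="$1"
    sed -n 's/.* IP \([0-9.]*\) > \([0-9.]*\): .*/\1 \2/p' |
    while read -r src dst; do
        [ "${src%.*}" = "$cam" ] || continue   # drop the source port, compare the IP
        dst_ip=${dst%.*}
        dst_port=${dst##*.}
        if is_private_ipv4 "$dst_ip"; then scope=private; else scope=PUBLIC; fi
        printf '%s %s:%s\n' "$scope" "$dst_ip" "$dst_port"
    done | sort | uniq -c | sort -rn
}

# Number of distinct public destinations the camera sent to.
# On a WAN-side capture this must be 0 if the firewall rule works.
count_public_destinations() {
    camera_flows "$1" | grep -c ' PUBLIC ' || true
}

# Constructed sample in tcpdump -n format. Only the cam IP and the UDP/9999 flow
# come from the thread; the other addresses and ports are made up for the demo.
SAMPLE_CAPTURE='10:57:17.563901 IP 172.16.1.123.41141 > 3.65.115.23.9999: UDP, length 104
10:57:17.563901 IP 172.16.1.123.41141 > 3.65.115.23.9999: UDP, length 104
10:57:18.001200 IP 172.16.1.123.41141 > 3.65.115.23.9999: UDP, length 104
10:57:18.200000 IP 172.16.1.123.53124 > 172.16.1.1.53: 12345+ A? example.com. (29)
10:57:19.100000 IP 172.16.1.123.554 > 10.8.0.2.40001: Flags [P.], seq 1:1401, ack 1, win 501, length 1400
10:57:19.500000 IP 172.16.1.1.53 > 172.16.1.123.53124: 12345 1/0/0 A 93.184.216.34 (45)
10:57:20.000000 IP 172.16.1.123.43210 > 8.8.8.8.53: 5551+ A? something.cloud. (35)'

# Demo on the constructed sample; on the router use: tcpdump -n ... | camera_flows <cam-ip>
printf '%s\n' "$SAMPLE_CAPTURE" | camera_flows 172.16.1.123
```

On the sample this reports the UDP/9999 flow and a public DNS query as PUBLIC, and the DNS query to the router and the RTSP stream to a VPN client as private. To confirm the block rather than the attempt, feed it a capture taken on the WAN interface: after masquerading the source address there is the router's WAN address, so pass that address as the first argument. Zero public destinations on that capture, together with a rising packet counter on the REJECT rule, is the confirmation.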

I put the following (or similar - this is a cut/paste from a backup :slight_smile:) into /etc/config/firewall.user (I think that is loaded automatically, but check):

# A dedicated chain, so its packet counters are visible on their own
# (-N fails harmlessly if the chain already exists; -F then empties it)
iptables -N camera_kill_packets
iptables -F camera_kill_packets
iptables -A camera_kill_packets -j REJECT

# Send every forwarded frame whose source MAC is the camera's into that chain
iptables -A forwarding_rule -m mac --mac-source 00:aa:bb:cc:dd:ee -j camera_kill_packets

You can then see in LuCI Status -> Firewall how many packets are hitting the camera_kill_packets table, which gives confidence that it is working.
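The same block expressed as an OpenWrt traffic rule in /etc/config/firewall, as an added example that is not from the thread. It assumes the cam address 172.16.1.123 from the capture above, the placeholder MAC 00:aa:bb:cc:dd:ee from the snippet above, and the fw3 chain layout of 19.07 and 21.02. Two things worth knowing when choosing between the two forms: fw3 jumps to `forwarding_rule` before its `RELATED,ESTABLISHED` accept, so a MAC match placed there also rejects the cam's replies to connections opened from the VPN side, whereas a `config rule` with src lan and dest wan lands in `zone_lan_forward`, after that accept, and so only catches connections the cam opens itself (cam-to-LAN traffic is bridged and never reaches the FORWARD chain in either case). And fw3 runs the include from /etc/firewall.user, not /etc/config/firewall.user; from 22.03 (fw4, nftables) that file is not run at all, while the UCI rule keeps working.

```uci
# /etc/config/firewall  (OpenWrt fw3 on 19.07 / 21.02; also accepted by fw4 on 22.03+)
# Added example, not from the thread. 172.16.1.123 is the cam address seen in the
# tcpdump output above; give the cam a static DHCP lease so the address stays fixed.
config rule
	option name 'cam-no-outbound'
	option src 'lan'
	option src_ip '172.16.1.123'
	option dest 'wan'
	option proto 'all'
	option target 'REJECT'

# Alternative: match the cam by MAC instead of IP, as the iptables snippet does,
# by replacing the src_ip line with:
#	option src_mac '00:aa:bb:cc:dd:ee'

# Apply and verify: the rule's packet counter must grow while the cam is on,
# and a WAN-side tcpdump must no longer show the UDP/9999 flow.
#   /etc/init.d/firewall restart
#   iptables-save -c | grep cam-no-outbound
```

The rule is placed by fw3 in `zone_lan_forward` with the name as an iptables comment, which is why `iptables-save -c | grep cam-no-outbound` shows its packet and byte counters; the same counter is visible in LuCI under Status -> Firewall.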