Firewall rules order

I've recently switched my good old PC Engines Alix board over to OpenWrt (19.07.08), and so far so good. However, I just noticed something unexpected with the firewall rules order. I've got quite a few zones (WAN, LAN, DMZ, Management, IoT and Guest) with potentially more on the way. Most zones' Input and Forward default actions are set to drop or reject.

Now I want to for example allow Ping to and from the router itself, bidirectional between most zones as well, and just have one or two zones restricted. I thought I could reduce the exploding number of required rules and rely on their order, with something along these lines:

  • accept Ping from any to device
  • accept Ping from device to any
  • accept Ping from DMZ to WAN
  • reject Ping from DMZ to any
  • accept Ping from any to any

That does not work, however. The iptables output that fw3 produces has rules with "any to any zone" early in the FORWARD chain, before it jumps to the zone-specific chains like zone_dmz_forward. So although I ordered my rules from most specific to most general, the final "accept any to any" is placed first. A similar issue arises with "from any" and "to any" rules and the INPUT and OUTPUT chains.

Is there a reason why fw3 would place more general rules earlier in the chain? This seems very illogical to me.

And probably more important, is there an alternative approach I could use to get the results I'd like with fw3, without having to spell out almost (n*n)/2 individual rules for the different single zone to single zone combinations?

Should anyone stumble upon this thread with similar issues, for the moment I placed my more specific rules into the custom "firewall.user" script as a workaround, as the custom chains are evaluated before most other rules.

I still don't get why fw3 would place very general "from/to any zone" rules before its own zone chains with their more specific rules, but I guess it is what it is. :neutral_face:
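Added example, not part of the original post or of fw3 itself: a small first-match evaluator for zone-to-zone rules that reproduces the shadowing the post describes (the "any to any" accept landing ahead of the DMZ rules), a check that flags rules which can never fire because an earlier rule matches a superset of their traffic, and a renderer that emits the specific rules as iptables commands for fw3's forwarding_rule custom chain, which is the firewall.user workaround mentioned above. The zone names come from the post; the zone-to-interface mapping (eth0, eth2) and the packets evaluated are constructed assumptions, and the model only covers the FORWARD rules (ping between zones), not the INPUT/OUTPUT rules to and from the device.

```python
from dataclasses import dataclass

ANY = "any"


@dataclass(frozen=True)
class Rule:
    src: str      # zone name from the post, or "any"
    dst: str      # zone name from the post, or "any"
    action: str   # "accept" or "reject"


def _covers(pattern: str, zone: str) -> bool:
    return pattern == ANY or pattern == zone


def first_match(rules, src, dst):
    """Action of the first rule matching a (src zone, dst zone) pair, or None.

    This is netfilter's evaluation model: the first matching terminating
    target wins, later rules are never consulted."""
    for r in rules:
        if _covers(r.src, src) and _covers(r.dst, dst):
            return r.action
    return None


def _subsumes(a: Rule, b: Rule) -> bool:
    """True if every packet matching b also matches a."""
    return (a.src in (ANY, b.src)) and (a.dst in (ANY, b.dst))


def shadowed(rules):
    """Rules that can never fire because an earlier rule already matches
    a superset of their traffic. A non-empty result means the intended
    policy is not the effective policy."""
    return [r for i, r in enumerate(rules)
            if any(_subsumes(earlier, r) for earlier in rules[:i])]


def render_firewall_user(rules, zone_ifaces):
    """Render rules as iptables commands appended to fw3's forwarding_rule
    chain (jumped to at the top of FORWARD, before the zone chains).
    zone_ifaces maps a zone to one interface name; zones with several
    interfaces would need one command per interface (assumption: one each).
    A source or destination of "any" simply omits -i / -o."""
    lines = []
    for r in rules:
        parts = ["iptables", "-A", "forwarding_rule"]
        if r.src != ANY:
            parts += ["-i", zone_ifaces[r.src]]
        if r.dst != ANY:
            parts += ["-o", zone_ifaces[r.dst]]
        parts += ["-p", "icmp", "--icmp-type", "echo-request",
                  "-j", r.action.upper()]
        lines.append(" ".join(parts))
    return lines


# The forwarding rules in the order the post's author intended.
INTENDED = [
    Rule("dmz", "wan", "accept"),
    Rule("dmz", ANY, "reject"),
    Rule(ANY, ANY, "accept"),
]

# The order the post describes fw3 emitting: the "any to any" rule sits in
# the generic part of FORWARD, ahead of the jumps into zone_dmz_forward.
AS_EMITTED = [
    Rule(ANY, ANY, "accept"),
    Rule("dmz", "wan", "accept"),
    Rule("dmz", ANY, "reject"),
]

# Constructed zone-to-interface mapping for the rendered workaround.
ZONE_IFACES = {"dmz": "eth2", "wan": "eth0"}

if __name__ == "__main__":
    for name, rules in (("intended", INTENDED), ("as emitted", AS_EMITTED)):
        print(f"{name}: dmz->lan ping = {first_match(rules, 'dmz', 'lan')}, "
              f"shadowed = {shadowed(rules)}")
    # Only the specific rules go into firewall.user; the general
    # "accept any to any" can stay in the UCI config as the fallback.
    print("\n".join(render_firewall_user(INTENDED[:2], ZONE_IFACES)))
```

Running the script shows the intended order rejecting a DMZ to LAN ping while the emitted order accepts it, and lists both DMZ rules as shadowed in the emitted order; the rendered commands are what the firewall.user workaround amounts to, with the specific rules evaluated from forwarding_rule before fw3's own zone chains.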