I've recently switched my good old PC Engines Alix board over to OpenWrt (19.07.08), and so far so good. However, I just noticed something unexpected with the firewall rule order. I've got quite a few zones (WAN, LAN, DMZ, Management, IoT and Guest) with potentially more on the way. Most zones' Input and Forward default actions are set to drop or reject.
Now I want, for example, to allow ping to and from the router itself, bidirectionally between most zones as well, and just have one or two zones restricted. I thought I could reduce the exploding number of required rules and rely on their order, with something along these lines:
- accept Ping from any to device
- accept Ping from device to any
- accept Ping from DMZ to WAN
- reject Ping from DMZ to any
- accept Ping from any to any
That does not work, however. The iptables output that fw3 produces has rules with "any to any zone" early in the FORWARD chain, before it jumps to the zone-specific chains like zone_dmz_forward. So although I ordered my rules from most specific to most general, the final "accept any to any" is placed first. A similar issue arises with "from any" and "to any" rules in the INPUT and OUTPUT chains.
Is there a reason why fw3 would place more general rules earlier in the chain? This seems very illogical to me.
And probably more importantly, is there an alternative approach I could use to get the results I'd like with fw3, without having to spell out almost (n*n)/2 individual rules for the different single-zone-to-single-zone combinations?
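One way to keep the rule count linear in the number of zones, as an added example that is not part of the original post. It builds on the placement the post observes (a forward rule with src '*' is emitted into the top-level FORWARD chain ahead of the per-zone jumps) together with the assumption that a rule with a concrete src zone is emitted into that zone's zone_<src>_forward chain in config order. Under that assumption the DMZ-specific accept is evaluated before the DMZ-wide reject, and the other zones never pass through the DMZ chain at all, so no "any to any" rule is needed. Zone names (dmz, wan, lan, mgmt, iot, guest) and rule names are placeholders; only the two router rules use '*', and those sit in INPUT/OUTPUT where nothing else competes with them.

```uci
# /etc/config/firewall fragment (constructed example, not the original post's config)
# Assumes fw3 on OpenWrt 19.07: rules with src '*' go to the top-level chain,
# rules with a concrete src go to zone_<src>_forward in config order.

# Ping to the router itself: src '*' lands in INPUT, which is fine here.
config rule
	option name 'Ping-Any-to-Router'
	option src '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	option target 'ACCEPT'

# Ping from the router itself: dest '*' with no src lands in OUTPUT.
config rule
	option name 'Ping-Router-to-Any'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	option target 'ACCEPT'

# DMZ is the restricted zone: the specific accept must come before the
# zone-wide reject, and both live in zone_dmz_forward because src is 'dmz'.
config rule
	option name 'Ping-DMZ-to-WAN'
	option src 'dmz'
	option dest 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	option target 'ACCEPT'

config rule
	option name 'No-Ping-DMZ-to-Other'
	option src 'dmz'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	option target 'REJECT'

# Every unrestricted zone gets one "to any" rule instead of one rule per
# destination zone: n rules in total rather than roughly n*n/2.
config rule
	option name 'Ping-LAN-to-Any'
	option src 'lan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	option target 'ACCEPT'

config rule
	option name 'Ping-MGMT-to-Any'
	option src 'mgmt'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	option target 'ACCEPT'

config rule
	option name 'Ping-IoT-to-Any'
	option src 'iot'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	option target 'ACCEPT'

config rule
	option name 'Ping-Guest-to-Any'
	option src 'guest'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	option target 'ACCEPT'
```

Because no forward rule uses src '*', nothing is emitted ahead of the zone jumps, and each zone's own Forward default still applies to anything not listed. A second restricted zone is handled the same way as the DMZ: its specific accepts first, then a src-zone reject to '*'. After reloading (`/etc/init.d/firewall restart`), `iptables -S zone_dmz_forward` should show the WAN accept directly above the reject, and `iptables -S FORWARD` should contain only the conntrack rule and the per-interface jumps before any zone chain is reached.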