Firewall4 configuration

As of snapshot changing to (build: switch to firewall4 by default), I noticed changing wan zone "reject" to "drop" and ping "accept" to "drop" no longer produces "stealth mode." The GRC website test shows ports as closed, but not stealth.

Without getting into a religious discussion on stealth mode benefits or lack thereof, is this still possible using different input with firewall4? This is what used to work:

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        option input 'DROP'
        option forward 'DROP'
...
config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option family 'ipv4'
        list icmp_type 'echo-request'
        option target 'DROP'

I also noticed it is not possible to configure forwarding from the luci firewall menu for new zones, but if I do it manually in /etc/firewall - like this:

config forwarding
        option src 'gst'
        option dest 'wan'

the luci firewall configuration page shows the change has been made. It's just that clicking the "Edit" button beside the forwarding on the luci page does nothing (except generate a null error message at the top of the screen).
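An added example, not part of this thread and not OpenWrt or firewall4 code: a small parser for the UCI firewall syntax shown above, plus a check that the config text actually asks for the "stealth" behaviour being discussed (wan zone input DROP, and no rule that ACCEPTs ICMP echo-request from wan). The sample config is constructed from the zone and rule blocks in the post; the checker only inspects the UCI text, so it would not have caught the snapshot bug itself, where the text was right but the generated nftables ruleset did not honour it.

```python
"""Check an OpenWrt UCI firewall config for the 'stealth' settings discussed
in the thread. Added example; not OpenWrt/firewall4 code. SAMPLE_CONFIG is a
constructed copy of the zone and rule blocks from the post."""

import re

# Constructed sample: the OP's wan zone and Allow-Ping rule, both set to DROP.
SAMPLE_CONFIG = """\
config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        option input 'DROP'
        option forward 'DROP'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option family 'ipv4'
        list icmp_type 'echo-request'
        option target 'DROP'
"""

_LINE = re.compile(r"^(config|option|list)\s+(\S+)(?:\s+(.*))?$")


def parse_uci(text):
    """Parse UCI text into a list of (section_type, {key: value or [values]}).

    Only the three line kinds used by the firewall config are handled:
    'config <type> [name]', 'option <key> <value>' and 'list <key> <value>'.
    Surrounding single or double quotes are stripped from values."""
    sections = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"unparseable UCI line: {raw!r}")
        kind, key, val = m.group(1), m.group(2), m.group(3)
        if val is not None:
            val = val.strip().strip("'\"")
        if kind == "config":
            current = {}
            sections.append((key, current))   # key is the section type
        elif current is None:
            raise ValueError("option/list before any config section")
        elif kind == "option":
            current[key] = val
        else:                                  # 'list' may repeat a key
            current.setdefault(key, []).append(val)
    return sections


def stealth_findings(text):
    """Return a list of human-readable findings; an empty list means the
    config text requests the stealth behaviour described in the thread."""
    findings = []
    for stype, sec in parse_uci(text):
        if stype == "zone" and sec.get("name") == "wan":
            # Require an explicit DROP rather than relying on defaults
            # (assumption: we want the policy visible in the file).
            inp = sec.get("input")
            if (inp or "").upper() != "DROP":
                findings.append(f"wan zone input is {inp!r}, expected DROP")
        elif stype == "rule" and sec.get("src") == "wan":
            if sec.get("proto") not in ("icmp", "icmpv6"):
                continue
            types = sec.get("icmp_type", [])       # no list -> all ICMP types
            hits_echo = not types or "echo-request" in types
            if hits_echo and (sec.get("target") or "").upper() == "ACCEPT":
                findings.append(
                    f"rule {sec.get('name')!r} ACCEPTs ICMP echo-request from wan")
    return findings


if __name__ == "__main__":
    for f in stealth_findings(SAMPLE_CONFIG) or ["config requests stealth mode"]:
        print(f)
```

Swap the sample for the contents of the real firewall config to use it as a pre-commit sanity check; verifying what the firewall actually does still requires looking at the generated ruleset (for example `nft list ruleset` on a firewall4 system) or an external port probe like the one mentioned in the post.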

ICMP Ping needs to be disabled.

Changing 'ACCEPT' to 'DROP' in:
option target 'DROP'
in the configuration of the rule I posted above has always disabled ping replies with iptables/firewall3.

Are you saying nftables/firewall4 now ignores "DROP" as an option and the entire rule now needs to be deleted in order to disable ping replies?

Snapshot is fixed as of r18717-0e32c6baf3. Specifying DROP now works as expected and the GRC test indicates stealth mode.
