As of snapshot changing to (build: switch to firewall4 by default), I noticed changing wan zone "reject" to "drop" and ping "accept" to "drop" no longer produces "stealth mode." The GRC website test shows ports as closed, but not stealth.
Without getting into a religious discussion on stealth mode benefits or lack thereof, is this still possible using different input with firewall4? This is what used to work:
config zone
    option name 'wan'
    list network 'wan'
    list network 'wan6'
    option output 'ACCEPT'
    option masq '1'
    option mtu_fix '1'
    option input 'DROP'
    option forward 'DROP'
...
config rule
    option name 'Allow-Ping'
    option src 'wan'
    option proto 'icmp'
    option family 'ipv4'
    list icmp_type 'echo-request'
    option target 'DROP'
I also noticed it is not possible to configure forwarding from the luci firewall menu for new zones, but if I do it manually in /etc/firewall - like this:
config forwarding
    option src 'gst'
    option dest 'wan'
the luci firewall configuration page shows the change has been made. It's just that clicking the "Edit" button beside the forwarding on the luci page does nothing (except generate a null error message at the top of the screen).