532910
October 26, 2024, 12:39pm
I have myzone
with forward 'DROP'
policy:
config zone
    option name 'myzone'
    option network 'myzone'
    option input 'DROP'
    option output 'ACCEPT'
    option forward 'DROP'
While manual insertion works as expected:
# nft insert rule inet fw4 drop_to_myzone log prefix \"MYzone_REJECT \"
permanent rule does nothing:
config include
    option type 'nftables'
    option path '/etc/firewall_myzone_log.nft'
    option position 'chain-pre'
    option chain 'drop_to_myzone'

# cat /etc/firewall_myzone_log.nft
log prefix "MYzone_REJECT "
How should I add a permanent firewall rule to log all dropped packets?
brada4
October 26, 2024, 12:41pm
Add a final rule for zone with 'return' target and
option log '1'
532910
October 26, 2024, 12:56pm
How to add a 'rule for zone'?
What is the 'return' target?
Zone forward is between interfaces in a zone and you have only one interface in your zone so that rule is pretty useless in a single interface zone.
532910
October 26, 2024, 4:15pm
Damn right! That's why I see tcp resets in tcpdump! I should read wiki more carefully. Do you know, how to set DROP policy for the forwards between zones? I could only come up with:
config rule
    option name 'myzone-DROP'
    option src 'myzone'
    option dest 'wan'
    option target 'DROP'
What have you set the global rules to?
Inter-zone data isn’t allowed to begin with unless you have allowed it with a forward rule, like the forward lan to wan rule.
But they aren’t really rules, they are simply called forward in the config.
532910
November 12, 2024, 4:54am
Setting global to DROP makes forward drop instead of reject, exactly as I wanted.
Thank you!
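Pulling the thread's two answers together (the zone-level `option log '1'` from reply 2 and the global forward DROP from the last post), here is an added example of what the relevant stanzas of `/etc/config/firewall` look like on an fw4 system. This is an added illustration, not the original poster's config: the zone names `myzone`, `lan` and `wan`, the network names and the `10/minute` log limit are assumed values, and the `config rule` stanza is the explicit per-pair variant from post 5 shown as an alternative to relying on the global policy alone.

```uci
# Global policy. The zone-level 'forward' option only governs traffic between
# interfaces inside the same zone (see post 4); traffic between zones that is
# not allowed by a 'config forwarding' stanza falls through to this policy.
# DROP here silently discards it instead of answering with a TCP RST / ICMP
# unreachable (the behaviour the original poster saw in tcpdump with REJECT).
config defaults
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'DROP'
    option synflood_protect '1'

# The zone from the thread. 'log' is a bit field in fw4: 1 = log packets
# filtered by this zone's policies, 2 = log MSS rewrites. 'log_limit' keeps a
# flood of drops from filling the ring buffer (assumed value, fw4 default is
# also 10/minute).
config zone
    option name 'myzone'
    list network 'myzone'
    option input 'DROP'
    option output 'ACCEPT'
    option forward 'DROP'
    option log '1'
    option log_limit '10/minute'

config zone
    option name 'lan'
    list network 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'

config zone
    option name 'wan'
    list network 'wan'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'

# Only this pair is allowed to cross zones; anything else (including
# myzone -> wan) hits the global forward DROP above.
config forwarding
    option src 'lan'
    option dest 'wan'

# Optional explicit variant of the same intent for one zone pair (post 5).
# With the global policy already DROP it is redundant, but it documents the
# decision in the config and gives a named rule to look for in 'nft list ruleset'.
config rule
    option name 'myzone-DROP'
    option src 'myzone'
    option dest 'wan'
    option proto 'all'
    option target 'DROP'
```

After editing, `fw4 check` validates the syntax and `fw4 reload` applies it; `nft list ruleset` shows the generated `inet fw4` table (the zone's `log` option materialises as `log prefix ... limit rate` rules in the zone's drop/reject chains), and `logread -f` shows the resulting kernel log lines. Note that a `chain-pre` include targeting `drop_to_myzone`, as in the original post, never fires for myzone-to-wan traffic, because cross-zone packets are decided by the global forward policy rather than by that zone chain.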