How to reject everything except HTTPS and DNS on forwarding from WAN to LAN

How do I go about rejecting everything except HTTPS and DNS on forwarding from WAN to LAN, and in the opposite direction too? I want a very secure LAN. So I just want DHCP on the LAN and DNS and HTTPS accessible from the internet.

From wan > lan, everything is normally blocked except for returning traffic that is related to stuff that was initiated by devices on the lan.

If you want to limit your lan devices to only enable https access out to the internet, you can remove the forwarding from lan > wan, and then add a rule that accepts destination port 443 for source zone lan and destination zone wan. Same for port 53 (DNS), or just handle DNS locally on your router (that is the default config with DHCP advertising the router as the local DNS server). Keep in mind that this may break a lot of things, and it may actually not protect you since you can still get malware on your computer that comes from a site that is https enabled and/or uses command & control servers that operate with port 443.
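The setup described in the reply above, written out as an added example (not from the thread) in the UCI syntax of OpenWrt's `/etc/config/firewall`; it assumes the default zone names `lan` and `wan` and that DNS is resolved by the router itself (the rule names are chosen here):

```uci
# /etc/config/firewall fragment (added example, not from the original thread).
# Assumes default zone names 'lan' and 'wan'. Only the relevant sections are shown.

config zone
	option name 'lan'
	option input 'ACCEPT'     # DHCP and DNS requests from LAN clients to the router
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'     # unsolicited inbound from the internet is rejected
	option output 'ACCEPT'
	option forward 'REJECT'   # nothing is forwarded wan > lan unless a rule allows it
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

# The default "config forwarding" block with src 'lan' / dest 'wan' is
# deliberately absent, so LAN clients get no blanket access to the internet.
# Replies to the connections allowed below still return, because the
# firewall is stateful (ESTABLISHED,RELATED traffic is accepted).

config rule
	option name 'Allow-LAN-HTTPS-out'   # hypothetical rule name
	option src 'lan'
	option dest 'wan'
	option proto 'tcp'          # TCP only: QUIC/HTTP3 (UDP 443) stays blocked
	option dest_port '443'
	option target 'ACCEPT'

config rule
	option name 'Allow-LAN-DNS-out'     # hypothetical rule name
	option src 'lan'
	option dest 'wan'
	option proto 'tcp udp'      # DNS uses both transports
	option dest_port '53'
	option target 'ACCEPT'
```

After editing the file, apply it with `/etc/init.d/firewall reload`; in LuCI the same two entries appear under Network > Firewall > Traffic Rules, where the checkbox enables or disables each one.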

Thanks, can I do this with the UI? Are there multiple configurations, or can I enable and disable rules with a tickbox so I can just put things back easily by selecting the default configuration?

Yes I am well aware of malware issues.

Yes, this can all be done with the LuCI web interface under the firewall section. You can enable/disable rules easily with a checkbox. The zone forwardings need to be added/removed -- simple, but not as easy as a checkbox.

There aren't really multiple configurations, although you could always use the command line to script changes or maintain 2 different copies of the config file and swap them back and forth.

Okay great, thanks a lot I will have a play.

Sorry, where is the config file please? So I can make a backup.


I have done backup and restore as two custom commands :wink: