Input accept in firewall means the device will have access to all subnets (if I am trying to access the router)?

I am trying to understand if this is intentionally implemented just because of ease of use, or if I am missing something.

I have noticed that having allow for input in the firewall zone settings, for a zone that covers only a given network (subnet), means that I can access the router through all subnets, despite my firewall settings not allowing anything else to be accessed (which works nicely).

Say I am on subnet 192.168.5.x. If I have accept input in the firewall settings for the zone that covers my 192.168.5.x subnet, I can access 192.168.1.1, 192.168.2.1 and so on, for all available subnets, as long as I am trying to access the router.

I just wondered why it is not limited to only the subnet you are firewalled in, even though it probably makes no real-world difference, since even if I had two routers, for example, the access would've been denied since the subnet would not exist in the current router's range.

To summarize, how I thought it should work:

  1. You create a firewall zone which covers a given network, a network which covers a given subnet, say 192.168.5.x.

  2. Only by going to 192.168.5.1 can you access the router; if I were to go to 192.168.3.1, I wouldn't be able to access it.

How it currently works:

  1. Is the same.

  2. I visit 192.168.3.1, and I cannot access the router since I am trying to access from a different subnet.

Input allows access to the router itself, but not to other networks. The additional addresses you have shown are all addresses that the router itself holds... so it responds accordingly if input is allowed.

It's like if you're known as Coach Timothy Smith. You might be called Tim, Mr. Smith, Timothy, Coach... you'll respond to all of them.

To be clear, the access to the router is only allowed when you are connecting from a network/zone that allows input. Any networks/zones that do not allow access to the router (i.e. input set to reject or drop) will not be able to reach the router at any of the addresses.

This doesn't present any security issues insofar as the specific network/zone doesn't have access to the other networks/zones. However, you could craft firewall rules that reject the traffic to those destination addresses. It is unnecessary, IMO, but can be done.


Yeah, I know that it doesn't pose risks, but of course there is one router and it's not a subdomain, but instead the subdomain creator, so to say (among other things), so it makes sense for it to be accessed from any subnet that allows access to it, if that makes sense.

But I just wondered if this was an additional implementation for ease of use, or if other firewalls by default have this behavior.

If you're talking about other router/firewall firmware/OS's, I can't say for certain the details of which ones do and don't present the same behaviors.

I just tested and I can tell you that Unifi (which is not zone based) does behave similarly for this detail. I am on my main lan and I can ping the router's address on that lan as well as its addresses on the guest and other networks. But that said, I do allow my lan to initiate connections towards those other networks, so maybe not a complete answer here.

Similar to @psherman's comment, it is difficult to say for all firewalls, but I would suggest that many enterprise-type firewalls probably allow you to control this by binding processes to interfaces, in a similar way to how OpenWrt allows you to bind SSH access to whichever zone interface you specify.

I would guess it is probably an ease-of-use implementation.

See the input rule as being like access to a county administration building.

If input is allowed, you can freely visit, from that zone, all the administration services, like the city planning office, the road office and the water/waste office.

If input is rejected, all these offices are locked and you must have special permission to visit each and every office. In the firewall, that special permission is called input rules to specific ports for defined network sources; this access permission can be given to a specific device, multiple devices or a complete interface.

But it is one thing to read about it.

You can pretty easily set up a mini network with 3 different computers and 2 different VLANs/interfaces/firewall zones.

And from there test input, output and forward functions and test the rules between the three computers and the router.
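A concrete form of the rule approach mentioned in psherman's answer (rejecting input to the router's other addresses) and of the "special permission" input rules described in the last post, as an added example that is not from any post in this thread: an OpenWrt /etc/config/firewall fragment. The zone and network name 'lab' is an assumption; the addresses are the ones used in the question.

```uci
# Added example, not from the thread. Zone 'lab' (assumed name) covers
# the 192.168.5.0/24 network from the question. Input is rejected by
# default, so hosts in this zone reach none of the router's addresses
# (192.168.5.1, 192.168.1.1, 192.168.2.1, ...) unless a rule opens it.
config zone
	option name	'lab'
	list network	'lab'
	option input	'REJECT'
	option output	'ACCEPT'
	option forward	'REJECT'

# A rule with a src zone and no dest zone is an input rule. This one
# re-opens input only toward the router address on this zone's own
# subnet, so 192.168.5.1 answers but 192.168.1.1 and 192.168.2.1 do not.
config rule
	option name	'Allow-lab-to-own-gateway'
	option src	'lab'
	option dest_ip	'192.168.5.1'
	option proto	'all'
	option target	'ACCEPT'

# Caveat: a client without a lease sends DHCP to 255.255.255.255, which
# the rule above does not match, so DHCP to the router needs its own rule.
config rule
	option name	'Allow-lab-DHCP'
	option src	'lab'
	option proto	'udp'
	option dest_port	'67-68'
	option target	'ACCEPT'
```

After editing, reload with `/etc/init.d/firewall restart` and verify from a 192.168.5.x host that the router's other addresses no longer answer.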