I think this bug has been here for a while but it's still 18.06.0.
With the following settings in /etc/config/firewall:
config defaults option syn_flood 1 option input ACCEPT option output ACCEPT option forward REJECT # Uncomment this line to disable ipv6 rules # option disable_ipv6 1 config zone option name wan list network 'wan' list network 'wan6' option input DROP option output ACCEPT option forward DROP
This generates in both iptables and ip6tables the following issue:
-A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward -A FORWARD -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_forward
Nothing drops in zone_wan_forward and it jumps to:
-A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_DROP
In zone_wan_dest_DROP we have:
-A zone_wan_dest_DROP -o eth0.2 -m comment --comment "!fw3" -j DROP -A zone_wan_dest_DROP -o pppoe-wan -m comment --comment "!fw3" -j DROP
But this was a packet that came IN either eth0.2 and pppoe-wan WAN interfaces so it will never match the "-o" i.e. the output interface in these rules.
So the packet WON'T get dropped!
The only thing that will then save you here is the default FORWARD rule is REJECT for most people (hopefully).
I presume the correct rule should have been like the zone_wan_input:
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_DROP
i.e. the last line of zone_wan_forward should have been:
-A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_src_DROP
These rules are almost identical between IPv4 and IPv6 but it's more serious in IPv6, as internal hosts have real addresses so the inbound forwarding rule will be hit a lot.
In IPv4 most people will have NAT setups with a single IP on the external, so the FORWARD rule inbound is not really used (purely INPUT).