The motivation behind this is that I've produced a Smart-Home device using a Raspberry Pi. For the terminally curious, it's actually a meat roasting thermometer that reports the temp on a PC connected to the LAN.
It has no need to ever connect to the outside world, except in the unlikely event I update it. So for the vast majority of the time I want to block Internet traffic to and from this device. I have a firewall rule on the Pi to block WAN traffic, i.e. anything outside the local subnet. While not really necessary, think of this in terms of "belt and suspenders". It's also a useful learning experience, which is my main reason for trying this.
I tried doing this once; to the best of my memory, I added the following to "/etc/config/firewall":
config rule
	option src_mac '01:23:45:67:89:ab'
	option dest 'wan'
	option name 'Block-Thermometer'
	option target 'DROP'
The reason I say "to the best of my memory" is that applying this caused all connectivity to the router to fail, requiring a factory reset and reconfigure. Needless to say, the backup I'd made of the firewall config file was kinda useless at this point, since the whole thing got wiped with the factory reset.
Hence my reason for coming here to get help: I clearly don't know the exact incantation, and do not want to risk requiring a second reset.
Piggy-backing a second closely related question, I note that src_mac is available, but as far as I can tell dest_mac is not. Any ideas if this is the case, and if so why? And how might I block inbound traffic without having to resort to a static lease and