My firewall is passing traffic there aren't rules for, why?

My phone hasn't been able to connect to local servers for like a day, it was odd because they were fine. Using a network diagnostics app I checked my domains and they were resolving to the external addresses.

This is Android though, it does that annoying thing where if it can't contact Google, which is usually not welcome in some way or another (blocked on DNS, at L3, etc), it considers the network offline. I thought some of that was happening. However, its being able to resolve after turning off mobile data, and still getting the external address, pointed to encrypted DNS, which is supposed to be disabled on the device.

Regardless I did a capture on an access point and it was the first thing that popped into view. It would seem the phone is running a DoQ client, it's the only explanation I can come up with. But the thing is, I don't have rules for UDP traffic whatsoever.

In fact my ruleset at the most permissive is a range of hosts[1] that have access to TCP ports 80 and 443. Even these would normally be restricted by domain or ASN, but: ipsets[1].

All network services are local, including email. There really is no reason for more open ports. I wouldn't open TCP80 either if it weren't needed for CAs and those old websites that barely exist anymore.

There are no wide-ranging rulesets, zones are sort of used only because they're required for DNAT/PAT, but otherwise they're ignored and instead all rules are done from any zone to any zone with both target and source addresses. The default for input and forward traffic is to reject it. Same is for every zone. No zone has the masquerade checkbox, instead there's a rule for it that specifies the only interface where it's needed.

Lastly, the zones, instead of targeting L3 interfaces, they target L2 constructs/devices, I don't know if that would be an issue.

How can the traffic slip by the firewall?? I really thought I had everything covered. :frowning:



[1] ipset seems more work than "hand-made" rules, because they seem to have direction on their match, that means another set would be necessary for source/destination.
They're used on a different section from the core of the rule, making it ambiguous as to what has precedence, and whether there would be any conflict. I'm stuck with manual rulesets for now.
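For readers trying to picture the ruleset layout described above, here is what that design looks like in OpenWrt UCI syntax. This is an added illustration written for this thread, not the poster's actual `/etc/config/firewall`; the zone names, the device names (`br-lan`, `eth1`) and the host range `192.0.2.0/28` are assumptions chosen for the example.

```ini
# Added illustration of the design described in the post, not the poster's real config.
# Zone names, device names and the 192.0.2.0/28 range are assumptions.

# Global defaults: nothing comes in or is forwarded unless a rule says so.
config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

# Zones bound to L2 devices rather than L3 interfaces. They exist mainly so
# DNAT/PAT has something to attach to; zone-level forwarding is never enabled
# and the per-zone policy mirrors the global one.
config zone
	option name 'lan'
	list device 'br-lan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'wan'
	list device 'eth1'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	# deliberately no "option masq '1'": masquerading is an explicit nat rule below

# The most permissive rule: one host range may reach TCP 80/443.
# src '*' / dest '*' means "any zone", so the match is purely on addresses
# and ports, which is the "any zone to any zone" style described in the post.
config rule
	option name 'clients-web-out'
	option src '*'
	option src_ip '192.0.2.0/28'
	option dest '*'
	option proto 'tcp'
	option dest_port '80 443'
	option target 'ACCEPT'

# Masquerade only on the single outbound zone, as its own nat section
# instead of the zone checkbox.
config nat
	option name 'masq-wan'
	option src 'wan'
	option proto 'all'
	option target 'MASQUERADE'
```

With `forward 'REJECT'` as the global and per-zone default and no `config forwarding` sections, the only forwarded flows are those matched by explicit `config rule` entries such as `clients-web-out`; after editing, `fw4 print` on firewall4 (or `fw3 print` on older releases) shows the generated nftables or iptables rules so the intended policy can be compared against what is actually loaded.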

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

```
ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall
```