Need to change Accept INPUT in firewall zone


I upgraded all of my APs to 23.05, some upgraded from the web interface and others reflashed with the image.

In the reflashed devices I have this:


I need to change it to ACCEPT to get remote management from the Zerotier interface.

Is this secure? Why does the reflashed device have this configuration?

Thanks for your help.

Best regards.

There isn't enough info here to tell you if it is safe or not. And we don't know what exactly you had changed previously and how you performed the upgrade (not to mention versions before the upgrade).

Let’s see the config files as a start:

Please connect to your OpenWrt device using ssh, copy the output of the following commands and post it here using the "Preformatted text </>" button.
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall

This is a change that makes things more secure. You shouldn't actually run anything in the default (no-zone) "zone" in any case. Create a zone for Zerotier:

config zone
        option name 'zerotier'
        list device 'ztxxxxxxxx'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config rule
        option name             Allow-SSH-Zerotier
        option src              zerotier
        option proto            tcp
        option dest_port        22
        option target           ACCEPT

The device name is hashed from your Zerotier network number. Discover it with 'ip link show'. The name will be the same for any client on the same network and it will not change. You can also use the wildcard list device 'zt+' if you have only one Zerotier interface and no other names that start with zt.

Here I have rejected input by default and written an additional rule to allow SSH only. You could of course allow all input instead.

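To answer the "is this secure?" question for any firewall file rather than by eye, here is an added audit script (not code from the thread or from OpenWrt): it parses the UCI text format used in /etc/config/firewall, handling both the quoted and the bare option values that appear in the posted snippet, and reports for each zone its default input policy and which rules open router ports to that zone. The embedded firewall text is constructed for the example; it contains the 'zerotier' zone suggested above plus SSH and HTTPS allow rules, alongside a LAN zone with input ACCEPT for contrast. The assumed fallback policy when a zone omits `option input` is DROP, the OpenWrt default.

```python
"""Audit an OpenWrt /etc/config/firewall for zones that accept all input.

Parses UCI sections (config <type> / option <k> <v> / list <k> <v>) and
summarises, per zone, the input policy and the ports explicitly opened
towards the router from that zone.  A zone with input ACCEPT exposes every
listening service on the router to that zone; with REJECT or DROP only the
listed rules do, which is the point of the zerotier zone above.
"""
import shlex
from collections import defaultdict

# Constructed sample config (not a real device's file).
SAMPLE_FIREWALL = """
config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'zerotier'
        list device 'zt+'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config rule
        option name             Allow-SSH-Zerotier
        option src              zerotier
        option proto            tcp
        option dest_port        22
        option target           ACCEPT

config rule
        option name             Allow-HTTPS-Zerotier
        option src              zerotier
        option proto            tcp
        option dest_port        443
        option target           ACCEPT
"""


def parse_uci(text):
    """Return a list of sections: {'type', 'options': {}, 'lists': {k: [...]}}."""
    sections = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # shlex.split accepts both 'ACCEPT' (quoted) and ACCEPT (bare) values
        parts = shlex.split(line)
        keyword = parts[0]
        if keyword == "config":
            current = {"type": parts[1], "options": {}, "lists": defaultdict(list)}
            sections.append(current)
        elif keyword == "option" and current is not None:
            current["options"][parts[1]] = parts[2] if len(parts) > 2 else ""
        elif keyword == "list" and current is not None and len(parts) > 2:
            current["lists"][parts[1]].append(parts[2])
    return sections


def audit_zones(sections):
    """Map zone name -> {'input': policy, 'open_ports': [(proto, port), ...]}."""
    zones = {}
    for s in sections:
        if s["type"] == "zone" and s["options"].get("name"):
            zones[s["options"]["name"]] = {
                # Assumed fallback: OpenWrt treats a missing input policy as DROP
                "input": s["options"].get("input", "DROP").upper(),
                "open_ports": [],
            }
    for s in sections:
        if s["type"] != "rule":
            continue
        o = s["options"]
        # A rule with a src zone and no dest zone applies to the router's
        # own INPUT path; those are the ones that open router services.
        if o.get("target", "").upper() != "ACCEPT" or "dest" in o:
            continue
        src = o.get("src")
        if src in zones and "dest_port" in o:
            zones[src]["open_ports"].append((o.get("proto", "tcp udp"), o["dest_port"]))
    return zones


def insecure_zones(zones):
    """Zones that accept all input; a remote-management zone should not be here."""
    return sorted(name for name, z in zones.items() if z["input"] == "ACCEPT")


if __name__ == "__main__":
    result = audit_zones(parse_uci(SAMPLE_FIREWALL))
    for name, z in result.items():
        print(f"zone {name}: input={z['input']} open_ports={z['open_ports']}")
    print("zones accepting all input:", insecure_zones(result))
```

Run it against a real file with `audit_zones(parse_uci(open('/etc/config/firewall').read()))` on the router (or on a copy fetched with scp); any zone bound to a Zerotier device that shows up in `insecure_zones` is the situation the first post describes, and the fix is exactly the REJECT-plus-explicit-rules zone above.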

Thanks both,

I will try with a new zerotier zone and strict ssh and https rules.

Best regards.
