OpenWRT does not reject forbidden ssh access from other zone

I've installed OpenWrt 22.03.4 r20123-38ccc47687 on an Archer C2600.

I've defined the following zones with corresponding interfaces:

config zone
	option name 'adm'
	option input 'DROP'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'adm'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'lan'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'ADM-SSH-DHCP-NTP'
	list proto 'tcp'
	list proto 'udp'
	option src 'adm'
	option dest_port '22 67 68 123'
	option target 'ACCEPT'

My intention is: only clients in the adm zone should have ssh access to the router. Therefore I use the following dropbear definition:

config dropbear
        option Port '22'
        option Interface 'adm'
        option PasswordAuth 'off'
        option RootPasswordAuth 'off'

The output of netstat -tulpen | grep dropbear is

tcp   0   0*     LISTEN      30864/dropbear

Address range for adm interface ist (with router
Address range for lan interface ist (with router

But an access from a lan client is not rejected. Why? Logread says:

Mon Jun 26 19:23:16 2023 dropbear[31916]: Child connection from
Mon Jun 26 19:23:16 2023 authpriv.notice dropbear[31916]: Pubkey auth succeeded for 'root' with ssh-rsa key SHA256:TOP-SECRET from

Because the traffic crosses the router to the adm zone and the firewall doesn't inhibit the attempt.

You will find that this will fail: ssh from to

But this will work: to

This is because:

  • is in a different subnet, so ssh hits the default gateway: the router.
  • The router looks at the packet and says, "Where do I send this? Oh! It's to me! I don't need to send it anywhere else!"
  • The target IP address is the IP address of the interface in the adm zone.

If you put a corresponding rule in place to inhibit SSH from the LAN (or from anywhere you don't want it), then the unwanted attempts will fail.

config rule
        option name 'Stop SSH'
        list proto 'tcp'
        option src 'lan'
        option dest_port '22'
        option target 'REJECT'

The absence of a dest directive means that the destination is "this device", i.e. the router. You can see an illustration of this in the display of the firewall traffic rules in LuCI.

1 Like

According to netstat dropbear is just listening on (see my first posting). Is this information wrong?

Bother. You are right, and I was wrong. At least, my explanation was wrong. Apologies for that. It's late, and I'm tired, and I got the netstat output backwards. I will correct my earlier explanation lest anyone else stumble across it and be misled.

However, the fix is as I described: stick a rule in to stop SSH traffic crossing the router and landing at the interface in the permitted zone.

The reason that the lan client is not rejected is because input = accept on the lan zone.

When the ssh connection to arrives at the router from the network, the router determines that it holds the address in question. Because input is allowed on the lan firewall zone, the connection can be established, even though it would seem that it is a different subnet.

The above only affects the address of the listening interface, not the permissions on the firewall. It is the firewall that allows or denys the connection. If you do not specify the interface, dropbear will listen on all addresses associated with the router (including the wan... but don't freak out), but the firewall (input = reject/drop, or specific granular traffic rules on a given zone/network/host IP) is what prevents access from the wan or any unauthorized zones/networks/hosts.


Your proposed rule works. Thanks a lot.

1 Like

You're welcome. And apologies again for the prior confusion. Lack of sleep really does mess up my thinking...

Thanks a lot for your detailed explanation. Now I understand, why my previous rules did not work.

No problem, nobody is perfect. :wink:

1 Like

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.