Reject/drop explained on Youtube

This Youtube description of the firewall settings in LuCI is very helpful; it helps to understand the zone logic of the GUI.

However, the author's explanation of the "forward" parameter did not convince me. For him, in LuCI, it doesn't matter if "forward" is set to "accept" or "reject/drop", because it only opens or closes traffic between vlans gathered under the same zone, but does not necessarily block traffic between vlans in different zones.

So for example, according to the screens he shows, for his "guest" vlan he leaves "forward" on "reject", even though he wants "guest" to be able to exit to the "wan" internet. And he says it works.

It seems counter-intuitive, and on a similar configuration, with LuCI 21.252, I couldn't reproduce this behaviour: on the contrary, in my case, as soon as "forward" is set to "reject", the vlan is isolated, even though in the left part of the screen you have correctly defined the name of the other vlan(s) to which forwarding is desired.

Each of the links to the video has a different timecode.

Is he trying to explain a subtlety I'm missing, or is it a mistake in his presentation?

The search engine that suggests discussions similar to the content of the post being written is very effective. This post seems to answer my question. I'll have to test it again to convince myself that I'm getting the same result.

In practice, if we have several machines in the DMZ, each in its own vlan, and we want to prohibit dialogue between them, there is no need to create a different zone for each vlan: it is enough to apply the same zone to all the interfaces attached to these vlans, and to set "forward" to "reject"?

onemarcfifty's videos are fundamentally OK, but he does get some subtle nuances wrong at times. Also, I think you may have misunderstood some of what he did say.

That's the purpose of my post: to receive comments from experienced users who could tell me if the author of the video "got some subtle nuances wrong that time" or if I "may have misunderstood some of what he did say".

You have summed up the issue well. Thank you for your input.

I am going through that info to see if I can clarify some of his mistakes.

Mistake is probably too harsh a word; I think it's more a case of "mistranslation". His videos have helped me recently.

I won't be going through them now though, it's 8pm here, so if nobody else clarifies, I hope to have something for you tomorrow.

Forward and Forwardings are two different things.
Forward, as you said, applies to all the interfaces that belong to the same zone. In the case of one interface per zone, it obviously doesn't make any difference.
Forwardings, on the other hand, regulate the inter-zone traffic. So if you want to allow forwarding from guest to wan, so that the guest hosts have internet access, then you need to create it. By default the inter-zone forwardings are all dropped.
Drop silently discards packets. Reject notifies the source about the discard. Prefer REJECT; it is way better when troubleshooting.

3 Likes

Thank you for your explanation.

I can see the same thing in my tests: the only traffic that the "forward = reject/drop" parameter blocks is the traffic between the different machines of my DMZ, each one present on a distinct interface (and subnet), but all grouped together in the single "dmz" zone.

This example refers to the DMZ, but it is only a special case. It would be the same for any other interfaces grouped under the same zone. Simply put, the practical case where this "forward = reject/drop" parameter has a use for me is forbidding the machines of the DMZ from talking to each other.

1 Like
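As an added example that is not part of the original thread, the following /etc/config/firewall fragment (the UCI file that the LuCI firewall page edits) implements the setup described in the two posts above: several DMZ networks sharing one zone whose "forward" option is REJECT, so they cannot reach each other, plus a "forwarding" section so that zone can still reach the WAN. The interface names dmz1, dmz2 and dmz3, and the choice of REJECT over DROP, are assumptions for the illustration; the rest is standard OpenWrt firewall syntax.

```uci
# /etc/config/firewall (added example, not from the thread)
# dmz1, dmz2, dmz3 are assumed to be existing interfaces in /etc/config/network.

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# One zone for every DMZ network. The zone's "forward" option only governs
# traffic between the networks INSIDE this zone: with REJECT, a host on dmz1
# cannot reach dmz2 or dmz3, and the router answers with ICMP unreachable
# (or TCP RST), which is what makes REJECT easier to troubleshoot than DROP.
config zone
	option name 'dmz'
	list network 'dmz1'
	list network 'dmz2'
	list network 'dmz3'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

# A "forwarding" section governs traffic BETWEEN zones. Without it the DMZ
# hosts have no internet access regardless of the zone's "forward" setting;
# with it they can reach wan, but still not each other, because intra-zone
# traffic is still decided by the zone's own "forward" option above.
config forwarding
	option src 'dmz'
	option dest 'wan'
```

Apply the change with `/etc/init.d/firewall restart` (or `reload`). To confirm the two settings really land in different places, dump the generated ruleset with `fw3 print` on OpenWrt 21.02 or `fw4 print` on 22.03 and later: the dmz-to-wan accept rule comes from the forwarding section, while the REJECT that stops dmz1 talking to dmz2 is the dmz zone's own forward policy. Changing only the zone's "forward" to ACCEPT would let the DMZ hosts see each other but would still not give them internet access, which matches the explanation in the thread.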
