Reject WAN zone input traffic?

Input traffic would be someone from the internet trying to access some server running on your router, e.g SSH or HTTP.
The response of a web server in the internet to some host in your lan classifies as forward traffic at first and not new, but related to a previous outgoing packet (from the lan host to the internet server) which was allowed, hence the response is also allowed.

Input and output mean traffic destined to the router or originating from the router.
The forwarding rule covers traffic traversing the router from one zone to another.

Correct, but different rules apply when the packets traverse the router and when they originate or end up to the router.

2 Likes