[Solved] Firewall rule being bypassed/ignored?

[Solved] TP-Link Archer C7 v4
OpenWrt 22.03.3 r20028-43d71ad93e

I created a firewall rule to prevent a device from connecting to the wan . Here is the rule:

config rule
         option name 'HS200StudioOutsideBlock'
         option dest 'wan'
         list src_mac '02:0F:B5:EE:9B:F1'
         option src '*'
         option target 'REJECT'
         list src_ip ''

However I see this

ipv4 2 tcp 6 7242 ESTABLISHED src= dst= sport=51072 dport=50443 packets=8 bytes=930 src= dst= sport=50443 dport=51072 packets=1 bytes=44 [ASSURED] mark=0 zone=0 use=2

What am I missing here ?

The source zone is wildcard and doesn't apply the rule to the correct order. Add the correct src zone and it will be working.

The rule is fine, just tested locally here and it works as expected.

@pluffmud - the firewall will not cut already established connections when applying the rule initially, see if it becomes effective after an echo f > /proc/net/nf_conntrack

Also note that without any specified proto, the rule will default to tcp and udp but not icmp or other protocols. I suggest to add an explicit option proto all as well.

1 Like

Explicitly setting the src zone to be 'LAN' seems to have made it work . I dont understand why because 'LAN" is in the set of 'ANY" zone is it not ? Perhaps I am misinterpreting what the option src '*'
is doing

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.