[Solved] Firewall rule being bypassed/ignored?

[Solved] TP-Link Archer C7 v4
OpenWrt 22.03.3 r20028-43d71ad93e

I created a firewall rule to prevent a device from connecting to the WAN. Here is the rule:

config rule
         option name 'HS200StudioOutsideBlock'
         option dest 'wan'
         list src_mac '02:0F:B5:EE:9B:F1'
         option src '*'
         option target 'REJECT'
         list src_ip '10.10.10.218'

However, I see this:

ipv4 2 tcp 6 7242 ESTABLISHED src=10.10.10.218 dst=34.236.119.131 sport=51072 dport=50443 packets=8 bytes=930 src=34.236.119.131 dst=64.203.231.3 sport=50443 dport=51072 packets=1 bytes=44 [ASSURED] mark=0 zone=0 use=2

What am I missing here?

The source zone is wildcard and doesn't apply the rule to the correct order. Add the correct src zone and it will be working.

The rule is fine, just tested locally here and it works as expected.

@pluffmud - the firewall will not cut already established connections when applying the rule initially, see if it becomes effective after an echo f > /proc/net/nf_conntrack

Also note that without any specified proto, the rule will default to tcp and udp but not icmp or other protocols. I suggest adding an explicit option proto all as well.


Explicitly setting the src zone to 'LAN' seems to have made it work. I don't understand why, because 'LAN' is in the set of the 'ANY' zone, is it not? Perhaps I am misinterpreting what option src '*' is doing.
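As an added example (not from this thread or from OpenWrt), a small Python check that parses UCI firewall rules and flags the two points raised above, a wildcard src zone and a missing proto, run against a constructed config holding the original rule next to a corrected copy:

```python
import re
# Constructed sample (not from OpenWrt): the poster's original rule, then the
# corrected form the thread arrives at (explicit src zone, explicit proto).
SAMPLE_FIREWALL = """config rule
        option name 'HS200StudioOutsideBlock'
        option dest 'wan'
        list src_mac '02:0F:B5:EE:9B:F1'
        option src '*'
        option target 'REJECT'
        list src_ip '10.10.10.218'
config rule
        option name 'HS200StudioOutsideBlock_fixed'
        option src 'lan'
        option dest 'wan'
        list src_mac '02:0F:B5:EE:9B:F1'
        list src_ip '10.10.10.218'
        option proto 'all'
        option target 'REJECT'
"""

# option/list line: keyword, name, then a single-quoted, double-quoted or bare value
UCI_LINE = re.compile(r"(option|list)\s+(\w+)\s+(?:'([^']*)'|\"([^\"]*)\"|(\S+))")

def parse_uci_rules(text):
    """Collect 'config rule' sections; every option/list value is kept in a list."""
    rules, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            current = {} if line.split()[1:2] == ["rule"] else None
            if current is not None:
                rules.append(current)
            continue
        m = UCI_LINE.match(line)
        if m and current is not None:
            value = next(g for g in m.groups()[2:] if g is not None)
            current.setdefault(m.group(2), []).append(value)
    return rules

def lint_rule(rule):
    findings = []
    # A wildcard source zone did not catch the LAN host until 'lan' was set explicitly.
    if rule.get("src") == ["*"]:
        findings.append("wildcard_src")
    # Without proto the rule covers only tcp and udp; icmp and other protocols still pass.
    if "proto" not in rule:
        findings.append("missing_proto")
    return findings
```

Changing the rule does not cut connections that conntrack already tracks, so the flush from the earlier reply is still needed before the effect shows up.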
