This might be similar to the problem kattivius reported (Lost https web UI access) but I am choosing to start a new topic to avoid drawing the wrath of moderators. I also posted this to the IRC channel, but I think I might get more eyes here.
I am running openwrt in a vbox VM and have been doing so for over a year. It does work, but I wanted to see if I could kind of lock down the router somewhat more. I am trying this in openwrt 21.02.1 on a testing box; I don't use it for much except building packages and some debugging and testing different software configurations.
I decided to try DENY on all INPUT, including the management port of my openwrt router. Before doing so, however, I intentionally opened ports 22, 53, 123, and 443 so that I would still have access to the web ui, DNS, and SSH to the router. I also opened 123 thinking that SSL probably requires packet timing accuracy, and I initially suspected that that might have been the source of my problem, described below. However, this did not fix the problem, but I am leaving it open in further testing because it may help thwart packet timestamp issues.
After updating the router with this new configuration, I was able to access the LuCI (via https), and to continue working in an SSH shell on the router that I started prior to updating the router. I can ping the internet, and browse web sites.
After about a minute or so, I lost the web ui and I could not create a new SSH connection to the router even though the one I had opened continued to work without issue. I could continue browsing OTHER web sites and ping was happy to work virtually anywhere.
I think I am close to getting this to work, but I am wondering if anyone knows of any additional ports that need to be open, or possibly some configuration tuning that still needs to be done. I can't imagine what, but hopefully someone here knows of something I can try.
BTW, this is a really simple scenario anyone should be able to duplicate, given a spare box (possibly, though it should do the same on any hardware), virtualbox (as I haven't tried it with kvm), and a very, very simple interface configuration. No additional packages had to be installed. I used the stock image from the openwrt website. I created a separate management port, but using the LAN side should yield the same results.
Also, am I wrong to think that the configuration I am attempting could not possibly work? I'd think this is appropriate and would be well-supported. I don't think what I am doing is particularly radical, but I am still a bit green with networking and openwrt. After a year of working with it, I am still just learning stuff.
Sorry for being long in the tooth. I just wanted to supply enough information to be understood and hopefully receive some help with this. Thank you so much for any constructive feedback.
[EDIT]: I should also mention that, using the already-opened ssh session, I was able to see that uhttpd was still running, and I was able to access the rest of my local network as well as the Internet.
I was able to reproduce this scenario repeatedly by simply resetting the router's VM back to a snapshot I had created prior to munging with the router.
[EDIT2]: Forgot to also add that running tcpdump on the router while all INPUT is DENY'd does show ssh packets making it into the router. But there is no response from the router. I confirmed that dropbear continued to run, just as uhttpd was.
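An added audit helper, not from the original post or from OpenWrt itself: given a constructed /etc/config/firewall excerpt mirroring the setup above (input DROP on a management zone, with ACCEPT rules for 22/443 over tcp and 53/123 over udp), it reports the INPUT verdict that fw3's rule order yields for each probed protocol/port, so a lockdown like this one can be checked for gaps (for instance a port opened for tcp only) before it is applied. The zone name `mgmt` and the rule layout are assumptions.

```python
import re

# Constructed /etc/config/firewall excerpt (not from the original post):
# a management zone with input DROP plus two ACCEPT rules for 22/443 and 53/123.
SAMPLE = """config zone
	option name 'mgmt'
	option input 'DROP'
config rule
	option src 'mgmt'
	option proto 'tcp'
	option dest_port '22 443'
	option target 'ACCEPT'
config rule
	option src 'mgmt'
	option proto 'udp'
	option dest_port '53 123'
	option target 'ACCEPT'
"""

def parse_uci(text):
    """Return a list of (section_type, {option: value}) for a UCI file."""
    sections = []
    for line in text.splitlines():
        m = re.match(r"\s*config\s+(\w+)", line)
        if m:
            sections.append((m.group(1), {}))
            continue
        m = re.match(r"\s*(?:option|list)\s+(\w+)\s+'([^']*)'", line)
        if m and sections:
            sections[-1][1][m.group(1)] = m.group(2)
    return sections

def input_policy(sections, zone, proto, port):
    """Verdict for a new connection to the router itself from `zone`: rules with
    'src' but no 'dest' are checked in config order (first match wins); otherwise
    the zone's own 'input' option applies."""
    for kind, opts in sections:
        if kind == "rule" and opts.get("src") == zone and "dest" not in opts:
            protos = opts.get("proto", "tcp udp").split()   # fw3 default proto
            ports = opts.get("dest_port", "").split()        # empty = any port
            if ("all" in protos or proto in protos) and (not ports or str(port) in ports):
                return opts.get("target", "DROP")             # fw3 default target
    for kind, opts in sections:
        if kind == "zone" and opts.get("name") == zone:
            return opts.get("input", "ACCEPT")
    return "ACCEPT"  # zone not defined in this file

def audit(text, zone, probes):
    """Map each (proto, port) probe to its input verdict for `zone`."""
    sections = parse_uci(text)
    return {probe: input_policy(sections, zone, *probe) for probe in probes}
```

fw3 also accepts RELATED,ESTABLISHED traffic ahead of the per-zone input chains, which is why a session opened before the policy change keeps working while new connections are judged by the rules above.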