Hello community,
I would like to know if the syntax and the behavior I want to achieve is correct.
Behavior: block a list of IPs (using ipset) on port 443.
Syntax:
config rule
	option name 'rejectIPlist'
	option ipset 'listIps'
	option src '*'
	option dest_port '443'
	option proto 'tcp'
	option dest '*'
	option target 'REJECT'
	option family 'ipv4'
	option enabled '1'
The rule option dest_port '443' is a bit unclear to me. My device makes a request from the LAN to the WAN with 443 as the destination port, and also to one of the IPs from the IP list.
When the answer to the query "comes back", does the rule that is meant to block it need to use src_port '443'?
Rather than making two rules "just in case", I want to get a better understanding first.
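The set that the rule refers to has to be declared in /etc/config/firewall as well. The following is an added example, not the poster's configuration: the set name listIps comes from the post, the entries are constructed documentation addresses, and the rule is narrowed to the lan-to-wan forward direction (the poster used '*' for both zones). dest_port is matched on the packet that opens the connection; the replies are accepted by the firewall's established/related conntrack rule, so no src_port rule is needed.

```uci
# /etc/config/firewall (added example; set name from the post, addresses constructed)

# The set the rule looks up. 'dest_ip' means the destination address of the
# packet is checked, i.e. the server a LAN host is connecting to.
config ipset
	option name 'listIps'
	option family 'ipv4'
	option storage 'hash'
	list match 'dest_ip'
	# constructed example entries (TEST-NET addresses)
	list entry '203.0.113.10'
	list entry '198.51.100.25'

# Reject new TCP connections from LAN hosts to port 443 on any address in the set.
# Only the connection-opening packet is evaluated here; return traffic is
# accepted earlier by the established/related conntrack rule.
config rule
	option name 'rejectIPlist'
	option src 'lan'
	option dest 'wan'
	option ipset 'listIps'
	option proto 'tcp'
	option dest_port '443'
	option target 'REJECT'
	option family 'ipv4'
	option enabled '1'
```

After `/etc/init.d/firewall restart`, `ipset list listIps` shows the loaded entries and whether the set is being referenced.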
A MAC address is a link-layer address, while communication outside of your broadcast domain requires a network-layer address, aka an IP address.
In general you can't use a MAC address filter on the WAN interface.
If you need external management and want to provide an appropriate level of security, consider setting up a VPN.
I found an example on the OpenWrt wiki where they use a MAC address for filtering SSH connections and REJECT them, but I think it's because the link of the MAC address is done with an IP while applying the configuration. By the way, the example I put is working.
It would work; but be mindful you cannot use MACs for WAN IPs that are not the ISP's far end equipment - since only that machine is physically connected to your router.
Since the MAC you blocked is on LAN (and connected physically to the router via Layer 2), it worked.
If you can access the service from the internet then anyone can do the same.
If your ISP changes the upper level router the rule will not work.
So, relying on MAC address in case of WAN interface is not wise.