If I want to block TCP port 135, both incoming and outgoing, what's the simplest way of doing it on LuCI?
[OpenWrt terms (forwarding! forward! input! output!) are confusing like hell, I've read all about them but still. So don't give me links to read. I'm just gonna say "incoming and outgoing" and you know what I mean! It means any possible way you can imagine!]
I think you need three rules to block input, output and forward. If you don't like the way you configure rules then you might use Custom Rules with shell scripting and ip(6)tables, or you could replace the firewall with something else altogether.
You need to learn the concept of zones, it's what dictates your rules.
So if you're trying to block a client from establishing an outbound connection to port 135 (A client in your LAN to a server on the internet):
source zone: LAN, source port any, destination zone: WAN, destination port 135.
And in the other direction would be (covered by default for LAN/WAN in OpenWrt unless you explicitly allow it in another rule, or modify your default zone settings for Input/Output/Forward):
source zone: WAN, source port any, destination zone: LAN, destination port 135.
Regardless of what you choose to do, after you set up your firewall rules make sure to run a port scan (with nmap or another port scanning tool) to check if you've actually blocked traffic flow. Make sure to scan in both directions, from the client to the server and vice versa. Sometimes you don't need to initiate a full connection to cause damage; single packets can be enough.
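How the `src`/`dest` options of a rule decide whether it is an input, output or forward rule, as an added example that is not part of the original thread: it parses a constructed `/etc/config/firewall` fragment and reports which of the three directions still has no block for TCP port 135. The zone names `lan` and `wan` are assumed to be the OpenWrt defaults, and the function names are hypothetical.

```python
import re

# Constructed /etc/config/firewall fragment: one rule per direction.
SAMPLE = """
config rule
	option src '*'
	option proto 'tcp'
	option dest_port '135'
	option target 'DROP'

config rule
	option dest 'wan'
	option proto 'tcp'
	option dest_port '135'
	option target 'REJECT'

config rule
	option src '*'
	option dest '*'
	option proto 'tcp'
	option dest_port '135'
	option target 'REJECT'
"""

def parse_rules(text):
    """Return one dict of options per 'config rule' section."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("config "):
            rules.append({} if line == "config rule" else None)
            continue
        m = re.match(r"option\s+(\S+)\s+'([^']*)'", line)
        if m and rules and rules[-1] is not None:
            rules[-1][m.group(1)] = m.group(2)
    return [r for r in rules if r is not None]

def chain(rule):
    """Direction derived from src/dest: no src = output, src only = input."""
    if "src" not in rule:
        return "output"  # traffic generated by the router itself
    return "forward" if "dest" in rule else "input"

def missing_chains(text, port="135"):
    """Directions with no DROP/REJECT rule for the given TCP destination port."""
    blocked = {chain(r) for r in parse_rules(text) if r.get("proto") == "tcp"
               and r.get("dest_port") == port and r.get("target") in ("DROP", "REJECT")}
    return sorted({"input", "output", "forward"} - blocked)
```

An empty list from `missing_chains` means all three directions have a blocking rule in the file; it does not replace the port scan in both directions suggested above.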
Thanks for the detailed response. I have the simplest network, just LAN and WAN, so I should never worry about forwarding? But that amazing dinkie donkie called forwarding is active from LAN to WAN.
Also I think I can improve the rules you've given:
source zone: ANY, source port 135, destination zone: ANY, destination port ANY.
source zone: ANY, source port ANY, destination zone: ANY, destination port 135.
Blocking IPv6 on the router firewall will only block traffic to and from the internet. It won't prevent local machines from trying to reach each other by IPv6.
If it's the former you want to do then just disabling the wan6 interface should do it.