I'm trying to make my firewall work in "allow-only" mode so that it would reject everything except the rules I put into "Traffic Rules" tab on LUCI.
But I have noticed no matter what (input-output-forward) I disable for any zone (General Settings, LAN to WAN, WAN) my LAN stilll has connection to outside (without DNS I believe) without me making any exception rules. Default rules are also deleted.
You can see that I tried disabling almost everything on the screenshot.
I can advise you to keep the firewall on output as accept (as if you put it as reject you are limiting all the outgoing connections of your router).
For example if my lan were to allow only web traffic I would have to operate in the forward chain.
I would reject forward and then add a rule to allow web traffic (port 80 and 443).
If the web requests are from a client connected to the router
the resolution from www.google.com to 142.250.74.228
would happen on the router. And then the client connects (forward) to the resolved ip address.