What happens behind the scenes when firewall settings are unspecified? (v23.05)

When you leave the Firewall Settings as "unspecified" for an interface in LuCI (LuCI > Network > Interfaces > Firewall Settings > "unspecified"), what's actually happening behind the scenes?

According to the DSA Mini-tutorial, "That interface MUST be associated with a firewall zone (or rules) to accept input". But in practice, it seems like the input chain is still allowing connections because I can access the router through that interface.

EDIT:
Does it fall back to a default rule in /etc/config/firewall or something similar?

Zone default is reject all? Global default (interface not in zone) is applied on unassigned interface.
https://openwrt.org/docs/guide-user/firewall/firewall_configuration

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall
1 Like

Okay, thanks! That clears everything up. I guess the dsa-mini-tutorial is a bit misleading when it says 'must'. :grinning:

By default for v23.05, the /etc/config/firewall just rejects forwarding so I guess that's the main reason you don't need the firewall zone in the initial setup of the router.

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
1 Like
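
Added example, not written by any poster in this thread: a shell function that lists the interfaces in /etc/config/network that no zone in /etc/config/firewall references, together with the `config defaults` input policy discussed above. The function name, the `guest` interface and the sample configs are constructed; only zone `network` entries are checked, not zones matched by `device` or `subnet`.

```shell
#!/bin/sh
# Lists interfaces that no firewall zone references, with the input policy
# from 'config defaults'. Only zone 'network' entries are considered.
unzoned_ifaces() {   # usage: unzoned_ifaces [network_file] [firewall_file]
    awk '
        { gsub(/["\047]/, ""); fw = (FILENAME == ARGV[1]) }  # strip UCI quotes
        $1 == "config" {
            sect = $2
            # loopback is normally left out of zones on purpose
            if (!fw && sect == "interface" && $3 != "loopback") ifaces[++n] = $3
            next
        }
        fw && sect == "defaults" && $1 == "option" && $2 == "input" { policy = $3 }
        fw && sect == "zone" && $2 == "network" && ($1 == "list" || $1 == "option") {
            for (i = 3; i <= NF; i++) zoned[$i] = 1
        }
        END {
            if (policy == "") policy = "unset"
            for (i = 1; i <= n; i++)
                if (!(ifaces[i] in zoned)) print ifaces[i] " input=" policy
        }
    ' "${2:-/etc/config/firewall}" "${1:-/etc/config/network}"
}

# Constructed sample (not the router from this thread): "guest" is in no zone.
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/network" <<'EOF'
config interface 'loopback'
	option device 'lo'
config interface 'lan'
	option device 'br-lan'
config interface 'guest'
	option device 'br-guest'
EOF
    cat > "$d/firewall" <<'EOF'
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
config zone
	option name 'lan'
	list network 'lan'
EOF
    unzoned_ifaces "$d/network" "$d/firewall"
    rm -rf "$d"
}
demo
```

On the router itself, calling `unzoned_ifaces` with no arguments reads the live config files.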

Default of defaults here. You can safely change reject to drop to quiet it down a bit.

1 Like