Hi all,
I encountered an issue with logging rejected packets, and I am still not sure whether it is due to a fault on my side.
My desired firewalling strategy is to deny everything from LAN to WAN by default and then selectively allow the outbound traffic I need. I prefer to reject packets for which there is no defined firewall rule instead of dropping them, for the sake of better troubleshooting. The rejected packets should be logged if possible.
I achieved a "working" configuration (except for logging) by removing the forwarding from LAN to WAN and setting the default action for forwarding to REJECT.
I wonder if this is the correct way, or if I should, for example, keep the forwarding and instead set a DENY rule at the end of my ALLOW rules.
Here's a (reduced) output of my /etc/config/firewall:
# Explicit ACCEPT rules for lan -> wan. Anything from lan to wan that matches
# none of them falls through to the zone/default forward policy (REJECT).
config rule
	option target 'ACCEPT'
	option name 'Allow ping from LAN to WAN'
	option src 'lan'
	option src_ip '192.168.1.0/24'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option dest 'wan'
	option family 'ipv4'

config rule
	option target 'ACCEPT'
	option name 'Allow ntp from LAN to WAN'
	option src 'lan'
	option proto 'udp'
	option dest_port '123'
	option family 'ipv4'
	option src_ip '192.168.1.0/24'
	option dest 'wan'

config rule
	option target 'ACCEPT'
	option name 'Allow ftp,http,https from LAN/96-127 to WAN'
	option src 'lan'
	option src_ip '192.168.1.96/27'
	option proto 'tcp'
	option dest_port '21 80 443'
	option dest 'wan'
	option family 'ipv4'

# Global defaults; forward is REJECT so unmatched forwarded traffic is refused.
config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option drop_invalid '1'

# lan zone: logging enabled for this zone's rejected/dropped traffic.
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option log '1'
	option network 'lan'

config zone
	option name 'wan'
	option input 'DROP'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option log '0'
	option network 'wan wan6'

# Note: there is intentionally no 'config forwarding' section from lan to wan,
# so only the explicit rules above permit lan -> wan traffic.

config include
	option path '/etc/firewall.user'
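One way to check whether rejected lan -> wan packets actually reach the log, as an added example that is not part of the original post: the script below parses kernel firewall log lines and summarizes rejected forwarded flows per source, destination, protocol and destination port. It assumes the log prefix format "<TARGET> <zone> <chain>: " that fw3's LOG rules write, followed by the standard netfilter LOG fields (IN=, OUT=, SRC=, DST=, PROTO=, SPT=, DPT=, ...). The sample lines are constructed here to match the rules in the post (192.168.1.50 is outside 192.168.1.96/27, so its HTTPS is rejected; DNS is not allowed at all); on the router you would pipe `logread` or `dmesg` into the function instead.

```shell
#!/bin/sh
# Added example, not from the original post. Summarize firewall REJECT/DROP
# log entries for the forward chain, as written by OpenWrt fw3 LOG rules
# (assumed prefix "<TARGET> <zone> <chain>: " plus netfilter LOG fields).

# Constructed sample log lines (not captured from a real router).
SAMPLE_LOG='Mon Jan  1 10:00:01 2024 kern.warn kernel: [ 1234.567890] REJECT lan forward: IN=br-lan OUT=eth0.2 MAC=aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:08:00 SRC=192.168.1.50 DST=93.184.216.34 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=12345 DF PROTO=TCP SPT=51234 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Mon Jan  1 10:00:02 2024 kern.warn kernel: [ 1235.000000] REJECT lan forward: IN=br-lan OUT=eth0.2 MAC=aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:08:00 SRC=192.168.1.50 DST=93.184.216.34 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=12346 DF PROTO=TCP SPT=51235 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Mon Jan  1 10:00:03 2024 kern.warn kernel: [ 1236.000000] REJECT lan forward: IN=br-lan OUT=eth0.2 MAC=aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:08:00 SRC=192.168.1.20 DST=8.8.8.8 LEN=56 TOS=0x00 PREC=0x00 TTL=63 ID=777 DF PROTO=UDP SPT=40000 DPT=53 LEN=36
Mon Jan  1 10:00:04 2024 kern.warn kernel: [ 1237.000000] DROP wan in: IN=eth0.2 OUT= MAC=00:11:22:33:44:55:aa:bb:cc:dd:ee:ff:08:00 SRC=203.0.113.9 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=1 PROTO=TCP SPT=44444 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0'

# summarize_rejects: read log lines on stdin, keep only REJECT/DROP entries of
# a zone's forward chain (input-chain hits like "DROP wan in:" are skipped),
# and print "<count> <src> <dst> <proto> <dport>", most frequent first.
summarize_rejects() {
    awk '
    /(REJECT|DROP) [a-z0-9_]+ forward: / {
        src = ""; dst = ""; proto = ""; dpt = "-"
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "SRC") src = kv[2]
            else if (kv[1] == "DST") dst = kv[2]
            else if (kv[1] == "PROTO") proto = kv[2]
            else if (kv[1] == "DPT") dpt = kv[2]
        }
        if (src != "" && dst != "") count[src " " dst " " proto " " dpt]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Usage: on a router replace the sample with `logread | summarize_rejects`.
printf '%s\n' "$SAMPLE_LOG" | summarize_rejects
```

If the summary stays empty while traffic is clearly being refused, the LOG rules are not being generated for the chain in question; `iptables -L -v` (or `iptables-save | grep LOG`) shows which chains actually carry a LOG target.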