[LEDE-DEV] firewall issue
Arjen de Korte
arjen+lede at de-korte.org
Fri Aug 25 11:59:15 PDT 2017
Quoting e9hack <e9hack at gmail.com>:
> Hi,
>
> my firewall configuration set the default forward policy to reject
> and wan forward to drop.
>
> iptable -L -v
>
> Chain FORWARD (policy DROP 0 packets, 0 bytes)
> pkts bytes target prot opt in out source destination
> 330K 276M forwarding_rule all -- any any anywhere anywhere /* !fw3: user chain for forwarding */
> 325K 276M ACCEPT all -- any any anywhere anywhere ctstate RELATED,ESTABLISHED /* !fw3 */
> 3035 200K zone_lan_forward all -- br-lan any anywhere anywhere /* !fw3 */
> 483 21304 zone_wan_forward all -- pppoe-wan any anywhere anywhere /* !fw3 */
> 167 10623 zone_guest1_forward all -- br-guest1 any anywhere anywhere /* !fw3 */
> ...
> 34 2040 reject all -- any any anywhere anywhere /* !fw3 */
>
> Chain zone_wan_forward (1 references)
> pkts bytes target prot opt in out source destination
> 483 21304 forwarding_wan_rule all -- any any anywhere anywhere /* !fw3: user chain for forwarding */
> 483 21304 ACCEPT all -- any any anywhere anywhere ctstate DNAT /* !fw3: Accept port forwards */
> 0 0 zone_wan_dest_DROP all -- any any anywhere anywhere /* !fw3 */
>
> Chain zone_wan_dest_DROP (9 references)
> pkts bytes target prot opt in out source destination
> 0 0 DROP all -- any pppoe-wan anywhere anywhere /* !fw3 */
>
> I expect that the last line in zone_wan_forward is a drop rule with
> 'out' set to 'any' and not 'out' set to 'pppoe-wan'. The same occurs
> for IPv6.
See https://bugs.lede-project.org/index.php?do=details&task_id=920.

Apparently this is intentional, but I agree with you this is
unexpected. I ended up reverting
https://git.lede-project.org/?p=project/firewall3.git;a=commit;h=91953d6a6e90df988f442f53097bd208784,
which makes the default policy source bound again (instead of
destination bound as it is now). Since the traffic enters the forward
chains source bound, this will match all traffic that makes it to the
last rule in the forward chains.
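An added check (my own example, not code from fw3 or from either poster) that parses an `iptables -L -v` listing modelled on the one quoted above and reports whether a zone's forward chain ends in a drop bound to a specific out-interface, as observed in the thread, or in a catch-all drop. The listing, counters and the "fixed" variant are constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the listing quoted in the thread
# (counters shortened; not the poster's actual output).
SAMPLE = """\
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source     destination
  483 21304 zone_wan_forward  all  --  pppoe-wan any  anywhere  anywhere  /* !fw3 */

Chain zone_wan_forward (1 references)
 pkts bytes target     prot opt in     out     source     destination
  483 21304 ACCEPT     all  --  any    any     anywhere   anywhere  ctstate DNAT
    0     0 zone_wan_dest_DROP  all  --  any  any  anywhere  anywhere  /* !fw3 */

Chain zone_wan_dest_DROP (9 references)
 pkts bytes target     prot opt in     out     source     destination
    0     0 DROP       all  --  any    pppoe-wan  anywhere  anywhere  /* !fw3 */
"""

# Constructed variant with the source-bound catch-all the poster expected.
FIXED = SAMPLE.replace("--  any    pppoe-wan", "--  any    any")

Rule = Dict[str, str]


def parse_listing(text: str) -> Dict[str, List[Rule]]:
    """Parse `iptables -L -v` output into {chain: [rule, ...]}, keeping target/in/out."""
    chains: Dict[str, List[Rule]] = {}
    current = None
    for line in text.splitlines():
        m = re.match(r"Chain (\S+) \(", line)
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        f = line.split()
        if current is None or len(f) < 9 or f[0] == "pkts":
            continue  # blank line or column header row
        chains[current].append({"target": f[2], "in": f[5], "out": f[6]})
    return chains


def terminal_drop_is_interface_bound(chains: Dict[str, List[Rule]], chain: str) -> bool:
    """Follow the last rule of `chain` through user chains; True when the final
    DROP/REJECT only matches a specific out-interface instead of 'any'."""
    seen = set()
    while chain in chains and chain not in seen:
        seen.add(chain)
        last = chains[chain][-1]
        if last["target"] in ("DROP", "REJECT"):
            return last["out"] != "any"
        chain = last["target"]  # jump into the user chain and keep following
    raise ValueError("no terminal DROP/REJECT reached from %s" % chain)
```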