WIKIABOUT

FOR TIPS, gUIDES & TUTORIALS

subscribe to our Youtube

GO TO YOUTUBE

14455 questions

17168 answers

28195 comments

0 members

Most popular tags

rut955 rut240 rut950 rutx11 rms vpn to openvpn wifi not sms trb140 firmware connection - ipsec on rutx12 rutx09 modbus
We are migrating to our new platform at https://community.teltonika.lt. Moving forward, you can continue discussions on this new platform. This current platform will be temporarily maintained for reference purposes.

RUTOS default firewall rule frowards LAN->WAN regardless

0 votes
253 views 1 comments
by anonymous

Hello,

I am working on an industrial application and want to lock down the firewall as much as possible.

So first things, I set all optoins (except LAN input) in Firewall --> General and Firewall --> Zones to "Reject" and disabled all Traffic Rules.

Strangely, I can still ping the internet from inside the LAN.

Checking /etc/config/firewall:

config defaults

        option syn_flood '1'

        option flow_offloading '0'

        option auto_helper '0'

        option drop_invalid '1'

        option input 'DROP'

        option output 'DROP'

        option forward 'DROP'

config zone

        option name 'lan'

        option input 'ACCEPT'

        option masq '0'

        option mtu_fix '0'

        option conntrack '0'

        option log '0'

        option network 'lan'

        option output 'REJECT'

        option forward 'REJECT'

config zone

        option name 'wan'

        option input 'REJECT'

        option masq '1'

        option mtu_fix '1'

        option network 'wan mob1s1a1'

        option forward 'REJECT'

        option output 'REJECT'

config rule

        (all rules)

        option enabled '0'

The key is a final rule 

config forwarding

        option src 'lan'

        option dest 'wan'

That comes from the default "Inter-Zone-Forwarding", however does not get disabled when LAN->WAN Forwarding = Reject.

Furthermore, the "Inter-Zone-Forwarding" rule WAN->LAN does not result in an equivalent entry in /etc/config/firewall.

Does anyone know if this entry is legitimate or a bug in RUTOS?

It just seems strange, that all outputs and forwards can be rejected, and yet the internet is still reachable from inside the LAN.

1 Answer

0 votes
by anonymous
Good afternoon.

Thank you for your submission.

For test purposes, I assembled a scheme with this configuration, in which the firewall works correctly.

Specify the device model and software version.

Might be worth updating it.

Best Regards

Thank you.
by anonymous
Thanks,

I checked previous configurations on the RUT240 and the forward rule has always been there.

The configuration that works for me is to remove the above forward rule and allow only specific connections from inside the LAN via traffic rules.