
Hello,

I am working on an industrial application and want to lock down the firewall as much as possible.

So first things, I set all options (except LAN input) in Firewall --> General and Firewall --> Zones to "Reject" and disabled all Traffic Rules.

Strangely, I can still ping the internet from inside the LAN.

Checking /etc/config/firewall:

config defaults
        option syn_flood '1'
        option flow_offloading '0'
        option auto_helper '0'
        option drop_invalid '1'
        option input 'DROP'
        option output 'DROP'
        option forward 'DROP'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option masq '0'
        option mtu_fix '0'
        option conntrack '0'
        option log '0'
        option network 'lan'
        option output 'REJECT'
        option forward 'REJECT'

config zone
        option name 'wan'
        option input 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan mob1s1a1'
        option forward 'REJECT'
        option output 'REJECT'

config rule
        (all rules)
        option enabled '0'

The key is a final rule:

config forwarding
        option src 'lan'
        option dest 'wan'

That comes from the default "Inter-Zone-Forwarding"; however, it does not get disabled when LAN->WAN Forwarding = Reject.

Furthermore, the "Inter-Zone-Forwarding" rule WAN->LAN does not result in an equivalent entry in /etc/config/firewall.

Does anyone know if this entry is legitimate or a bug in RUTOS?

It just seems strange that all outputs and forwards can be rejected, and yet the internet is still reachable from inside the LAN.
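The behaviour described in the question (a `config forwarding` section keeping LAN->WAN open even though the zone's own forward policy is REJECT) can be caught by auditing the config file itself. The script below is an added example, not code from the original post or from Teltonika; it parses a constructed UCI snippet modelled on the one quoted above and reports every forwarding pair that stays open despite a non-ACCEPT zone forward policy.

```python
import shlex

# Constructed sample mirroring the config quoted in the question (not the poster's file).
SAMPLE_CONFIG = """
config defaults
        option forward 'DROP'

config zone
        option name 'lan'
        option forward 'REJECT'

config zone
        option name 'wan'
        option forward 'REJECT'
        option network 'wan mob1s1a1'

config forwarding
        option src 'lan'
        option dest 'wan'
"""

def parse_uci(text):
    """Minimal UCI parser: returns a list of (section_type, {option: value})."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        parts = shlex.split(line)
        if parts[0] == 'config':
            sections.append((parts[1], {}))
        elif parts[0] in ('option', 'list') and sections:
            sections[-1][1][parts[1]] = parts[2] if len(parts) > 2 else ''
    return sections

def audit_forwardings(text):
    """Return (src, dest) pairs that a 'config forwarding' section keeps open even
    though the source zone's own 'forward' policy is REJECT/DROP. The forwarding
    section installs an explicit accept; the zone policy only covers the rest."""
    sections = parse_uci(text)
    zone_policy = {s['name']: s.get('forward', 'REJECT').upper()
                   for t, s in sections if t == 'zone' and 'name' in s}
    findings = []
    for t, s in sections:
        if t == 'forwarding' and s.get('enabled', '1') != '0':
            src, dest = s.get('src'), s.get('dest')
            if zone_policy.get(src, 'REJECT') != 'ACCEPT':
                findings.append((src, dest))
    return findings
```

Run it against a copy of the real /etc/config/firewall to list the forwarding sections that need to be removed or disabled before the zone policies actually take effect.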

1 Answer

Good afternoon.

Thank you for your submission.

For test purposes, I assembled a scheme with this configuration, in which the firewall works correctly.

Specify the device model and software version.

Might be worth updating it.

Best Regards

Thank you.
by
Thanks,

I checked previous configurations on the RUT240 and the forward rule has always been there.

The configuration that works for me is to remove the above forward rule and allow only specific connections from inside the LAN via traffic rules.