Hello,
I am working on an industrial application and want to lock down the firewall as much as possible.
So first thing, I set all options (except LAN input) in Firewall --> General and Firewall --> Zones to "Reject" and disabled all Traffic Rules.
Strangely, I can still ping the internet from inside the LAN.
Checking /etc/config/firewall:
config defaults
    option syn_flood '1'
    option flow_offloading '0'
    option auto_helper '0'
    option drop_invalid '1'
    option input 'DROP'
    option output 'DROP'
    option forward 'DROP'

config zone
    option name 'lan'
    option input 'ACCEPT'
    option masq '0'
    option mtu_fix '0'
    option conntrack '0'
    option log '0'
    option network 'lan'
    option output 'REJECT'
    option forward 'REJECT'

config zone
    option name 'wan'
    option input 'REJECT'
    option masq '1'
    option mtu_fix '1'
    option network 'wan mob1s1a1'
    option forward 'REJECT'
    option output 'REJECT'

config rule
    (all rules)
    option enabled '0'
The key is a final rule:

config forwarding
    option src 'lan'
    option dest 'wan'
That comes from the default "Inter-Zone-Forwarding"; however, it does not get disabled when LAN->WAN Forwarding = Reject.
Furthermore, the "Inter-Zone-Forwarding" rule WAN->LAN does not result in an equivalent entry in /etc/config/firewall.
Does anyone know if this entry is legitimate or a bug in RUTOS?
It just seems strange that all outputs and forwards can be rejected, and yet the internet is still reachable from inside the LAN.
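An added audit check, not part of the original post or of RUTOS: a POSIX shell/awk script that parses a UCI firewall config and flags every "config forwarding" section whose source zone carries a REJECT or DROP forward policy, which is exactly the lan->wan entry described above. The embedded sample config is constructed from the sections quoted in the post, with unrelated options left out.

```shell
#!/bin/sh
# Audit a UCI firewall config for "config forwarding" sections that bypass the
# source zone's forward policy. Sample config constructed for this example from
# the sections quoted in the post; unrelated options omitted.
sample_cfg() {
    cat <<'EOF'
config defaults
    option forward 'DROP'
config zone
    option name 'lan'
    option forward 'REJECT'
    option network 'lan'
config zone
    option name 'wan'
    option forward 'REJECT'
    option network 'wan mob1s1a1'
config forwarding
    option src 'lan'
    option dest 'wan'
EOF
}

# Read a UCI firewall config on stdin; print one line per forwarding section:
# src->dest, the src zone's forward policy, a verdict, and its UCI section path.
audit_forwardings() {
    awk '
    $1 == "config" { n++; type[n] = $2; next }
    $1 == "option" {
        v = $0                                      # keep multi-word values intact
        sub(/^[ \t]*option[ \t]+[^ \t]+[ \t]+/, "", v)
        gsub(/'\''/, "", v)                         # strip UCI single quotes
        opt[n, $2] = v
    }
    END {
        for (i = 1; i <= n; i++)                    # zone name -> forward policy
            if (type[i] == "zone") pol[opt[i, "name"]] = opt[i, "forward"]
        for (i = 1; i <= n; i++) {
            if (type[i] != "forwarding") continue
            s = opt[i, "src"]; d = opt[i, "dest"]
            p = (s in pol) ? pol[s] : "unknown"
            verdict = (p == "REJECT" || p == "DROP") ? "OVERRIDES zone policy" : "consistent"
            printf "%s->%s zone_forward=%s %s (firewall.@forwarding[%d])\n", s, d, p, verdict, k++
        }
    }'
}

# Count forwarding sections that override a REJECT/DROP zone policy (0 when none).
count_overrides() { audit_forwardings | grep -c 'OVERRIDES' || true; }
sample_cfg | audit_forwardings
```

On a live device, run it against /etc/config/firewall instead of the sample; the reported firewall.@forwarding[N] path is the section that `uci show firewall` lists under that index.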