OpenWrt Forum Archive

Topic: Firewall rule won't work

The content of this topic has been archived on 2 Sep 2014. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

I'm trying to make it so that traffic from my HE ipv6 tunnel won't be routed onto my internal network. As far as I can tell, its firewall zone is not allowed to forward to my lan zone, and I even created a rule for all traffic from he:0.0.0.0/0 to lan:0.0.0.0/0:* to DROP the traffic. Yet I can still ping and connect to LAN systems from an external server. Here are my rules:

http://i.imgur.com/TLUpH8X.png

Pastebin of /etc/config/firewall here

Only custom rule is one to allow the tunnel itself to be connected (iptables -A INPUT -p 41 -i eth0 -j ACCEPT). It's running a somewhat outdated version of OpenWRT (10.03.1-RC6) but I wouldn't think that would prevent the firewall from blocking properly.

Ugh, changing it to reject forwarding on HE worked, even though it clearly says that the blanket forwarding rule is for different networks within that zone.

Yeah, but you explicitly overrode the default rule with an ACCEPT for the same thing.

config 'zone'
        option 'name' 'he'
        option 'output' 'ACCEPT'
        option 'forward' 'ACCEPT'
        option 'network' 'he'
        option 'input' 'REJECT'
        option 'conntrack' '1'

Which is going to take precedence over the default rule...

(Last edited by qasdfdsaq on 7 Jul 2014, 18:38)
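One way to catch this kind of override during a config review, added here as an example and not taken from the thread: a small Python parser over UCI firewall text that reports zones whose own forward policy is ACCEPT while the global default is not. The sample config is constructed, modelled on the 'he' zone block quoted above.

```python
import shlex

# Constructed sample, modelled on the 'he' zone block quoted in the thread.
SAMPLE_CONFIG = """
config 'defaults'
        option 'forward' 'REJECT'
config 'zone'
        option 'name' 'lan'
        option 'forward' 'REJECT'
config 'zone'
        option 'name' 'he'
        option 'output' 'ACCEPT'
        option 'forward' 'ACCEPT'
        option 'network' 'he'
        option 'input' 'REJECT'
        option 'conntrack' '1'
config 'forwarding'
        option 'src' 'lan'
        option 'dest' 'he'
"""

def parse_uci(text):
    """Return [(section_type, {option: value})] from UCI config text."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # strips the single quotes UCI uses
        if parts[0] == "config":
            # 'config zone he' names the section; keep it as a fallback name
            sections.append((parts[1], {"name": parts[2]} if len(parts) > 2 else {}))
        elif parts[0] in ("option", "list") and sections:  # last list value wins
            sections[-1][1][parts[1]] = parts[2]
    return sections

def permissive_zones(text):
    """Zones whose own forward policy is ACCEPT while the default is not.
    Such a zone overrides the global default for traffic it forwards, which
    is why the 'he' zone above could still reach 'lan'."""
    sections = parse_uci(text)
    default = next((o.get("forward", "REJECT") for t, o in sections
                    if t == "defaults"), "REJECT").upper()
    if default == "ACCEPT":
        return []
    return [o.get("name", "?") for t, o in sections
            if t == "zone" and o.get("forward", "REJECT").upper() == "ACCEPT"]
```

Running `permissive_zones(SAMPLE_CONFIG)` returns `['he']`; flipping that zone's forward policy to REJECT, as the poster did, empties the list.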

But isn't that linked to the Input/Output/Forward controls on luci? I'm talking about the ones in the row for that zone/on the zone page. Seems like a misleading tooltip if so.

The discussion might have continued from here.