Quoting e9hack <e9h...@gmail.com>:
Hi,
my firewall configuration sets the default forward policy to reject
and the wan forward policy to drop.
iptables -L -v
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target               prot opt in         out        source    destination
 330K  276M forwarding_rule      all  --  any        any        anywhere  anywhere  /* !fw3: user chain for forwarding */
 325K  276M ACCEPT               all  --  any        any        anywhere  anywhere  ctstate RELATED,ESTABLISHED /* !fw3 */
 3035  200K zone_lan_forward     all  --  br-lan     any        anywhere  anywhere  /* !fw3 */
  483 21304 zone_wan_forward     all  --  pppoe-wan  any        anywhere  anywhere  /* !fw3 */
  167 10623 zone_guest1_forward  all  --  br-guest1  any        anywhere  anywhere  /* !fw3 */
...
   34  2040 reject               all  --  any        any        anywhere  anywhere  /* !fw3 */

Chain zone_wan_forward (1 references)
 pkts bytes target               prot opt in         out        source    destination
  483 21304 forwarding_wan_rule  all  --  any        any        anywhere  anywhere  /* !fw3: user chain for forwarding */
  483 21304 ACCEPT               all  --  any        any        anywhere  anywhere  ctstate DNAT /* !fw3: Accept port forwards */
    0     0 zone_wan_dest_DROP   all  --  any        any        anywhere  anywhere  /* !fw3 */

Chain zone_wan_dest_DROP (9 references)
 pkts bytes target               prot opt in         out        source    destination
    0     0 DROP                 all  --  any        pppoe-wan  anywhere  anywhere  /* !fw3 */
I expect that the last line in zone_wan_forward is a drop rule with
'out' set to 'any', not 'out' set to 'pppoe-wan'. The same occurs
for IPv6.
See https://bugs.lede-project.org/index.php?do=details&task_id=920.
Apparently this is intentional, but I agree with you that this is
unexpected. I ended up reverting
https://git.lede-project.org/?p=project/firewall3.git;a=commit;h=91953d6a6e90df988f442f53097bd208784,
which makes the default policy source-bound again (instead of
destination-bound as it is now). Since the traffic enters the forward
chains source-bound, this will match all traffic that makes it to the
last rule in the forward chains.
_______________________________________________
Lede-dev mailing list
Lede-dev@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/lede-dev
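An added example, not code from this thread or from firewall3: a small model of netfilter chain traversal with the FORWARD / zone_wan_forward / zone_wan_dest_DROP layout from the posted `iptables -L -v` listing. It shows why a destination-bound DROP (`-o pppoe-wan`) in zone_wan_dest_DROP never matches a new packet arriving on pppoe-wan (the packet falls back into FORWARD and is counted on the final reject rule, which is what the counters in the listing show), while a source-bound DROP (`-i pppoe-wan`) catches it inside the zone chain. Assumptions made here: only interface and conntrack-state matching is modelled, fw3's `reject` user chain is treated as a REJECT verdict, and the lan/guest zone chains are left empty because the thread does not show their contents.

```python
from dataclasses import dataclass
from typing import Optional

# Added example (not firewall3 code): a minimal model of netfilter chain
# traversal. Only -i / -o interface matches and a simplified ctstate are
# modelled; everything else in the posted listing (prot, source, dest)
# is 'any' and is therefore ignored.

TERMINAL = {"ACCEPT", "DROP", "REJECT"}   # verdicts that end traversal


@dataclass
class Packet:
    in_if: str
    out_if: str
    ctstate: str          # simplified: one of NEW, ESTABLISHED, RELATED, DNAT


@dataclass
class Rule:
    target: str                            # terminal verdict, RETURN, or a user chain
    in_if: Optional[str] = None            # -i (None = any)
    out_if: Optional[str] = None           # -o (None = any)
    ctstates: Optional[frozenset] = None   # -m conntrack --ctstate (None = any)

    def matches(self, pkt: Packet) -> bool:
        if self.in_if is not None and self.in_if != pkt.in_if:
            return False
        if self.out_if is not None and self.out_if != pkt.out_if:
            return False
        if self.ctstates is not None and pkt.ctstate not in self.ctstates:
            return False
        return True


def walk(chains, name, pkt):
    """Traverse chain `name`. Return (verdict, deciding chain), or None when
    the chain RETURNs or falls off its end, so the calling chain continues."""
    for rule in chains[name]:
        if not rule.matches(pkt):
            continue
        if rule.target in TERMINAL:
            return rule.target, name
        if rule.target == "RETURN":
            return None
        result = walk(chains, rule.target, pkt)   # jump into a user chain
        if result is not None:
            return result
    return None


def forward_verdict(chains, pkt, policy="DROP"):
    """Verdict for a forwarded packet; the built-in chain policy applies
    when no rule decides (the posted FORWARD policy is DROP)."""
    return walk(chains, "FORWARD", pkt) or (policy, "policy")


def fw3_forward(wan_drop_bound_to):
    """Ruleset mirroring the posted listing.
    'dest' -> current fw3 behaviour, zone_wan_dest_DROP is `DROP -o pppoe-wan`
    'src'  -> the reverted behaviour,  zone_wan_dest_DROP is `DROP -i pppoe-wan`"""
    if wan_drop_bound_to == "dest":
        wan_drop = Rule("DROP", out_if="pppoe-wan")
    else:
        wan_drop = Rule("DROP", in_if="pppoe-wan")
    return {
        "FORWARD": [
            Rule("forwarding_rule"),
            Rule("ACCEPT", ctstates=frozenset({"RELATED", "ESTABLISHED"})),
            Rule("zone_lan_forward", in_if="br-lan"),
            Rule("zone_wan_forward", in_if="pppoe-wan"),
            Rule("zone_guest1_forward", in_if="br-guest1"),
            Rule("REJECT"),              # fw3's final 'reject' chain, modelled as a verdict
        ],
        "forwarding_rule": [],           # user chains for custom rules, empty here
        "forwarding_wan_rule": [],
        "zone_lan_forward": [],          # assumption: contents not shown in the thread
        "zone_guest1_forward": [],
        "zone_wan_forward": [
            Rule("forwarding_wan_rule"),
            Rule("ACCEPT", ctstates=frozenset({"DNAT"})),   # accept port forwards
            Rule("zone_wan_dest_DROP"),
        ],
        "zone_wan_dest_DROP": [wan_drop],
    }


if __name__ == "__main__":
    # Constructed sample: a new inbound connection arriving on the WAN, headed for the LAN.
    new_from_wan = Packet(in_if="pppoe-wan", out_if="br-lan", ctstate="NEW")
    for bound in ("dest", "src"):
        print(bound, forward_verdict(fw3_forward(bound), new_from_wan))
```

With the destination-bound rule the new WAN packet is decided by the final rule of FORWARD, matching the 34-packet `reject` counter and the zero counter on zone_wan_dest_DROP in the listing; with the source-bound rule it is dropped inside zone_wan_dest_DROP. DNAT'd port forwards and ESTABLISHED replies are accepted either way, so the revert changes only where unsolicited inbound traffic is dropped, not whether it is.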