cross-posted to: https://sh.itjust.works/post/14114626
If the rule is about forwarding traffic from the `lan` interface to the `wan` interface, then why is there also a forward rule? How would inputs and outputs make any sense if the rule is talking about forwarding? What does it mean for `wan` to forward to `REJECT`? I interpret that as saying that `wan` doesn't go anywhere, but that wouldn't make sense given that the router can send and receive over the internet.
For example, I would interpret the first rule as follows:

- `lan => wan`: the conditions for which connections from the `lan` interface are forwarded to the `wan` interface.
- `Input: accept`: the `lan` interface accepts all connections originating from the network (I wouldn't understand the point of setting this to be `reject`).
- `Output: accept`: all connections exiting the `wan` interface are accepted (again, I'm not sure what the point of this would be).
- `Forward: accept`: forwarding of packets from `lan` to `wan` is allowed.
- Masquerade: I honestly don't know what the effect of enabling this would be. What would it mean to masquerade the `lan` interface?
I tried finding documentation, and I did come across this, and this, but, from what I could understand, they didn’t really answer any of my questions.
How does this work with the second rule? Wouldn't any connection from the internet be a connection originating from another device within the `wan` zone (internet) with the router as the destination? The rule has `Input: reject`, but I would think that it should then be `Input: accept`.

Input means the packet stops at the router, like when you access its web UI. I don't think you want to give the internet access to your router settings :)
Ah okay, so if `Output: accept` is still enabled, then, even though `Input: reject` is set, the packet can still use the router as a hop in its journey to a device on the router's network? It just can't stop at the router? I guess that makes sense because the device on the router's network is addressed by a port which is a layer above the IP address, so it wouldn't even have a notion of addressing the router unless it just specifies the raw IP.

[EDIT (2024-02-08T00:21Z): Redacted this paragraph after re-reading this comment.]
Another thing that is confusing me is the setting for `Forward`. I would assume that if a packet is destined for a device on the router's network, then that packet is being forwarded from `wan` to `lan`, and if `Masquerading` is enabled, then the destination IP will be modified by the router. But, in the example image we have that `Forward: reject` is set. How does the packet get forwarded between interfaces if forwarding is disabled?

[EDIT (2024-02-08T00:21Z): Added the following quote, and response.]
How does the router differentiate between the two? If I remember correctly, nftables uses conntrack to track this sort of stuff. I would guess that the router does the same?
[EDIT (2024-02-08T00:26Z): Added the following update.]
When I was looking through the settings for the second row, I came across the following setting:

I believe that this setting is accomplishing the behaviour that you described (not allowing connections from `wan`, but still allowing responses). Correct?
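As an added example (not from this thread and not OpenWrt's own code), here is a small Python model of how the pieces asked about above fit together: the per-zone `input`/`output`/`forward` defaults from the two rows, the single `lan => wan` forwarding, masquerading on the `wan` zone, and the connection-tracking step that lets replies back in even though `wan` has `Input: reject` and `Forward: reject`. The zone values are taken from the rows as described in the thread; the addresses, hosts and the exact order of checks are assumptions made for the example (the real netfilter ruleset has more chains and an explicit ESTABLISHED,RELATED rule, but the decision order shown is the same idea).

```python
"""Toy model of OpenWrt-style firewall zones with connection tracking.

Constructed example: two zones (lan, wan) with the defaults described in the
thread and one explicit lan => wan forwarding. Addresses are documentation
values (RFC 1918 / RFC 5737) chosen for the example.
"""
from dataclasses import dataclass

# Assumed zone defaults, mirroring the two rows described in the thread.
ZONES = {
    "lan": {"input": "ACCEPT", "output": "ACCEPT", "forward": "ACCEPT", "masq": False},
    "wan": {"input": "REJECT", "output": "ACCEPT", "forward": "REJECT", "masq": True},
}
# Explicit zone-to-zone forwardings (the "lan => wan" row). There is no wan => lan.
FORWARDINGS = {("lan", "wan")}

LAN_PREFIX = "192.168.1."        # constructed LAN subnet
ROUTER_LAN_IP = "192.168.1.1"    # constructed router address on lan
ROUTER_WAN_IP = "203.0.113.10"   # constructed router address on wan


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


def zone_of(ip: str) -> str:
    """Zone membership: the LAN subnet is 'lan', everything else is 'wan'."""
    return "lan" if ip.startswith(LAN_PREFIX) else "wan"


class Firewall:
    def __init__(self) -> None:
        # Conntrack table: key is the expected *reply* 5-tuple, value is the
        # original (ip, port) to restore if the flow was masqueraded.
        self.conntrack: dict[tuple, tuple] = {}

    def _track(self, src, sport, dst, dport, proto, orig_src) -> None:
        self.conntrack[(dst, dport, src, sport, proto)] = orig_src

    def decide(self, p: Packet) -> tuple[str, Packet]:
        """Return (verdict, packet as it leaves the router)."""
        key = (p.src, p.sport, p.dst, p.dport, p.proto)
        # 1. Replies to a tracked flow are accepted before any zone policy
        #    (the ESTABLISHED,RELATED rule). Undo NAT if the flow was masqueraded.
        if key in self.conntrack:
            orig_ip, orig_port = self.conntrack[key]
            return "ACCEPT:established", Packet(p.src, p.sport, orig_ip, orig_port, p.proto)

        in_zone = zone_of(p.src)
        router_ips = {ROUTER_LAN_IP, ROUTER_WAN_IP}

        # 2. Traffic the router itself sends: OUTPUT policy of the egress zone.
        if p.src in router_ips:
            verdict = ZONES[zone_of(p.dst)]["output"]
            if verdict == "ACCEPT":
                self._track(*key, (p.src, p.sport))
            return f"{verdict}:output", p

        # 3. Traffic addressed to the router itself: INPUT policy of the ingress zone.
        if p.dst in router_ips:
            verdict = ZONES[in_zone]["input"]
            if verdict == "ACCEPT":
                self._track(*key, (p.src, p.sport))
            return f"{verdict}:input", p

        # 4. Transit traffic: an explicit forwarding wins, otherwise the
        #    ingress zone's FORWARD default applies.
        out_zone = zone_of(p.dst)
        verdict = "ACCEPT" if (in_zone, out_zone) in FORWARDINGS else ZONES[in_zone]["forward"]
        if verdict != "ACCEPT":
            return f"{verdict}:forward", p

        # 5. Masquerade belongs to the *egress* zone: rewrite the source to the
        #    router's address on that zone and remember the mapping for replies.
        out = p
        if ZONES[out_zone]["masq"]:
            out = Packet(ROUTER_WAN_IP, p.sport, p.dst, p.dport, p.proto)
        self._track(out.src, out.sport, out.dst, out.dport, out.proto, (p.src, p.sport))
        return "ACCEPT:forward", out


def scenario() -> list[str]:
    """Replay the cases discussed in the thread; returns one verdict per packet."""
    fw = Firewall()
    lan_host, web = "192.168.1.20", "198.51.100.5"   # constructed hosts
    steps = [
        Packet(lan_host, 4000, web, 443),             # lan => wan, masqueraded
        Packet(web, 443, ROUTER_WAN_IP, 4000),        # reply: matches conntrack
        Packet(web, 5555, ROUTER_WAN_IP, 80),         # internet hits router UI: INPUT reject
        Packet(web, 5556, lan_host, 22),              # internet to LAN host: FORWARD reject
        Packet(lan_host, 4001, ROUTER_LAN_IP, 80),    # LAN host to router UI: INPUT accept
        Packet(ROUTER_WAN_IP, 4002, web, 53, "udp"),  # router's own DNS query: OUTPUT accept
    ]
    return [fw.decide(p)[0] for p in steps]


if __name__ == "__main__":
    for verdict in scenario():
        print(verdict)
```

The model answers the three questions in the thread directly: `Input` is only consulted for packets whose destination is the router itself, `Output` only for packets the router originates (so it is not what lets a reply "hop through"), and a `wan => lan` packet is dropped by the `wan` zone's `Forward: reject` unless it is the reply half of a flow that conntrack already recorded, which is checked before any zone policy. Masquerading rewrites the source address on the egress (`wan`) side, and the conntrack entry is what maps the reply back to the LAN host. Port collisions between LAN hosts, ICMP and RELATED helpers are left out.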