cross-posted to: https://sh.itjust.works/post/14114626

If the rule is about forwarding traffic from the lan interface to the wan interface, then why is there also a forward rule? How would inputs, and outputs make any sense if the rule is talking about forwarding? What does it mean for wan to forward to REJECT? I interperet that as saying that wan doesn’t go anywhere, but that wouldn’t make sense given that the router can send, and receive over the internet.

For example I would interperet the first rule as follows:

  • lan => wan: the conditions for which connections from the lan interface are forwarded to to the wan interface.
  • Input: accept: the lan interface accepts all connections originating from the network (I wouldn’t understand the point of setting this to be reject).
  • Output: accept: all connections exiting the wan interface are accepted (again, I’m not sure what the point of this would be).
  • Forward: accept: forwarding of packets from lan to wan is allowed.
  • Masquerade: I honestly don’t know what the effect of enabling this would be. What would it mean to masquerade the lan interface?

I tried finding documentation, and I did come across this, and this, but, from what I could understand, they didn’t really answer any of my questions.

  • Kalcifer@sh.itjust.worksOP
    1·
    2 years ago

    Input means packets originating from another device within this zone with the router as the destination.

    How does this work with the second rule? Wouldn’t any connection from the internet be a connection originating from another device within the wan zone (internet) with the router as the destination? The rule has Input: reject, but I would think that it should then be Input: accept.

    • Victoria@lemmy.blahaj.zone
      1·
      2 years ago

      Input means the packet stops at the router, like when you access its web ui. I don’t think you want to give the internet access to your router settings :)

      • Kalcifer@sh.itjust.worksOP
        1·
        2 years ago

        Input means the packet stops at the router

        Ah okay, so if Output: accept is still enabled, then, even though Input: reject is set, the packet can still use the router as a hop in it’s journey to a device on the router’s network? It just can’t stop at the router? I guess that makes sense because the device on the routers network is addressed by a port which is a layer above the IP address, so it wouldn’t even have a notion of addressing the router unless it just specifies the raw IP.

        [EDIT (2024-02-08T00:21Z): Redacted this paragraph after re-reading this comment.]Another thing that is confusing me is the setting for Forward. I would assume that if a packet is destined for a device on the router’s network, then that packet is being forwarded from wan to lan, and if Masquerading is enabled, then the destination IP will be modified by the router. But, in the example image we have that Forward: reject is set. How does the packet get forwarded between interfaces if forwarding is disabled?

        [EDIT (2024-02-08T00:21Z): Added the following quote, and response.]

        When forward on the wan interface is set to reject, it essentially means no device from outside may initiate a connection. However, they may respond to already opened connection.

        How does the router differentiate between the two? If I remember correctly, nftbales uses conntrack to track this sort of stuff. I would guess that the router does the same?

        [EDIT (2024-02-08T00:26Z): Added the following update.]

        nftbales uses conntrack to track this sort of stuff. I would guess that the router does the same?

        When I was looking through the settings for the second row, I came across the following setting:

        I believe that this setting is accomplishing the behaviour that you described (not allowing connections from wan, but still allowing responses). Correct?