On 15.12.2017 at 18:03, Eric Romano wrote:
> The "input" option of your LAN zone is set to ACCEPT. This means that
> any traffic to the interface ip address(es) of that zone will be
> allowed unless otherwise blocked by a rule.
> 
> It's not obvious, but zone forwarding rules are only for traffic forwarded
> on behalf of clients on the network, not for traffic to and from the
> router itself.

This seems not to be correct.

My router also has some other interfaces, which are not forwarded to the lan either. From such interfaces no access to the lan is possible. I added a logging rule for tun and some other interfaces at the beginning of the INPUT and OUTPUT chains. For all interfaces except tun, I see only packets whose SRC and DST addresses are from the same network. For the tun interface, the INPUT chain also shows packets with SRC=10.8.x.x and DST=192.168.z.z, and the OUTPUT chain vice versa.

Finally, I changed the default rule for lan INPUT to REJECT and added all necessary rules for the lan interface explicitly, with the exception of ports 80 and 443. Now I have no access from the lan to the web interface, but I still have access to it over the tun interface.

Something seems to be broken in the network area.

Regards,
Hartmut
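An added helper (not part of Hartmut's message or of LEDE) that performs the check described above over iptables LOG output: for every logged INPUT packet it tells whether SRC and DST both lie in the ingress interface's own network or whether the packet crosses networks, which is the pattern reported for tun. The log lines, interface names and networks below are constructed samples.

```python
import re
import ipaddress

# Constructed sample lines in the shape the kernel emits for a LOG rule at the
# top of the INPUT chain (interfaces, addresses and ports are made up).
SAMPLE_LOG = """\
kernel: INPUT-dbg IN=br-lan OUT= SRC=192.168.1.20 DST=192.168.1.1 LEN=60 PROTO=TCP SPT=51000 DPT=80
kernel: INPUT-dbg IN=tun0 OUT= SRC=10.8.0.6 DST=10.8.0.1 LEN=60 PROTO=UDP SPT=5353 DPT=53
kernel: INPUT-dbg IN=tun0 OUT= SRC=10.8.0.6 DST=192.168.1.1 LEN=60 PROTO=TCP SPT=51002 DPT=443
kernel: INPUT-dbg IN=tun0 OUT= SRC=10.8.0.7 DST=192.168.1.1 LEN=60 PROTO=TCP SPT=51003 DPT=22
"""

# Assumed mapping of ingress interface -> the network attached to it (constructed).
IFACE_NETS = {
    "br-lan": ipaddress.ip_network("192.168.1.0/24"),
    "tun0": ipaddress.ip_network("10.8.0.0/24"),
}

# Only the key=value fields we need; SPT= does not match DPT= because of the \b.
FIELD_RE = re.compile(r"\b(IN|SRC|DST|PROTO|DPT)=(\S*)")


def parse_line(line):
    """Return the interesting fields of one LOG line, or None if it is not one."""
    fields = dict(FIELD_RE.findall(line))
    if not all(k in fields for k in ("IN", "SRC", "DST")):
        return None
    return fields


def classify(fields, iface_nets=IFACE_NETS):
    """'same-net' if SRC and DST are both inside the ingress interface's network,
    'cross-net' if the packet reaches the router from another network."""
    net = iface_nets.get(fields["IN"])
    if net is None:
        return "unknown-iface"
    src = ipaddress.ip_address(fields["SRC"])
    dst = ipaddress.ip_address(fields["DST"])
    return "same-net" if (src in net and dst in net) else "cross-net"


def audit(log_text, iface_nets=IFACE_NETS):
    """One (iface, src, dst, proto, dpt, class) tuple per logged INPUT packet."""
    rows = []
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is None:
            continue
        rows.append((f["IN"], f["SRC"], f["DST"], f.get("PROTO", "?"),
                     f.get("DPT", "?"), classify(f, iface_nets)))
    return rows


def cross_net_hits(log_text, iface_nets=IFACE_NETS):
    """Only the packets that entered the router from a foreign network."""
    return [r for r in audit(log_text, iface_nets) if r[-1] == "cross-net"]
```

Feed it `logread` output after adding the LOG rules; every `cross-net` row names the interface, destination port and protocol of a packet that the zone's input policy let through from another network.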

_______________________________________________
Lede-dev mailing list
Lede-dev@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/lede-dev