Hey
I'm using that rule above in a zone based firewall, but I wanted to test what you said, so I implemented ACL rules instead. Here are the rule sets and interfaces configured.
firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name LAN_IN {
        default-action drop
        enable-default-log
        rule 10 {
            action accept
            description "Allow established/related/new"
            log disable
            protocol all
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid"
            log enable
            protocol all
            state {
                invalid enable
            }
        }
    }
    name WAN_IN {
        default-action drop
        enable-default-log
        rule 10 {
            action accept
            description "Allow established/related"
            log disable
            protocol all
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid"
            log enable
            protocol all
            state {
                invalid enable
            }
        }
    }
    options {
        mss-clamp {
            interface-type pppoe
            mss 1452
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        description "WAN (PPPoE)"
        duplex auto
        pppoe 0 {
            default-route auto
            firewall {
                in {
                    name WAN_IN
                }
            }
            mtu 1492
            name-server auto
            password xxx
            user-id xxx
        }
        speed auto
    }
    ethernet eth1 {
        address 192.168.1.1/24
        description LAN1
        duplex auto
        firewall {
            in {
                name LAN_IN
            }
        }
        speed auto
    }
I applied this configuration and rebooted the EdgeRouter, and now I'm making a post. I don't understand why a new HTTP connection was passed through those rules.
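To make the stateful matching that the posted rule sets express explicit, here is an added example (not code from the post or from EdgeOS) that parses a constructed subset of the config above in its own brace syntax and evaluates LAN_IN/WAN_IN against packet states. It models only the `state` matching written in the rules plus a simplified conntrack where an entry exists only after an accepted first packet; it is not the EdgeOS engine and says nothing about why the author's session behaved as it did.

```python
import shlex

# Constructed subset of the posted config: only the rule sets, only key/value and block forms.
CONFIG = """
name LAN_IN { default-action drop
  rule 10 { action accept description "Allow established/related/new" protocol all
            state { established enable related enable } }
  rule 20 { action drop description "Drop invalid" protocol all state { invalid enable } } }
name WAN_IN { default-action drop
  rule 10 { action accept description "Allow established/related" protocol all
            state { established enable related enable } }
  rule 20 { action drop description "Drop invalid" protocol all state { invalid enable } } }
"""


def parse(tokens, i=0):
    """Turn EdgeOS-style 'key value' / 'key [value] { ... }' tokens into a nested dict."""
    node = {}
    while i < len(tokens):
        tok = tokens[i]
        if tok == "}":
            return node, i + 1
        if i + 1 < len(tokens) and tokens[i + 1] == "{":          # 'state {'
            node[tok], i = parse(tokens, i + 2)
        elif i + 2 < len(tokens) and tokens[i + 2] == "{":        # 'rule 10 {', 'name LAN_IN {'
            node[f"{tok} {tokens[i + 1]}"], i = parse(tokens, i + 3)
        else:                                                     # 'action accept'
            node[tok] = tokens[i + 1]
            i += 2
    return node, i


def verdict(ruleset, state):
    """First rule (numeric order) whose enabled states include `state` wins, else default-action."""
    for key in sorted((k for k in ruleset if k.startswith("rule ")), key=lambda k: int(k.split()[1])):
        rule = ruleset[key]
        enabled = {s for s, v in rule.get("state", {}).items() if v == "enable"}
        if state in enabled:
            return rule["action"]
    return ruleset["default-action"]


def evaluate(chain, state, config_text=CONFIG):
    tree, _ = parse(shlex.split(config_text))
    return verdict(tree[f"name {chain}"], state)


def flow_verdicts(chain, packets, config_text=CONFIG):
    """Simplified conntrack: a flow becomes 'established' only after its first packet is accepted."""
    tree, _ = parse(shlex.split(config_text))
    known, out = set(), []
    for flow in packets:                       # flow is any hashable 5-tuple-like key
        v = verdict(tree[f"name {chain}"], "established" if flow in known else "new")
        out.append(v)
        if v == "accept":
            known.add(flow)
    return out
```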