Just ~ two weeks ago I finally retired my old OpenBSD based gateway in favor of USG. But no, I guess I'm back to putting OpenBSD on USG, and maybe OpenWRT on APs.
Is there a working replacement OS for Ubiquiti PoE switches?
It’s not like it doesn’t already have a firewall built into it.
When I buy [network] equipment, it is my expectation that since I own the HW, I am to a certain degree in control of what they do and to whom they 'talk to'. And call-home / telemetrics without at least opt-out just doesn't sit well with me here.
* Possibly by some other combination of dropping Established/Related traffic. I think that'll get gnarly for the instances where WAN_LOCAL traffic is needed -- VPN, connectivity checks for load balancing, etc.
“eth0_out affects traffic leaving the ER on eth0
eth0_local affects traffic that enters the ER on eth0 and is targeted directly at the ER itself (e.g. the webgui)”
In this case you would put the rule on eth0_out, not eth0_local.
Just now I verified with the following partial ruleset on an EdgeRouter I have in production:
set firewall name WAN_OUT default-action accept
set firewall name WAN_OUT rule 300 action drop
set firewall name WAN_OUT rule 300 description 'block 188.8.131.52'
set firewall name WAN_OUT rule 300 destination address 184.108.40.206
set firewall name WAN_OUT rule 300 protocol all
set interfaces ethernet eth0 firewall out name WAN_OUT
The only way to filter traffic from the router would be to drop the standard "Allow Established / Related" rule from WAN_LOCAL, retain the default drop action, and make specific rules allow whatever the router should be permitted to communicate with. And that would still allow packets to escape the router -- for TCP the communications channel is effectively dead since the handshake can never complete, but it could blast out all the UDP it wants.
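The two posts above both hinge on which firewall hook an EdgeOS ruleset is attached to: a rule on eth0 `local` only sees traffic addressed to the router, so it can never catch traffic the router itself originates; that belongs on eth0 `out`, and return traffic to the router is what the "Allow Established / Related" rule in WAN_LOCAL lets back in. The following is an added example, not code from the thread or from Ubiquiti: a small Python model that parses `set firewall ...` / `set interfaces ... firewall ...` lines in the same form as the snippet quoted above and reports which hook a packet traverses and which ruleset, if any, drops it. The hook semantics (in/out/local), the 192.0.2.10 / 203.0.113.1 addresses and the rule numbers are all constructed for illustration; 192.0.2.10 is a TEST-NET placeholder standing in for a host the router should not contact, not a real endpoint.

```python
from dataclasses import dataclass, field
from typing import Optional
import ipaddress

@dataclass
class Rule:
    number: int
    action: str = "accept"
    description: str = ""
    dst: Optional[str] = None       # 'destination address' (host or CIDR)
    protocol: str = "all"
    states: set = field(default_factory=set)  # states enabled via 'state <x> enable'

@dataclass
class Ruleset:
    name: str
    default_action: str = "drop"
    rules: dict = field(default_factory=dict)  # rule number -> Rule

@dataclass
class Packet:
    dst: str
    protocol: str = "tcp"
    in_iface: Optional[str] = None   # None = generated by the router itself
    out_iface: Optional[str] = None  # None = addressed to the router itself
    state: str = "new"               # conntrack state: new / established / related

def parse_config(text):
    """Parse EdgeOS-style 'set' lines into rulesets and (iface, hook) bindings."""
    rulesets, bindings = {}, {}
    for line in text.splitlines():
        p = line.split()
        if p[:3] == ["set", "firewall", "name"]:
            rs = rulesets.setdefault(p[3], Ruleset(p[3]))
            if p[4] == "default-action":
                rs.default_action = p[5]
            elif p[4] == "rule":
                rule = rs.rules.setdefault(int(p[5]), Rule(int(p[5])))
                k = p[6:]
                if k[0] == "action":
                    rule.action = k[1]
                elif k[0] == "description":
                    rule.description = " ".join(k[1:]).strip("'")
                elif k[:2] == ["destination", "address"]:
                    rule.dst = k[2]
                elif k[0] == "protocol":
                    rule.protocol = k[1]
                elif k[0] == "state" and k[2] == "enable":
                    rule.states.add(k[1])
        elif p[:3] == ["set", "interfaces", "ethernet"] and p[4] == "firewall":
            # [set, interfaces, ethernet, eth0, firewall, <in|out|local>, name, <ruleset>]
            bindings[(p[3], p[5])] = p[7]
    return rulesets, bindings

def rule_matches(rule, pkt):
    if rule.dst and ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst, strict=False):
        return False
    if rule.protocol != "all" and rule.protocol != pkt.protocol:
        return False
    if rule.states and pkt.state not in rule.states:
        return False
    return True

def hooks_for(pkt):
    """(interface, hook) pairs a packet passes through, in order (modelled semantics)."""
    if pkt.in_iface and pkt.out_iface:     # forwarded through the router
        return [(pkt.in_iface, "in"), (pkt.out_iface, "out")]
    if pkt.in_iface:                        # addressed to the router: 'local' only
        return [(pkt.in_iface, "local")]
    if pkt.out_iface:                       # generated by the router: 'out' only
        return [(pkt.out_iface, "out")]
    return []

def evaluate(config_text, pkt):
    """Return ('drop', ruleset) for the first ruleset that drops, else ('accept', None)."""
    rulesets, bindings = parse_config(config_text)
    for hook in hooks_for(pkt):
        name = bindings.get(hook)
        if name is None:
            continue                        # no ruleset on this hook: traffic passes
        rs = rulesets[name]
        verdict = rs.default_action
        for num in sorted(rs.rules):        # lowest rule number wins, as on the device
            if rule_matches(rs.rules[num], pkt):
                verdict = rs.rules[num].action
                break
        if verdict == "drop":
            return ("drop", name)
    return ("accept", None)

# Constructed configs. WAN_LOCAL below is the usual "allow established/related, drop the rest".
BASE = """
set firewall name WAN_LOCAL default-action drop
set firewall name WAN_LOCAL rule 10 action accept
set firewall name WAN_LOCAL rule 10 state established enable
set firewall name WAN_LOCAL rule 10 state related enable
set interfaces ethernet eth0 firewall local name WAN_LOCAL
"""
# Wrong hook: a block rule on 'local' never sees traffic the router originates.
BLOCK_ON_LOCAL = BASE + """
set firewall name WAN_LOCAL rule 5 action drop
set firewall name WAN_LOCAL rule 5 destination address 192.0.2.10
set firewall name WAN_LOCAL rule 5 protocol all
"""
# Right hook: the same block on eth0 'out', mirroring the thread's WAN_OUT snippet.
BLOCK_ON_OUT = BASE + """
set firewall name WAN_OUT default-action accept
set firewall name WAN_OUT rule 300 action drop
set firewall name WAN_OUT rule 300 description 'block 192.0.2.10'
set firewall name WAN_OUT rule 300 destination address 192.0.2.10
set firewall name WAN_OUT rule 300 protocol all
set interfaces ethernet eth0 firewall out name WAN_OUT
"""
# WAN_LOCAL without the established/related rule: replies to the router are dropped too.
STRICT_LOCAL = """
set firewall name WAN_LOCAL default-action drop
set interfaces ethernet eth0 firewall local name WAN_LOCAL
"""
ROUTER_TO_OUTSIDE = Packet(dst="192.0.2.10", out_iface="eth0")                      # router call-home attempt
REPLY_TO_ROUTER = Packet(dst="203.0.113.1", in_iface="eth0", state="established")  # return traffic to the router

if __name__ == "__main__":
    print("block on local, router->outside:", evaluate(BLOCK_ON_LOCAL, ROUTER_TO_OUTSIDE))
    print("block on out,   router->outside:", evaluate(BLOCK_ON_OUT, ROUTER_TO_OUTSIDE))
    print("reply to router, est/rel allowed:", evaluate(BLOCK_ON_OUT, REPLY_TO_ROUTER))
    print("reply to router, strict local:   ", evaluate(STRICT_LOCAL, REPLY_TO_ROUTER))
```

Running it shows the router-originated packet passing untouched when the block sits in WAN_LOCAL and being dropped by WAN_OUT when it sits on the `out` hook, while the same established reply to the router is accepted by the stock WAN_LOCAL and dropped once the established/related rule is removed, which is the trade-off the last post describes.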