
You actually can't* use the firewall to prevent a USG or EdgeRouter from phoning home as the WAN_LOCAL rules only apply to inbound traffic.

* Possibly by some other combination of dropping Established/Related traffic. I think that'll get gnarly for the instances where WAN_LOCAL traffic is needed -- VPN, connectivity checks for load balancing, etc.




“eth0_in affects traffic entering the ER on eth0 that gets forwarded to somewhere behind the ER

eth0_out affects traffic leaving the ER on eth0

eth0_local affects traffic that enters the ER on eth0 and is targeted directly at the ER itself (e.g. the webgui)”

In this case you would put the rule on eth0_out, not eth0_local.


Not sure what you're quoting, but you are misinterpreting it. The IN / OUT rulesets absolutely do not impact traffic that originated from or is destined to the router itself.

Just now I verified with the following partial ruleset on an EdgeRouter I have in production:

  set firewall name WAN_OUT default-action accept
  set firewall name WAN_OUT rule 300 action drop
  set firewall name WAN_OUT rule 300 description 'block 1.1.1.1'
  set firewall name WAN_OUT rule 300 destination address 1.1.1.1
  set firewall name WAN_OUT rule 300 protocol all
  set interfaces ethernet eth0 firewall out name WAN_OUT

Devices behind that ER can no longer communicate with 1.1.1.1, but the ER itself can.

The only way to filter traffic from the router would be to drop the standard "Allow Established / Related" rule from WAN_LOCAL, retain the default drop action, and make specific rules allow whatever the router should be permitted to communicate with. And that would still allow packets to escape the router -- for TCP the communications channel is effectively dead since the handshake can never complete, but it could blast out all the UDP it wants.
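A small model of the ruleset semantics the comment above describes, added here as an example that is not part of the thread or of Ubiquiti's software: it parses the quoted `set` commands and reports which ruleset, if any, a flow is checked against. It assumes forwarded traffic is checked by the ingress interface's `in` ruleset and then the egress interface's `out` ruleset, traffic addressed to the router by the ingress `local` ruleset, and router-originated traffic by none; connection tracking (the Established/Related rule) is not modelled.

```python
# Constructed config (added example): the WAN_OUT ruleset quoted in the comment above.
CONFIG = """
set firewall name WAN_OUT default-action accept
set firewall name WAN_OUT rule 300 action drop
set firewall name WAN_OUT rule 300 description 'block 1.1.1.1'
set firewall name WAN_OUT rule 300 destination address 1.1.1.1
set firewall name WAN_OUT rule 300 protocol all
set interfaces ethernet eth0 firewall out name WAN_OUT
"""

def parse(config):
    rulesets, bindings = {}, {}  # name -> {default, rules}; (iface, dir) -> name
    for line in config.strip().splitlines():
        tok = line.split()
        if tok[:3] == ["set", "firewall", "name"]:
            rs = rulesets.setdefault(tok[3], {"default": "drop", "rules": {}})
            if tok[4] == "default-action":
                rs["default"] = tok[5]
            elif tok[4] == "rule":
                rule = rs["rules"].setdefault(int(tok[5]), {})
                if tok[6] == "action":
                    rule["action"] = tok[7]
                elif tok[6:8] == ["destination", "address"]:
                    rule["dst"] = tok[8]
                elif tok[6] == "protocol":
                    rule["proto"] = tok[7]
        elif tok[:3] == ["set", "interfaces", "ethernet"] and tok[4] == "firewall":
            bindings[(tok[3], tok[5])] = tok[7]  # ("eth0", "out") -> "WAN_OUT"
    return rulesets, bindings

def apply_ruleset(rulesets, name, dst, proto):
    rs = rulesets[name]
    for num in sorted(rs["rules"]):  # lowest-numbered matching rule wins
        rule = rs["rules"][num]
        if rule.get("dst", dst) == dst and rule.get("proto", "all") in ("all", proto):
            return rule["action"]
    return rs["default"]  # no rule matched: ruleset default action

def verdict(rulesets, bindings, in_if, out_if, dst, proto,
            router_originated=False, to_router=False):
    """(ruleset that dropped or None, action) for one flow through the router."""
    if router_originated:  # OUTPUT path: no in/out/local ruleset is attached here
        return None, "accept"
    # forwarded: ingress 'in' then egress 'out'; addressed to router: ingress 'local'
    hooks = [(in_if, "local")] if to_router else [(in_if, "in"), (out_if, "out")]
    for hook in hooks:
        name = bindings.get(hook)
        if name and apply_ruleset(rulesets, name, dst, proto) == "drop":
            return name, "drop"
    return None, "accept"
```

With the quoted config, a LAN host's flow to 1.1.1.1 leaving eth0 is dropped by WAN_OUT, while the same flow originated by the router is never checked, which is the observation in the comment.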



