Firewall does not accept REJECT

I have the default policy in the Network / Firewall / section set to DROP.

I changed to REJECT:


but Status / Firewall still shows DROP:


Via CLI: iptables -S also shows -P INPUT DROP

CLI command: iptables -P INPUT REJECT returns: iptables: Bad policy name. Run `dmesg' for more information.

iptables -P INPUT ACCEPT
iptables -P INPUT DROP
both work correctly.
Why does only REJECT not work?

Firewall and TO reboots completed.
Tested on TO 5.1.9


REJECT cannot be used as a chain policy.

http://lists.netfilter.org/pipermail/netfilter/2003-March/043187.html


Thanks for the clarification!
I thought my firewall was broken :wink:

But that means LuCI is misleading.
This is confusing and the REJECT option should not be visible in the settings :frowning:

Can I still ask you for help, where is the best place to add my own rules to block incoming traffic from the Internet?

I would like to add for example:
-A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j LOG
-A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP (or -j RETURN)

Should I add them to the main INPUT chain, or to input_rule, input_wan_rule or zone_wan_input?
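Two things in this thread are easy to get wrong when checking a router by hand: whether a chain policy is something iptables will actually accept (only ACCEPT and DROP, as the previous reply notes), and whether a custom chain such as input_wan_rule is really reachable from INPUT once rules are dropped into it. The following is an added example, not code from the thread or from OpenWrt; it parses the textual form of `iptables -S` and audits those two points. The sample ruleset is constructed here to resemble fw3's chain layout (input_rule and input_wan_rule hooked off INPUT and zone_wan_input) and is not captured from a real device.

```python
"""Audit `iptables -S` output: chain policies and placement of custom rules."""
import shlex

# Constructed sample modelled on fw3's layout; not captured from a real router.
SAMPLE_IPTABLES_S = """\
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N input_rule
-N input_wan_rule
-N zone_wan_input
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j input_rule
-A INPUT -i eth1 -j zone_wan_input
-A zone_wan_input -j input_wan_rule
-A input_wan_rule -p tcp ! --syn -m conntrack --ctstate NEW -j LOG --log-prefix "nonsyn: "
-A input_wan_rule -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
"""

# REJECT is a rule target, never a chain policy; iptables refuses it with
# "Bad policy name", which is exactly what the original poster saw.
VALID_POLICIES = {"ACCEPT", "DROP"}


def parse_rules(text):
    """Split `iptables -S` output into {chain: policy} and {chain: [rule args]}."""
    policies, rules = {}, {}
    for line in text.splitlines():
        parts = shlex.split(line)  # handles the quoted --log-prefix value
        if not parts:
            continue
        if parts[0] == "-P":              # -P CHAIN POLICY
            policies[parts[1]] = parts[2]
        elif parts[0] == "-N":            # -N CHAIN  (user-defined chain)
            rules.setdefault(parts[1], [])
        elif parts[0] == "-A":            # -A CHAIN <match args> -j TARGET
            rules.setdefault(parts[1], []).append(parts[2:])
    return policies, rules


def check_policies(policies):
    """Return (chain, policy) pairs whose policy iptables would not accept."""
    return [(c, p) for c, p in policies.items() if p not in VALID_POLICIES]


def find_non_syn_new(rules):
    """Locate the thread's '-p tcp ! --syn --ctstate NEW' rules, keyed by target.

    Returns {target: [chain, ...]} so the caller can see whether the LOG and
    DROP rules ended up in the same chain.
    """
    hits = {}
    for chain, chain_rules in rules.items():
        for args in chain_rules:
            if "!" in args and "--syn" in args and "NEW" in args and "-j" in args:
                target = args[args.index("-j") + 1]
                hits.setdefault(target, []).append(chain)
    return hits


def reaches_from_input(rules, chain):
    """True if a packet entering INPUT can be dispatched to `chain` by -j jumps."""
    seen, stack = set(), ["INPUT"]
    while stack:
        cur = stack.pop()
        if cur == chain:
            return True
        if cur in seen:
            continue
        seen.add(cur)
        for args in rules.get(cur, []):
            if "-j" in args:
                # Terminal targets (ACCEPT, DROP, LOG) have no rules and are ignored.
                stack.append(args[args.index("-j") + 1])
    return False


def audit(text):
    """Run all checks on one `iptables -S` dump and return a summary dict."""
    policies, rules = parse_rules(text)
    hits = find_non_syn_new(rules)
    return {
        "bad_policies": check_policies(policies),
        "non_syn_rules": hits,
        "reachable": {c: reaches_from_input(rules, c)
                      for chains in hits.values() for c in chains},
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_IPTABLES_S).items():
        print(f"{key}: {value}")
```

On a live router the dump would come from `iptables -S` itself; feeding that text to `audit()` reports any chain policy iptables would reject, where the non-SYN LOG/DROP rules landed, and whether that chain is actually hooked into INPUT.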

Why not stay with the equivalent:

config zone
    option name 'wan'
    list network 'wan'
    list network 'wan6'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'

Because:

  1. It was just an example and I want to make my -j LOG rules more detailed.
  2. I don’t want REJECT, I prefer DROP (prefer not to have to respond to floods of scans).
