Firewall does not accept REJECT

I have the default policy in the Network / Firewall / section set to DROP.

I changed to REJECT:


but Status / Firewall still shows DROP:


Via CLI: iptables -S also shows -P INPUT DROP

CLI command: iptables -P INPUT REJECT returns iptables: Bad policy name. Run dmesg 'for more information`

iptables -P INPUT ACCEPT
iptables -P INPUT DROP
works correctly
Why only REJECT doesn’t work?

Firewall and TO reboots completed.
Tested on TO 5.1.9

1 Like

reject can not be used as a chain policy.

1 Like

Thanks for the clarification!
I thought my firewall was broken :wink:

But that means LUCI is misleading.
This is confusing and the REJECT option should not be visible in the settings :frowning:

Can I still ask you for help, where is the best place to add my own rules to block incoming traffic from the Internet?

I would like to add for example:
-A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j LOG
-A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP (or -j RETURN)

Add to main chain INPUT or input_rule or input_wan_rule or to zone_wan_input ?

why not stay with the equivalent

config zone
    option name 'wan'
    list network 'wan'
    list network 'wan6'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'


  1. It was just an example and I want to make my -j LOG rules more detailed.
  2. I don’t want REJECT, I prefer DROP (prefer not to have to respond to floods of scans).

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.