NTP Server reachable, but firewall should reject - Works after reboot

Hi there,
i have a very basic question regarding the firewall.

I have a NTP Server running in my omnia. For my IoT Stuff i created a new interface IoT in a new Zone IoT.

This Zone has set
input und forward -> reject
output -> accept
forwardings -> none/reject
in firewall .

All changes were saved and applied.

The client in the IoT net can fetch time from NTP server on omnia. Why?
I have no further traffic rules for port 123. No custom rules either.

Now i restarted the omnia and the ntp requests are rejected as expected. How can that be possible? I noticed similar things in the past.