Reply To: Block acces from outside to management page

#52632

mountainman
Participant

I’m unclear on thie too.

ETH00 (192.168.0.75) is my WAN interface, ETH01 (192168.1.1) and ETH02 (192168.2.1) are the LAN side. I currently have the ETH00 of the ZS box connected to an upstream wifi router on the 192.168.0.xxx subnet, and another wifi AP connected to ETH01. This is for testing; ultimately ETH00 will be connected directly to a satellite modem at another location.

I created 3 firewall rules:

1 	ETH01 	* 	ACCEPT all opt -- in ETH01 out * 0.0.0.0/0 -> 0.0.0.0/0 	no
2 ETH02 * ACCEPT all opt -- in ETH02 out * 0.0.0.0/0 -> 0.0.0.0/0 no
3 * * ACCEPT all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 state RELATED,ESTABLISHED

Then, I set the INPUT chain to “DROP” (OUTPUT and FORWARD are still “ACCEPT”). As I understand it, this should block any unsolicited connection from the ETH00 interface. I should be able to connect to the ZS admin via ETH01 and I can, but if I connect to the upstream router, it should block access… but it doesn’t.

What am I doing wrong?