Reply To: Block access from outside to management page



I’m unclear on this too.

ETH00 ( is my WAN interface, ETH01 (192.168.1.1) and ETH02 (192.168.2.1) are the LAN side. I currently have the ETH00 of the ZS box connected to an upstream wifi router on the subnet, and another wifi AP connected to ETH01. This is for testing; ultimately ETH00 will be connected directly to a satellite modem at another location.

I created 3 firewall rules:

1 ETH01 * ACCEPT all opt -- in ETH01 out * -> no
2 ETH02 * ACCEPT all opt -- in ETH02 out * -> no
3 * * ACCEPT all opt -- in * out * -> state RELATED,ESTABLISHED

Then, I set the INPUT chain to “DROP” (OUTPUT and FORWARD are still “ACCEPT”). As I understand it, this should block any unsolicited connection from the ETH00 interface. I should be able to connect to the ZS admin via ETH01 and I can, but if I connect to the upstream router, it should block access… but it doesn’t.

What am I doing wrong?