I have eth1 on the public side.
Default rule: allow.
I set the forward rule to reject level 7 http.
HTTP is rejected.
I set the forward rule to accept level 7 http.
I set the forward default rule to drop.
HTTP stops working.
I did all of the above several times to confirm, and also repeated it using port 80 instead of level 7 http, with the same results.
Why, when I have the forward default rule set to drop, does level 7 http not work when the rule is set to accept?
L7 filters use connection tracking to classify the traffic and usually need more than one packet to recognize the protocol. For this reason you should not use a Layer 7 filter with the target ACCEPT if the default policy is DROP. In other words, L7 filters work better in QoS classification than in firewall rules.
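To make the mechanism in that answer concrete, here is a small Python model of an l7-filter style classifier sitting in front of a forward chain. It is an added illustration, not code from the thread or from any firewall product, and it makes two labelled assumptions: the "http" signature matches the server's response (status line plus a common header), as the l7-filter http pattern does, and a dropped first packet leaves no connection-tracking state behind. The hosts, ports and payloads are constructed sample data. It runs the same HTTP exchange through four rule sets: the reject-under-default-ACCEPT setup that works, the accept-under-default-DROP setup that does not, a stateless port 80 accept, and the stateful port-based accept you would normally use instead of an L7 ACCEPT rule.

```python
"""Toy model of an l7-filter style classifier in front of a FORWARD chain.

Added illustration, not code from the forum thread or from any firewall.
Assumption: the "http" signature matches the *server response* (status line
plus a header), as the l7-filter http pattern does, so a flow can only be
recognised after request AND response have both been inspected.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed signature: "HTTP/1.x <status> <reason>" followed by one of a few
# common headers. Nothing in the client's first packet matches it.
L7_PATTERNS = {
    "http": re.compile(
        rb"http/1\.[01] [1-5]\d\d [^\r\n]*\r\n(?:[^\r\n]*\r\n)*?"
        rb"(?:content-type|content-length|connection):", re.I),
}

@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""

@dataclass
class Conn:
    buffer: bytes = b""
    l7proto: str = "unknown"   # set once a pattern matches, then kept

@dataclass
class Rule:
    action: str                       # "ACCEPT", "DROP" or "REJECT"
    l7proto: Optional[str] = None     # like  -m layer7 --l7proto http
    dport: Optional[int] = None       # like  -p tcp --dport 80
    established: bool = False         # like  -m conntrack --ctstate ESTABLISHED

def flow_key(p: Packet):
    """Direction-independent key so both halves of the exchange share one entry."""
    return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))

class Firewall:
    def __init__(self, rules: List[Rule], policy: str):
        self.rules = rules
        self.policy = policy               # chain default: "ACCEPT" or "DROP"
        self.conntrack: Dict[tuple, Conn] = {}   # flows whose first packet was accepted

    def handle(self, p: Packet) -> str:
        key = flow_key(p)
        established = key in self.conntrack
        conn = self.conntrack.get(key, Conn())
        # The classifier is fed every packet it evaluates, but it can only
        # decide once enough payload has accumulated across packets.
        conn.buffer += p.payload
        if conn.l7proto == "unknown":
            for name, pat in L7_PATTERNS.items():
                if pat.search(conn.buffer):
                    conn.l7proto = name
        verdict = self.policy
        for r in self.rules:               # first matching rule wins
            if r.l7proto is not None and conn.l7proto != r.l7proto:
                continue
            if r.dport is not None and p.dport != r.dport:
                continue
            if r.established and not established:
                continue
            verdict = r.action
            break
        if verdict == "ACCEPT":
            self.conntrack[key] = conn     # assumption: dropped first packet leaves no state
        return verdict

# Constructed sample exchange between a LAN client and a web server.
CLIENT, SERVER = ("10.0.0.5", 51515), ("203.0.113.10", 80)
REQUEST = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 5\r\n\r\nhello"

def run_exchange(fw: Firewall) -> List[str]:
    """Request, then the response only if the request got through, then a
    second request on the same connection. Returns the verdict per packet."""
    verdicts = [fw.handle(Packet(*CLIENT, *SERVER, REQUEST))]
    if verdicts[-1] != "ACCEPT":
        return verdicts                    # the server never saw the request
    verdicts.append(fw.handle(Packet(*SERVER, *CLIENT, RESPONSE)))
    if verdicts[-1] != "ACCEPT":
        return verdicts
    verdicts.append(fw.handle(Packet(*CLIENT, *SERVER, REQUEST)))
    return verdicts

def build_scenarios() -> Dict[str, Firewall]:
    return {
        # The setup the question reports as working: default ACCEPT, L7 rule REJECT.
        "policy ACCEPT + L7 http REJECT": Firewall([Rule("REJECT", l7proto="http")], "ACCEPT"),
        # The setup the question reports as failing: default DROP, L7 rule ACCEPT.
        "policy DROP + L7 http ACCEPT": Firewall([Rule("ACCEPT", l7proto="http")], "DROP"),
        # Stateless port accept: the reply packet is addressed to the client's port.
        "policy DROP + dport 80 ACCEPT": Firewall([Rule("ACCEPT", dport=80)], "DROP"),
        # Stateful accept plus a port rule: the usual replacement for an L7 ACCEPT.
        "policy DROP + ESTABLISHED ACCEPT + dport 80 ACCEPT":
            Firewall([Rule("ACCEPT", established=True), Rule("ACCEPT", dport=80)], "DROP"),
    }

def results() -> Dict[str, List[str]]:
    return {name: run_exchange(fw) for name, fw in build_scenarios().items()}

if __name__ == "__main__":
    for name, verdicts in results().items():
        print(f"{name:52} -> {verdicts}")
```

In the second scenario the client's first packet is evaluated while the flow is still "unknown", so the only rule does not match, the default policy drops it, and the response that would have completed the classification never arrives. The L7 match is useful in the opposite direction (REJECT or DROP under a permissive default) or as a mangle/QoS mark applied once the flow has been recognised, which is the answer's point.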