NOT type of firewall rule

Status: New Idea



Current USG offers drop/accept/reject configurations. How about allowing a rule category which is of NOT type. Example:


- Reject all packets NOT destined for Open DNS servers using DNS port 53.

- Reject all packets NOT destined for XXX SMTP server using SMTP port XXX.


on 09-16-2018 11:50 AM

I think this isn't fully thought through.


Those two examples would mean that e.g. any HTTP traffic would be rejected (as it qualifies as "not destined for Open DNS servers using DNS port 53").

What you probably meant was that port 53 is rejected unless it is destined for a certain opendns server?

Then what would "reject all packets not destined to outlook.com servers port 443" mean? Only allow https connections to outlook.com and no other servers? Or allow outlook.com connections to only use port 443? How would the router know which of the two you meant?


Just do as we did before, split it into two rules:

rule N: Allow port 53 to server x

rule N+1: Reject port 53

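The two-rule split above, worked through as an added example (not code from the thread or from Ubiquiti): a small first-match evaluator that processes a ruleset the way a USG ruleset such as LAN_IN is walked top to bottom, with the "server x" of rule N filled in with OpenDNS's public resolver addresses (an assumption, not from the thread) and a default action of accept for unmatched traffic (also an assumption). It also evaluates the proposal as literally worded, to show why a single NOT rule rejects unrelated traffic such as HTTPS while the allow/reject pair does not.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# OpenDNS public resolvers (assumed "server x"; not given in the thread)
OPENDNS = (ip_network("208.67.222.222/32"), ip_network("208.67.220.220/32"))


@dataclass(frozen=True)
class Packet:
    dst: str      # destination IP
    dport: int    # destination port


@dataclass(frozen=True)
class Rule:
    action: str                  # "accept" | "drop" | "reject"
    dport: Optional[int] = None  # None = any port
    dst: Tuple = ()              # tuple of ip_network; empty = any host

    def matches(self, p: Packet) -> bool:
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.dst and not any(ip_address(p.dst) in n for n in self.dst):
            return False
        return True


def evaluate(rules, pkt: Packet, default: str = "accept") -> str:
    """First matching rule wins; unmatched traffic gets the ruleset default."""
    for r in rules:
        if r.matches(pkt):
            return r.action
    return default


# rule N: allow port 53 to OpenDNS; rule N+1: reject port 53 to anything else
LAN_IN = [Rule("accept", dport=53, dst=OPENDNS), Rule("reject", dport=53)]


def literal_not_rule(pkt: Packet) -> str:
    """The proposal as worded: reject everything NOT (OpenDNS AND port 53)."""
    ok = pkt.dport == 53 and any(ip_address(pkt.dst) in n for n in OPENDNS)
    return "accept" if ok else "reject"


if __name__ == "__main__":
    for p in (Packet("208.67.222.222", 53), Packet("8.8.8.8", 53), Packet("93.184.216.34", 443)):
        print(p, "two rules:", evaluate(LAN_IN, p), "| NOT rule:", literal_not_rule(p))
```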

on 09-16-2018 06:25 PM

@Alestrix : Thank you! Question: should the 2 rules be in LAN_IN or LAN_LOCAL?

on 09-17-2018 07:26 AM

I use the zone-based firewall configuration, so I'm a bit rusty regarding the answer to your question. You might have to add it to both:

- to LAN_LOCAL to prevent the router's DNS server from being used by the client

- to LAN_IN for all other DNS query destinations

on 09-17-2018 11:09 AM

This doesn't work.

If I set it in my smartphone like that, it happily connects.


I have in NETWORK = WAN, setup Open DNS

I have in NETWORK = GUEST, setup: Open DNS, guarding

I have in GUEST IN = Allow connection to Open DNS against DNS port

I have in GUEST LOCAL = Drop connections from ANY to ANY using DNS port.


Nothing working. I tried moving both the allow and reject into GUEST IN : Nope. GUEST_LOCAL: Nope.