From: Andris PE <neandris@gmail.com>
Date: Thu, 29 Feb 2024 14:17:03 +0000 (+0200)
Subject: config: drop to-be-forwarded-nowhere packets on wans
X-Git-Url: http://git.openwrt.org/%22https:/collectd.org//%22http:/www.crowdsec.net/%22/%22https:/collectd.org/%22http:/www.crowdsec.net/%22?a=commitdiff_plain;h=97962771aa3c490d6186e64015f85dd66254fdf0;p=project%2Ffirewall4.git

config: drop to-be-forwarded-nowhere packets on wans

Dropping packets with no clear forward destination is nicer than rejecting
them. Especially when some providers punish users for spoofing caused by
their noisy infra.

Fixes: https://github.com/openwrt/openwrt/issues/13340
Signed-Off-By: Andris PE <neandris@gmail.com>
---

diff --git a/root/etc/config/firewall b/root/etc/config/firewall
index d78a00c..48b2440 100644
--- a/root/etc/config/firewall
+++ b/root/etc/config/firewall
@@ -19,7 +19,7 @@ config zone
 	list   network		'wan6'
 	option input		REJECT
 	option output		ACCEPT
-	option forward		REJECT
+	option forward		DROP
 	option masq		1
 	option mtu_fix		1