Topic: Why does this rule allow access to the trust address? (Read 178 times)
August8828 (Newbie, Posts: 46, Karma: 0)
Why does this rule allow access to the trust address?
on: October 17, 2024, 07:41:15 am
Good morning,
I'm currently playing around with my rules. I've found a video by Homenetworkguy, who suggests one single rule to allow internet access while blocking traffic to all private networks at the same time. So therefore you do not need to create a block rule which blocks traffic to private addresses while needing an allow rule to allow internet traffic.
You can find my rule in the attachments below.
I wonder why this allows access to the trust address, whether it's ping or GUI access. It shouldn't, since the second rule denies ALL traffic to public IP addresses and the rule is above the third rule. Any ideas? The only way to fix this is to create a block rule which denies traffic to all private networks and build a second one which allows internet access, which I do not want because this means I need to create two rules instead of one.
Patrick M. Hausen (Hero Member, Posts: 6807, Karma: 572)
Re: Why does this rule allow access to the trust address?
Reply #1 on: October 17, 2024, 07:44:23 am
The second rule does not deny anything. It only does not match if the destination is in the private networks. Then the third rule is evaluated, matches, and allows.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do.
(Isaac Asimov)
August8828 (Newbie, Posts: 46, Karma: 0)
Re: Why does this rule allow access to the trust address?
Reply #2 on: October 17, 2024, 07:49:02 am
So basically building it like the third rule is kinda useless, isn't it? There's a risk of giving access to resources you do not want to give. Would you rather suggest going the approach with two rules then and a block rule to private addresses?
Patrick M. Hausen (Hero Member, Posts: 6807, Karma: 572)
Re: Why does this rule allow access to the trust address?
Reply #3 on: October 17, 2024, 08:25:14 am
If you limit that third rule to ICMP only I guess it works as intended?
The destination invert for private networks only makes sense if followed by some deny rule eventually. Can be explicit or the default "deny all" at the end of the rule set.
If followed by an "allow all" rule it's pretty useless.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do.
(Isaac Asimov)
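
Added example, not part of the original thread: a small first-match rule evaluator showing why a pass rule with an inverted private-network destination blocks nothing by itself, and how the rule that follows it decides the outcome. The rule sets, labels and addresses are constructed (the poster's attachment is not shown), RFC 1918 ranges stand in for the "private networks" alias, and first-match evaluation with a final default deny is assumed.

```python
import ipaddress
from dataclasses import dataclass

# RFC 1918 ranges, standing in for the "private networks" alias (assumption).
PRIVATE = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass
class Rule:
    action: str            # "pass" or "block"
    label: str
    proto: str = "any"     # "any", "tcp", "icmp", ...
    dst: str = "any"       # "any" or "private"
    invert: bool = False   # the "destination invert" checkbox

    def matches(self, proto: str, dst_ip: str) -> bool:
        if self.proto not in ("any", proto):
            return False
        if self.dst == "any":
            return True
        in_private = any(ipaddress.ip_address(dst_ip) in n for n in PRIVATE)
        # Inverted: matches only destinations OUTSIDE the private ranges.
        # A non-match is not a block; evaluation moves to the next rule.
        return in_private != self.invert

def evaluate(rules, proto, dst_ip):
    """First matching rule decides; no match at all hits the default deny."""
    for rule in rules:
        if rule.matches(proto, dst_ip):
            return rule.action, rule.label
    return "block", "default deny"

# Constructed rule sets, modelled on the thread (the attachment is not shown).
INTERNET_ONLY = Rule("pass", "pass to !private", dst="private", invert=True)
AS_POSTED = [INTERNET_ONLY, Rule("pass", "pass any")]
ICMP_LIMITED = [INTERNET_ONLY, Rule("pass", "pass icmp", proto="icmp")]
SINGLE_RULE = [INTERNET_ONLY]

if __name__ == "__main__":
    trust, public = "192.168.1.1", "203.0.113.10"   # constructed addresses
    for name, rules in (("as posted", AS_POSTED), ("icmp-limited", ICMP_LIMITED),
                        ("single rule", SINGLE_RULE)):
        for proto, dst_ip in (("tcp", trust), ("icmp", trust), ("tcp", public)):
            print(f"{name:12} {proto:4} -> {dst_ip:13}", evaluate(rules, proto, dst_ip))
```

In the output, the label next to each verdict names the rule that actually decided it, which is the quickest way to see that traffic to the trust address is passed by the following allow rule and not by the inverted one.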