LAN-OPT1 stateful IN rules and "let out anything from firewall host itself" OUT

Started by mirek186, October 23, 2020, 07:52:14 AM

Hi,

I'm probably missing something here. Could someone explain to me what the reason is behind the floating rule "let out anything from firewall host itself", which you can't disable, please?
e.g. I have a rule
pass in log quick on LAN proto tcp from any to OPT1 port = ssh keep state
and in the Live View I can see the IN rule is matched, and then the next entry is a match for "rule let out anything from firewall host itself". It's all working, the LAN host is allowed to ssh, but I thought "keep state" should take care of the OUT rule and you shouldn't have to have an explicit OUT any any rule from the firewall itself.
I did a small test and removed the automated rule from /usr/local/etc/inc/filter.lib.inc, rebooted, verified the floating rule is no longer there, and my SSH rule is still working, which I think confirms the stateful rule is working correctly.
```php
    $fw->registerFilterRule(
        5,
        array('direction' => 'out', 'statetype' => 'keep', 'allowopts' => true,
        'quick' => false, "descr" => "let out anything from firewall host itself"),
        $defaults['pass']
    );
```


I'm pretty sure the rule is there for a reason, but I couldn't find in the documentation what that rule is for. Could someone explain to me why it's there and why it's the one you can't disable? I think it does eat up a few CPU cycles, as you keep the IN rule state and you also match the OUT rule, am I right?

Thanks
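The following is an added illustration for this thread, not code from OPNsense, pf, or the poster. It is a toy model of pf's stateful evaluation order that separates the two cases the post runs together: the reply to an inbound connection (the SSH test above), which is matched by the state table before any rule is consulted, and a packet the firewall host originates itself (here, an outbound DNS query), for which no inbound rule ever created a state and which therefore needs an OUT pass rule. Assumptions baked into the model: states are floating (direction- and interface-agnostic), last match wins unless a rule is `quick`, an explicit catch-all block stands in for a default-deny policy, the string `"(self)"` stands in for pf's (self) table of the firewall's own addresses, and every address and port is a constructed documentation value.

```python
"""Toy model of pf's stateful evaluation order (added example, not pf/OPNsense code).

Assumed simplifications:
  * the state table is consulted before the ruleset, and a state created by a
    'keep state' rule is floating (matches either direction on any interface);
  * rules are evaluated top to bottom, last match wins unless a rule is 'quick';
  * an explicit catch-all block rule stands in for a default-deny policy, and
    SELF stands in for pf's (self) table of the firewall's own addresses.
All addresses are constructed documentation values.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

FW_ADDRS = {"192.0.2.1", "198.51.100.1", "203.0.113.2"}  # LAN, OPT1, WAN (constructed)
SELF = "(self)"


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" or "out"
    iface: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Rule:
    action: str                      # "pass" or "block"
    descr: str
    direction: Optional[str] = None  # None = floating (either direction)
    iface: Optional[str] = None
    proto: Optional[str] = None
    src: Optional[str] = None        # SELF matches any firewall address
    dst: Optional[str] = None
    dport: Optional[int] = None
    quick: bool = False
    keep_state: bool = False

    def matches(self, p: Packet) -> bool:
        if self.src == SELF:
            if p.src not in FW_ADDRS:
                return False
        elif self.src is not None and self.src != p.src:
            return False
        for attr in ("direction", "iface", "proto", "dst", "dport"):
            want = getattr(self, attr)
            if want is not None and want != getattr(p, attr):
                return False
        return True


class Firewall:
    def __init__(self, rules):
        self.rules = list(rules)
        self.states = set()

    @staticmethod
    def _state_key(p: Packet):
        # Direction-agnostic key so the reply hits the same state entry.
        return (p.proto, frozenset({(p.src, p.sport), (p.dst, p.dport)}))

    def filter(self, p: Packet) -> Tuple[str, str]:
        """Return (verdict, what decided it): an existing state or a rule descr."""
        if self._state_key(p) in self.states:
            return "pass", "state"
        winner = None
        for rule in self.rules:
            if rule.matches(p):
                winner = rule
                if rule.quick:
                    break
        if winner is None:
            return "pass", "no rule matched"
        if winner.action == "pass" and winner.keep_state:
            self.states.add(self._state_key(p))
        return winner.action, winner.descr


def build_firewall(with_self_out_rule: bool) -> Firewall:
    rules = [
        Rule("block", "default deny"),
        Rule("pass", "LAN to OPT1 ssh", direction="in", iface="lan", proto="tcp",
             dst="198.51.100.1", dport=22, quick=True, keep_state=True),
    ]
    if with_self_out_rule:
        rules.append(Rule("pass", "let out anything from firewall host itself",
                          direction="out", src=SELF, keep_state=True))
    return Firewall(rules)


def ssh_to_firewall(fw: Firewall):
    """LAN host opens SSH to the OPT1 address: verdicts for the SYN and the SYN-ACK."""
    syn = Packet("in", "lan", "tcp", "192.0.2.10", 51234, "198.51.100.1", 22)
    synack = Packet("out", "lan", "tcp", "198.51.100.1", 22, "192.0.2.10", 51234)
    return fw.filter(syn), fw.filter(synack)


def firewall_dns_query(fw: Firewall):
    """The firewall itself sends a DNS query out WAN; no inbound rule created a state."""
    query = Packet("out", "wan", "udp", "203.0.113.2", 40000, "203.0.113.53", 53)
    return fw.filter(query)


if __name__ == "__main__":
    for with_rule in (True, False):
        fw = build_firewall(with_rule)
        print("self-out rule present:", with_rule)
        print("  ssh:", ssh_to_firewall(fw))
        print("  dns:", firewall_dns_query(fw))
```

In this model the SSH reply passes via "state" whether or not the self-out rule exists, which is consistent with the removal test described in the post; the firewall's own DNS query is the case that changes, passing only when the self-out rule is present and otherwise falling to the catch-all block. Whether a given OPNsense build has an equivalent default block for outbound host traffic is not something this model establishes; it only shows why a stateful inbound rule cannot cover locally originated connections.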