Anti-Lockout Rule (Destination NAT) -> open ports external?

[RamSense]

Found it! Some little bug. Thanks Patrick.
Your simple "there must be some rule allowing this" made me wonder if the deleting of the old rules has done its job or not.

And there I went through the old interface rules and there was one rule left on WAN! So the delete all (old)rules with [Remove all legacy rules] in the wizard, did not do it all. Maybe a bug there? The wizard forgot to remove one by rather just adding an important one you do not want to have!

IPv4+6 *    *    *    *    *    *    *           

[meyergru]

Actually, that was not a "little" bug. But did that rule come out of the blue or was it present before?

Because you obviously have used the migration assistant, you should be able to look at the rules before the migration.

This would be helpful to tell if there is a potential "HUGE" bug or just a misconfiguration on your part.

[Patrick M. Hausen]

I had a rule exactly like this for interface "enc0" in my export which I needed to delete manually before migrating. No idea what the cause of this might be atm.

[RamSense]

I have my imported CSV list still here and looked through them. There is no allow all rule there.
Since I have all the rules with a description it was easy to see that there was none without one like the screen capture above.
When searching for WAN I did not find an allow all rule.

Maybe you can replicate this also for this out of the blue rule.

[OPNenthu]

I had a rule exactly like this for interface "enc0" in my export which I needed to delete manually before migrating. No idea what the cause of this might be atm.

Related? https://forum.opnsense.org/index.php?topic=50591.0