DrayTek UK Users' Community Forum
Help, Advice and Solutions from DrayTek Users
2860 Stateful Packet Inspection
12 Nov 2018 23:59 #93354
by hornbyp
Why would I need to add a specific Firewall Rule to allow a response in, from a connection that's still visible in the "NAT Active Sessions Table"?
If a device on my network sends data to a remote system and expects a reply, I would only expect the response to be seen as "unsolicited" (and subject to the Firewall Rules), if the connection had timed out.
The device in question is a Netatmo 'Smart' Thermostat, which is on my I.O.T. VLAN (heavily firewalled from the rest of my network). It communicates with Netatmo H.Q. using TCP Port 25050.
My first Firewall Rule is "Block if no further match" - for all addresses, all protocols. Further Rules in that Filter Set allow in SMTP, (some) DNS, WEB etc. (matching the NAT Open Port config.). Without an additional rule for the Netatmo, the first rule occasionally triggers. (The Netatmo thermostat doesn't seem to know/care about this - so I don't know how important this data is...)
You could argue that I don't need this D.I.Y. Default Rule (because NAT effectively does the same job), but I want to be quite selective about DNS - since I seem to have been unwittingly participating in DNS Reflection attacks.
Code:
NAT Active Session Table (abbreviated!)
192.168.5.1 55530 55594 62.210.177.194 25050 WAN2
Adding a specific rule for this traffic allows it in (and stops Rule 1 triggering instead):
Code:
[FILTER][Pass][WAN->LAN/RT/VPN, 99:11:45 ][@S:R=1:5, 62.210.177.194:25050->192.168.5.1:55530][TCP][HLen=20, TLen=40, Flag=A, Seq=846171384, Ack=469110721, Win=29200]
(Where 192.168.5.1 is the Netatmo Thermostat and 62.210.177.194 is Netatmo H.Q.)
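As an added illustration (not from the original post, and not DrayTek's own tooling), the following Python script parses the two formats quoted in the post, the abbreviated NAT Active Session Table rows and the syslog [FILTER] lines, and flags filter-rule hits whose source/destination pair is the reverse of an active NAT session, i.e. replies to LAN-initiated traffic that a stateful engine would normally pass without consulting the rule set. Running this over a syslog export is one way to measure how often the catch-all rule fires on session traffic, and for which devices, before deciding whether a per-device rule is worth adding. The NAT row column order (private IP, private port, pseudo port, peer IP, peer port, WAN interface) and the reading of @S:R=set:rule are my assumptions from the single row and line in the post; all sample lines except the post's own [FILTER] line are constructed.

```python
import re
from dataclasses import dataclass

# Constructed sample data modelled on the two snippets in the post (not real captures).
# NAT Active Session Table rows, assumed column order:
#   private IP, private port, pseudo (WAN) port, peer IP, peer port, WAN interface
NAT_TABLE = """\
192.168.5.1 55530 55594 62.210.177.194 25050 WAN2
192.168.5.1 55531 55595 62.210.177.194 25050 WAN2
"""

# Syslog [FILTER] lines in the shape quoted in the post. The first is the post's own
# line; the other two are constructed: a reply blocked by the catch-all rule 1:1, and an
# unrelated inbound UDP packet that has no matching session.
FILTER_LOG = """\
[FILTER][Pass][WAN->LAN/RT/VPN, 99:11:45 ][@S:R=1:5, 62.210.177.194:25050->192.168.5.1:55530][TCP][HLen=20, TLen=40, Flag=A, Seq=846171384, Ack=469110721, Win=29200]
[FILTER][Block][WAN->LAN/RT/VPN, 99:12:01 ][@S:R=1:1, 62.210.177.194:25050->192.168.5.1:55531][TCP][HLen=20, TLen=40, Flag=A, Seq=1, Ack=1, Win=29200]
[FILTER][Block][WAN->LAN/RT/VPN, 99:12:05 ][@S:R=1:1, 203.0.113.9:53->192.168.5.1:40000][UDP][Len=60]
"""


@dataclass(frozen=True)
class NatSession:
    private_ip: str
    private_port: int
    pseudo_port: int   # port as seen on the WAN side after translation (assumed)
    peer_ip: str
    peer_port: int
    wan: str


@dataclass(frozen=True)
class FilterEvent:
    action: str        # Pass / Block
    direction: str     # e.g. WAN->LAN/RT/VPN
    uptime: str        # router uptime stamp as printed in the line
    filter_set: int    # assumed reading of @S:R=set:rule
    rule: int
    src: str
    sport: int
    dst: str
    dport: int
    proto: str


FILTER_RE = re.compile(
    r"\[FILTER\]\[(?P<action>\w+)\]"
    r"\[(?P<direction>[^,\]]+),\s*(?P<uptime>[^\]]+?)\s*\]"
    r"\[@S:R=(?P<fset>\d+):(?P<rule>\d+),\s*"
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)\]"
    r"\[(?P<proto>\w+)\]"
)


def parse_nat_table(text: str) -> list[NatSession]:
    """Parse abbreviated NAT Active Session Table rows; blank or malformed rows are skipped."""
    sessions = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        sessions.append(NatSession(parts[0], int(parts[1]), int(parts[2]),
                                   parts[3], int(parts[4]), parts[5]))
    return sessions


def parse_filter_log(text: str) -> list[FilterEvent]:
    """Parse DrayTek-style [FILTER] syslog lines; lines that do not match are ignored."""
    events = []
    for line in text.splitlines():
        m = FILTER_RE.match(line.strip())
        if not m:
            continue
        events.append(FilterEvent(
            m["action"], m["direction"], m["uptime"], int(m["fset"]), int(m["rule"]),
            m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["proto"]))
    return events


def find_session_hits(events, sessions):
    """Return (event, session) pairs for inbound filter events whose addresses are the
    reverse of an active NAT session, i.e. replies to traffic the LAN initiated.
    The post's log line shows the LAN side already un-NATed (private port 55530, not
    pseudo port 55594), so the match is made on the private port."""
    reply_index = {(s.peer_ip, s.peer_port, s.private_ip, s.private_port): s
                   for s in sessions}
    hits = []
    for e in events:
        if not e.direction.startswith("WAN->"):
            continue
        s = reply_index.get((e.src, e.sport, e.dst, e.dport))
        if s is not None:
            hits.append((e, s))
    return hits


if __name__ == "__main__":
    sessions = parse_nat_table(NAT_TABLE)
    for event, session in find_session_hits(parse_filter_log(FILTER_LOG), sessions):
        print(f"{event.action:5} rule {event.filter_set}:{event.rule} hit reply for "
              f"{session.private_ip}:{session.private_port} -> "
              f"{session.peer_ip}:{session.peer_port} via {session.wan}")
```

A Block hit in the output is the case the post describes: the reply belongs to a session the router itself lists as active, yet the catch-all rule was consulted and dropped it. Pass hits show which per-device rule is absorbing that traffic instead.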
Copyright © 2024 DrayTek