Out of the box, your Opengear device runs a stateful netfilter/iptables firewall with a default deny input policy. A firewall ruleset is automatically built and installed based on enabled features and per-interface service access policy.
At a high level, per-interface access through the firewall is configured under System -> Services -> Service Access. You may also use custom firewall rules under System -> Firewall -> Firewall Rules for more granular control, e.g. to restrict connections to those originating from a trusted source network.
Rule order is important as packets fall through the firewall chains top to bottom, until they hit a matching rule that allows or blocks.
Custom Firewall Rules are inserted before system rules and Service Access rules. It is important that you do not manually add a custom "block all" rule as this will break connection tracking (system rule) and impair functionality.
Moreover, the input policy ends with a "block all" rule by default, so the solution is to disable Service Access rules so that they are not matched and unwanted packets fall through to the default "block all" rule.
The configured firewall ruleset in iptables-restore format is available in the filesystem at /etc/config/fw.rules (IPv4) and /etc/config/fwipv6.rules (IPv6).
You can also view rules with the standard iptables commands:
iptables -t filter -L -v
iptables -t mangle -L -v
iptables -t nat -L -v
ip6tables -t filter -L -v
ip6tables -t mangle -L -v
Custom iptables commands
Advanced users may install persistent rules using arbitrary iptables commands by adding them to the /etc/config/scripts/firewall-post file. This is a shell script that is run after fw*.rules are installed.
Here's an IPv4 example to silently DROP packets instead of sending back a RST reply (default behaviour). This does make it harder to debug connectivity issues so use it carefully.
As the root user, run these commands to replace the Block rule with DROP.
echo "iptables -D INPUT -j Block" >> /etc/config/scripts/firewall-post
echo "iptables -A INPUT -j DROP" >> /etc/config/scripts/firewall-post
Once that's done, display the rules and make sure the last rule is DROP.
iptables -L INPUT
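The rule-order points above (no custom "block all" ahead of the connection tracking rule, and a chain that ends in Block or DROP) can be checked mechanically against an iptables-restore format file such as /etc/config/fw.rules. The following is an added example, not Opengear's code: the function names audit_input and sample_rules are hypothetical, the sample ruleset is constructed, and the script assumes the connection tracking rule is an ACCEPT rule matching the ESTABLISHED state.

```shell
#!/bin/sh
# Added example: audit the filter/INPUT chain of an iptables-restore file.
# Usage: audit_input /etc/config/fw.rules   (returns 0 if clean, 1 if not)
audit_input() {
    awk '
    /^\*/ { table = substr($0, 2) }          # "*filter" opens a table section
    table == "filter" && $1 == "-A" && $2 == "INPUT" {
        n++; rule[n] = $0; tgt[n] = ""
        for (i = 3; i < NF; i++) if ($i == "-j") tgt[n] = $(i + 1)
        # Unconditional block: nothing but "-A INPUT -j TARGET"
        all[n] = (NF == 4 && $3 == "-j" && tgt[n] ~ /^(DROP|REJECT|Block)$/)
        # Assumption: conntrack is a state/ctstate ESTABLISHED accept rule
        if (!ct && tgt[n] == "ACCEPT" && $0 ~ /--(ct)?state [A-Z,]*ESTABLISHED/)
            ct = n
    }
    END {
        if (n == 0) { print "FAIL: no filter INPUT rules found"; exit 1 }
        for (i = 1; i < n; i++) if (all[i]) {
            bad = 1
            print "FAIL: rule " i " blocks all traffic mid-chain: " rule[i]
            if (!ct || i < ct) print "      it shadows connection tracking"
        }
        if (!ct) { bad = 1; print "FAIL: no ESTABLISHED accept rule" }
        if (all[n]) print "OK: chain ends with " tgt[n]
        else { bad = 1; print "FAIL: last rule is not a block-all: " rule[n] }
        exit bad + 0
    }' "$1"
}

# Constructed sample ruleset (not copied from a device). Pass "broken" as $1
# to prepend a custom block-all rule ahead of the connection tracking rule;
# $2 sets the final target (default: Block).
sample_rules() {
    echo "*filter"
    echo ":INPUT DROP [0:0]"
    if [ "$1" = "broken" ]; then echo "-A INPUT -j DROP"; fi
    echo "-A INPUT -s 192.0.2.0/24 -p tcp --dport 22 -j ACCEPT"
    echo "-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT"
    echo "-A INPUT -i lo -j ACCEPT"
    echo "-A INPUT -j ${2:-Block}"
    echo "COMMIT"
}
```

Changes made by firewall-post are applied after fw*.rules are installed, so they do not appear in /etc/config/fw.rules; to audit the running ruleset, save it in the same format first (for example with iptables-save, if it is present on the device) and pass that file to the function.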