admin wrote:
it appears to be wide open with no rules in place
I'm not sure that's the case; why do you think that ?
To explain my configuration, I have a DNS server currently sitting behind IPv4 NAT (which provides me with sufficient firewall/stealthing for that), and some LAN->WAN rules to prevent the DNS behind bypassed (amongst other things).
I have now added a 6in4 tunnel and have added a couple of new rules. The first rule is supposed to allow just incoming port 53 (and is "pass immediately"). The second rule blocks the entire "/64" prefix/subnet, and is "block immediately". The DNS server is also running SSH. If I disable these rules and do an online port scan, the SSH port shows up. If I enable these rules and do a port scan, nothing gets through. Hence my observed conclusions that without the rules it is letting everything through, and that it's taking no notice of the "pass", and just doing the "block".
I've tried changing the order so that the block is first (set to "block if no further match"), and the end result is the same. I've also tried changing the interface from "WAN" to LAN/RT/VPN", in case the 6in4 tunnel doesn't count as "WAN"; however, if I do that the block firewall rules don't seem to be applied at all, which makes me think that WAN is correct.
