Which is stronger? Port forward or Firewall rule?

Hey Forum!

I’ve a firewall rule that permits a client to go to the internet. I’ve simply dropped all traffic from client to zone RED (that is the internet) and vice versa.
Now I want to allow one specific port from the client to be accessible from the internet. I can set Port Forward up to allow that specific port from the RED zone to the client and vice versa, but isn’t my firewall rule gonna overwrite the port forward?

If it does, then what do you recommend, how should I allow only one port to communicate to the internet and drop every other communication from/to the internet?


Isn’t the traffic from internet to red already blocked by default?
I’m not sure that it needs a specific rule to do drop connections from internet to red.

RED is the internet zone itself, isn’t it? If I (for example) drop traffic from RED to a specific client, then that host can’t reach out to the internet and back. However, this does not affects the rest of the clients in the network.

I usually made the opposite rule: i block from client to RED or Internet

Think about direction. Dropping traffic from RED to a client, (which BTW as pointed out by @saitobenkei is the default) does not affect any traffic going from a client to the internet via the RED interface. That would have to be a different rule.


I have that rule vice versa. So 2 rules exist:
DROP: Red -> Client
DROP: Client -> Red

But I want to enable one port where the client can communicate with the world. Is this possible this way?

They are different things. In the first you are asking for an inbound connection. In the second, an outbound.

You need to be more specific on your requirements. Are you asking that one client can only reach out to the internet on a specific port and it must get it’s replies back. Or are you expecting “someone” on the internet to connect to the client via a specific port.


Is the default. No rule is needed for that.


OK. Now I understand your point. Sorry for being a slow learner. However, I still don’t know what if I allow one port to be open on the firewall for in&out communication to the client while also having a firewall rule like DROP: Client -> Red ?

If you want to open a port “from client to internet” you have to configure it in “Firewall Rules” and not in “Port Forwarding”.
Then you have to move (drag and drop) the rule “permit the client connection” above the rule that block “green to internet” connection.
When all is done, you have to click to “Apply Changes” red button.


@Imre_Bertalan do you have solved thanks to @saitobenkei’s suggestion? That’s the way to go

Interesting, maybe I didn’t understand the answer, but order matters? Say I have a rule blocking everything to everyone, if I put a rule allowing a specific port above that it would supercede it? Thanks.

Always, AFAIK for all routers, no matter who produces them.
Firewall rules!

From top to down (at least):

  1. Bypass rules
  2. Block rules
  3. Allow rules
  4. Default rules

If you want, you can try to change 2. with 3.: nothing will be blocked.

1 Like

Thanks! Not sure how I missed that, I guess I figured the gui meant order didn’t matter. Appreciate it!

1 Like

The rules added in GUI, are applied as they are written, including the order.

BTW, the order of the rules (from top to bottom), is applied not only to firewall.
This applies wherever there are filters, generally speaking (firewall, web filters, …).
Usually, are applied rules to block and to allow.
Always, first (top) are rules to block and second (bottom) are rules to allow.

1 Like

A post was split to a new topic: Forward everything to a specific host inside my LAN