
Clarification on "Reject" action in firewall

I have discovered that a device on my home network has been connecting to the internet without my permission. I don't think that this is too nefarious, so as a troubleshooting measure I created a firewall rule to "Reject" the requests from that device. That is when I noticed a couple of things:

  1. When I first created the rule I selected the device from the source list and set the rule to "Reject".  When I later checked the logs, I discovered that some packets were blocked and others were still getting through.  Upon further review, it seems that the source I selected was the MAC address of the device.  So, I figured that the source likely needs to be listed by IP address.  So I defined a new source by the device's IP address.
  2. When I checked the firewall logs afterwards, I discovered that some packets were still being allowed.  I then changed the rule to "Drop".  It now appears that these packets are not being permitted although I do not see any "Blocked" or "Denied" in the logs.  I just don't see any more "Accepted".  The tally of "out" in the firewall rule keeps increasing.

I thought that "Reject" would be the "polite" way of blocking the access given that the device is on my LAN. I had hoped that it would actually block the packets. Is my understanding of "Reject" incorrect (ICMP unreachable and deny)?


