Firewall/NAT

I have my wireless AP attached to Opt1(sis2) and my wired network on LAN1(sis0) using a Soekris 4801. My understanding was that anything nor explicitly allowed was denied.  I am trying to ssh from a wired system on LAN1 to a wireless laptop on Opt1 and it works no problem. The only problem is that in Opt1 Firewall Rules I am telling monowall to Drop everything. Why am I still able to connect using ssh from LAN1 to Opt1 when I am blocking all traffic to Opt1?  Here is the XML for my Opt1 interface, I don't have an Opt3 so I don't know where that came from:

- <rule>
  <type>block</type>
  <interface>opt3</interface>
  <protocol>icmp</protocol>
- <source>
  <any />
  </source>
- <destination>
  <any />
  </destination>
  <descr />
  </rule>
- <rule>
  <type>block</type>
  <interface>opt1</interface>
  <protocol>tcp/udp</protocol>
- <source>
  <any />
  <port>135</port>
  </source>
- <destination>
  <any />
  </destination>
  <descr />
  </rule>
- <rule>
  <type>block</type>
  <interface>opt1</interface>
  <protocol>tcp/udp</protocol>
- <source>
  <any />
  <port>137-139</port>
  </source>
- <destination>
  <any />
  </destination>
  <descr />
  </rule>
- <rule>
  <type>block</type>
  <interface>opt1</interface>
  <protocol>tcp/udp</protocol>
- <source>
  <any />
  <port>445</port>
  </source>
- <destination>
  <any />
  </destination>
  <descr />
  </rule>
- <rule>
  <type>block</type>
  <interface>opt1</interface>
- <source>
  <any />
  </source>
- <destination>
  <any />
  </destination>
  <descr />
  </rule>

You're looking at the ruleset the wrong way round: the rules are always for packets entering the firewall.

The ruleset for OPT1 filters egress from the OPT1 network to other networks.

So, if you want the devices on OPT1 to be protected, you need to ensure that the rulesets for LAN1 and WAN block traffic destined for OPT1.

Hope this helps,

- Martin