bomm wrote:Thanks for your help.
bomm wrote:I have a dynamic IP address, so it's not a good idea to manage the rules manually.
Well how dynamic is dynamic? Meaning, how often does it change?
Some ISPs give out "dynamic" IPs that stick for a long time (can be several months) even through completely powering off the device (although not if the device is powered off for too long)...
bomm wrote:The best solution would be if the router itself could block packets for the WAN IP on the local interface.
I think the ABE rule would do more than that, as ABE blocks by address not just by interface... so with only measures working by interface, I would have to wonder if there is even theoretical possibility for sites to use your web browser to trick your router into sending requests from its public interface back to its public interface. Firewalling by address doesn't have any such limitation.
You might see if your router has a placeholder in its firewall for its own WAN IP.
Basically, what I'm trying say is if there is a way of having your router filter by WAN IP / address
instead of by interface, I would think it's a more robust solution than protecting by interface.
bomm wrote:My router is fairly uncommon, so the risk of attacks is relatively low.
That is not a valid line of reasoning. Being "different" (in and of itself) is always orthogonal to security.
If the risk of attacks is relatively low on your router vs. others, that wouldn't be the reason why. (I would think the reason to be - at some level - along the lines of you being a competent sysadmin.)