From a1727618dd0126af5776f55d9397cdb3d351a1af Mon Sep 17 00:00:00 2001
From: Eduardo Silva
Date: Mon, 29 Dec 2025 15:55:27 -0300
Subject: [PATCH] Remove REJECT from forward policy
---
...ettings_default_forward_policy_and_more.py | 23 +++++++++++++++++++
firewall/models.py | 4 ++--
firewall/tools.py | 5 +++-
3 files changed, 29 insertions(+), 3 deletions(-)
create mode 100644 firewall/migrations/0015_alter_firewallsettings_default_forward_policy_and_more.py
diff --git a/firewall/migrations/0015_alter_firewallsettings_default_forward_policy_and_more.py b/firewall/migrations/0015_alter_firewallsettings_default_forward_policy_and_more.py
new file mode 100644
index 0000000..92f923a
--- /dev/null
+++ b/firewall/migrations/0015_alter_firewallsettings_default_forward_policy_and_more.py
@@ -0,0 +1,23 @@
+# Generated by Django 5.2.9 on 2025-12-29 18:49
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+ dependencies = [
+ ('firewall', '0014_redirectrule_port_forward'),
+ ]
+
+ operations = [
+ migrations.AlterField(
+ model_name='firewallsettings',
+ name='default_forward_policy',
+ field=models.CharField(choices=[('accept', 'ACCEPT'), ('drop', 'DROP')], default='accept', max_length=6),
+ ),
+ migrations.AlterField(
+ model_name='firewallsettings',
+ name='default_output_policy',
+ field=models.CharField(choices=[('accept', 'ACCEPT'), ('drop', 'DROP')], default='accept', max_length=6),
+ ),
+ ]
diff --git a/firewall/models.py b/firewall/models.py
index cd309cc..2066d54 100644
--- a/firewall/models.py
+++ b/firewall/models.py
@@ -72,8 +72,8 @@ class FirewallRule(models.Model): class FirewallSettings(models.Model): name = models.CharField(max_length=6, default='global', unique=True) - default_forward_policy = models.CharField(max_length=6, default='accept', choices=[('accept', _('ACCEPT')), ('reject', _('REJECT')), ('drop', _('DROP'))]) - default_output_policy = models.CharField(max_length=6, default='accept', choices=[('accept', _('ACCEPT')), ('reject', _('REJECT')), ('drop', _('DROP'))]) + default_forward_policy = models.CharField(max_length=6, default='accept', choices=[('accept', _('ACCEPT')), ('drop', _('DROP'))]) + default_output_policy = models.CharField(max_length=6, default='accept', choices=[('accept', _('ACCEPT')), ('drop', _('DROP'))]) allow_peer_to_peer = models.BooleanField(default=True) allow_instance_to_instance = models.BooleanField(default=True) wan_interface = models.CharField(max_length=12, default='eth0') diff --git a/firewall/tools.py b/firewall/tools.py index 78f9f34..d5b91af 100644 --- a/firewall/tools.py +++ b/firewall/tools.py @@ -200,7 +200,10 @@ def generate_firewall_footer(): footer = '# The following rules come from Firewall settings\n' footer += '# Default FORWARD policy\n' - footer += f'iptables -t filter -P FORWARD {firewall_settings.default_forward_policy.upper()}\n' + if firewall_settings.default_forward_policy: + footer += f'iptables -t filter -P FORWARD {firewall_settings.default_forward_policy.upper()}\n' + else: + footer += f'iptables -t filter -P FORWARD DROP\n' footer += '# Same instance Peer to Peer traffic\n' for wireguard_instance in WireGuardInstance.objects.all().order_by('instance_id'):
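Review bot: Rows that already store 'reject' are not handled by this change: narrowing `choices` on `default_forward_policy` and `default_output_policy` in firewall/models.py only affects validation, migration 0015 holds two `AlterField` operations and no data update, and the new guard in `generate_firewall_footer` (firewall/tools.py) tests only for an empty value, so a stored 'reject' would still be rendered as `-P FORWARD REJECT`. iptables does not accept REJECT as a built-in chain policy, so that line presumably fails and FORWARD keeps whatever policy was in effect before, which may be ACCEPT. Render from an allowlist instead of a truthiness test, e.g. `policy = firewall_settings.default_forward_policy` / `if policy not in ('accept', 'drop'): policy = 'drop'` / `footer += f'iptables -t filter -P FORWARD {policy.upper()}\n'`, and add a `RunPython` step that rewrites existing 'reject' rows to 'drop'. The `else` branch's f-string has no placeholder and can be a plain string. The body of generate_firewall_footer continues outside the hunk, so whether default_output_policy is rendered with the same pattern cannot be seen here.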