DrayTek UK Users' Community Forum
Help, Advice and Solutions from DrayTek Users
Firewall rules - sanity check please!
13 Dec 2025 21:38 - 13 Dec 2025 21:38 #105886
by amadeus
Firewall rules - sanity check please! was created by amadeus
(I don't seem to have the ability to add screenshots - I thought that had been fixed - I've replied to the board admin in the thread here: https://www.draytek.co.uk/forum/board-discussion-and-help/25433-new-forum-features)
Draytek routers are permissive in that they don't block everything by default but rely on no port forwarding - a simple but pretty effective block by NAT.
I don't have any port forwarding - I'm kind of paranoid. I have disabled System Maintenance / Management / Allow management from the internet.
I also have a firewall filter rule set up (Firewall / Filter Setup / Set 1 Default Data Filter / Rule #1, ticked):
Direction WAN -> LAN/RT/VPN
Filter: Block Immediately
Syslog is ticked
I'd previously set this up and thought it was enabled, but when I just went into it I saw it wasn't ticked / enabled. I don't know if I'd unticked it accidentally, which *seems* unlikely, or an upgrade had unticked it, but that also seems unlikely.
Anyway, the reason I went into this was because I had lots (a few hundred in ~30 mins) of syslog messages (all my devices log to a central syslog server):
[DOS][Block][udp_flood, timeout=10, log_count:500, state:1, idx:27][185.202.220.152:51820->xxx.xxx.xxx.xxx:38395][UDP][HLen=20, TLen=1480]
where the redacted IP address is my external IP address.
Doing a portscan on my external IP address, it says port 38395 is not responding which is what I expected. But I don't understand why whoever was scanning my device persisted - no other ports scanned.
Secondly, on the Firewall / General Setup page it says:
Note: Packets are filtered by firewall functions in the following order:
1. Data Filter Sets and Rules
2. Block routing connections initiated from WAN
3. Default Rule
I'd have thought this scan attempt would be blocked by the entry I have in my filter setup (point #1) but the message looks to me as if it wasn't. It looks like it wasn't blocked by point #2 either, but by Firewall / Defense Setup (where everything is checked).
So I'm wondering, have I misunderstood something? Basically I just want to block anything initiated externally but (obviously) responses to requests initiated from my LAN would work ok. I want this block to be done as early as possible.
Thanks
Last edit: 13 Dec 2025 21:38 by amadeus.
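Working through the question in this post with code, as an added example that is not DrayTek code and not from the original poster: a small Python parser for the [DOS][Block] syslog format quoted above, plus a per-source summary that answers the two checks a practitioner would run on the central syslog archive, namely whether one source kept hitting a single port or swept several, and over what period. The BSD-syslog timestamp prefix, the host name "vigor", the second source 198.51.100.23 and all the repeated lines are constructed sample input; the dictionary keys are my own labels for the fields, not DrayTek's names.

```python
"""Summarise DrayTek [DOS][Block] syslog lines per source IP.

Added example for this thread, not DrayTek code. The message format is the
one quoted in the post; the dict keys below are my own labels for its fields.
"""
import re
from collections import defaultdict
from datetime import datetime

# Optional BSD-syslog prefix as a central syslog server would store it
# (assumed; the post shows only the message body).
SYSLOG_PREFIX = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d)\s+\S+\s+"
)

# [DOS][Block][udp_flood, timeout=10, ...][src:sport->dst:dport][UDP][HLen=20, TLen=1480]
DOS_LINE = re.compile(
    r"\[DOS\]\[(?P<action>[^\]]+)\]"
    r"\[(?P<attack>[a-z_]+),\s*(?P<params>[^\]]*)\]"
    r"\[(?P<src>[0-9.]+):(?P<sport>\d+)->(?P<dst>[0-9.x]+):(?P<dport>\d+)\]"
    r"\[(?P<proto>[A-Z]+)\]"
    r"\[HLen=(?P<hlen>\d+),\s*TLen=(?P<tlen>\d+)\]"
)


def parse_dos_line(line):
    """Return a dict for one [DOS] message, or None if the line is not one."""
    m = DOS_LINE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    # The parameter block mixes separators: "timeout=10, log_count:500, ...".
    params = {}
    for kv in rec.pop("params").split(","):
        kv = kv.strip()
        if kv:
            key, val = re.split(r"[=:]", kv, maxsplit=1)
            val = val.strip()
            params[key.strip()] = int(val) if val.isdigit() else val
    rec["params"] = params
    for field in ("sport", "dport", "hlen", "tlen"):
        rec[field] = int(rec[field])
    prefix = SYSLOG_PREFIX.match(line)
    rec["ts"] = datetime.strptime(prefix["ts"], "%b %d %H:%M:%S") if prefix else None
    return rec


def summarise(lines):
    """Group [DOS] events by source IP and characterise what each source did."""
    by_src = defaultdict(list)
    for line in lines:
        rec = parse_dos_line(line)
        if rec:
            by_src[rec["src"]].append(rec)
    summary = {}
    for src, recs in by_src.items():
        dports = sorted({r["dport"] for r in recs})
        stamps = [r["ts"] for r in recs if r["ts"]]
        span = (max(stamps) - min(stamps)).total_seconds() if len(stamps) > 1 else 0.0
        summary[src] = {
            "events": len(recs),
            "attacks": sorted({r["attack"] for r in recs}),
            "sports": sorted({r["sport"] for r in recs}),
            "dports": dports,
            "span_s": span,
            # One destination port hit repeatedly is the case in the thread;
            # several destination ports from one source looks like a sweep.
            "pattern": ("repeated hits on one port" if len(dports) == 1
                        else "multiple ports (sweep)"),
        }
    return summary


def dos_line(ts, src, sport, dport, tlen, idx):
    """Build a constructed sample line in the quoted format (host 'vigor' assumed)."""
    return (f"{ts} vigor [DOS][Block][udp_flood, timeout=10, log_count:500, "
            f"state:1, idx:{idx}][{src}:{sport}->xxx.xxx.xxx.xxx:{dport}]"
            f"[UDP][HLen=20, TLen={tlen}]")


# Constructed sample: the post's line repeated over ~30 minutes, a second
# made-up source sweeping two ports, and one unrelated line to be ignored.
SAMPLE = [
    dos_line("Dec 13 21:05:01", "185.202.220.152", 51820, 38395, 1480, 27),
    dos_line("Dec 13 21:17:44", "185.202.220.152", 51820, 38395, 1480, 27),
    dos_line("Dec 13 21:34:09", "185.202.220.152", 51820, 38395, 1480, 27),
    dos_line("Dec 13 21:20:30", "198.51.100.23", 40001, 53, 64, 28),
    dos_line("Dec 13 21:20:31", "198.51.100.23", 40001, 123, 64, 28),
    "Dec 13 21:21:00 vigor Management login from LAN",
]

if __name__ == "__main__":
    for src, info in summarise(SAMPLE).items():
        print(src, info)
```

Fed the real lines from the syslog server, the "dports" and "pattern" fields settle the "no other ports scanned" question from the router's own records, whereas an external port scan only shows how the router answers from outside. One observation the summary makes visible: 51820, the source port in the quoted line, is the default WireGuard listen port; that is a fact about the number alone and says nothing by itself about what sent the traffic.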
14 Dec 2025 00:29 - 14 Dec 2025 00:30 #105887
by HodgesanDY
Replied by HodgesanDY on topic Firewall rules - sanity check please!
[DOS][Block][udp_flood, timeout=10, log_count:500, state:1, idx:27][185.202.220.152:51820->xxx.xxx.xxx.xxx:38395][UDP][HLen=20, TLen=1480]
...but this is a DOS Block.
You have DoS Defense active, right? And so a slightly different part of the firewall function.
Last edit: 14 Dec 2025 00:30 by HodgesanDY.
14 Dec 2025 09:28 #105888
by amadeus
Replied by amadeus on topic Firewall rules - sanity check please!
Thanks.
Yes, I do have DOS defence active - I meant to explain that in my last sentence of the penultimate paragraph.
It doesn’t seem to be happening frequently enough to be an effective DOS, so I was taking the description with a pinch of salt, though happy it had been blocked.
I think I’d not thought about the specifics before; I think I thought that an effective DOS would require an open port. If that were not the case then using random ports each time would be more effective?
I’m possibly going in to over thinking mode. Or possibly under thinking mode.
14 Dec 2025 09:59 - 14 Dec 2025 14:19 #105889
by HodgesanDY
Replied by HodgesanDY on topic Firewall rules - sanity check please!
I think I thought that an effective DOS would require an open port. If that were not the case then using random ports each time would be more effective?
The port being "open" is an internal status; effectively, all ports are "open" to the router (or more so the router's defence (spelt defense in the GUI)), and it is then down to those defences to process the packet(s) safely. The attack can come via any port number, as all it wants to do is get the packet(s) internal to the device where it can launch its attack IF there is a vulnerability. Hence why critical security updates are so important. If a port is open on the router then the defending device will be the device inside your network, as the router is now just opening the door to those packets and forwarding them on inside!
DoS Defence is looking for a pattern of behaviour and dealing with it in the best way it feels necessary. Our devices are being hammered all day, every day, by external nodes fishing for vulnerabilities and waiting for a response that draws their attention to persist further.
See this DoS explanation...
Last edit: 14 Dec 2025 14:19 by HodgesanDY.
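To make the "pattern of behaviour" point in the reply above concrete, here is an added toy example in Python of a per-source rate detector with a block timeout. It is not DrayTek's DoS Defense implementation, which this page does not describe; the threshold (50 packets in a 1 s window), the 10 s timeout echoing the timeout=10 field in the quoted log, and the three outcomes pass/block/drop are my assumptions. The simulation contrasts one source repeating bursts at a single closed port, the case in the thread, with one that sends slowly to many different ports.

```python
"""Toy per-source UDP flood detector with a block timeout.

Added example for this thread, not DrayTek's DoS Defense logic (which is
not described on this page). Threshold, window and timeout values are my
assumptions; timeout=10 mirrors the field in the quoted log line.
"""
from collections import defaultdict, deque


class UdpFloodDetector:
    def __init__(self, threshold=50, window_s=1.0, timeout_s=10.0):
        self.threshold = threshold       # packets per window that trip a block
        self.window_s = window_s         # sliding window length in seconds
        self.timeout_s = timeout_s       # how long a tripped source stays blocked
        self._hits = defaultdict(deque)  # src -> arrival times inside the window
        self._blocked_until = {}         # src -> time at which its block expires
        self.events = []                 # (t, src, dport) for every block decision

    def packet(self, t, src, dport):
        """Decide one UDP packet: 'pass', 'block' (logged) or 'drop' (silent)."""
        until = self._blocked_until.get(src)
        if until is not None:
            if t < until:
                return "drop"            # inside the timeout: no new log line
            del self._blocked_until[src]
        window = self._hits[src]
        window.append(t)
        while window and t - window[0] > self.window_s:
            window.popleft()             # forget arrivals older than the window
        if len(window) > self.threshold:
            self._blocked_until[src] = t + self.timeout_s
            window.clear()
            self.events.append((t, src, dport))
            return "block"
        return "pass"                    # leaves the DoS stage; later stages still apply


def simulate():
    """Contrast a repeating single-port burst with a slow multi-port sweep."""
    det = UdpFloodDetector()
    outcome = defaultdict(int)
    # Source A (constructed): three bursts of 200 packets in 0.5 s, 15 s apart,
    # all to the same destination port, as in the thread's log.
    for burst in range(3):
        t0 = burst * 15.0
        for i in range(200):
            outcome[("A", det.packet(t0 + i * 0.0025, "A", 38395))] += 1
    # Source B (constructed): one packet per second, each to a different port.
    for i in range(60):
        outcome[("B", det.packet(float(i), "B", 1024 + i))] += 1
    return det, dict(outcome)


if __name__ == "__main__":
    det, outcome = simulate()
    for key in sorted(outcome):
        print(key, outcome[key])
    print("block events:", det.events)
```

The repeating source trips the detector once per burst and is then dropped silently until the timeout lapses, so a single sender revisiting the same closed port produces a trickle of block log lines spread over time; the slow sweep never crosses the per-second threshold, so a rate detector on its own would not log it at all. Note that "pass" here only means the packet leaves the DoS stage; with no port forwarding configured it would still be discarded further down the router's processing order.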
