... the default (log)accept policy of "Allow" access restriction, in file release/src/router/rc/firewall.c ?

This was my original question, and after some more thinking about the problem, I came to the conclusion that some may find it useful to remove this default "ACCEPT" policy in advgrp_%d chains, and others may need it, so I'll test a patch where this default policy will be applied in advgrp_%d chains only when no specific protocol/url ... blocking has occurred, and of course, only when we're in "allow" condition, not deny (although advgrp_%d should not be used for deny, and so it should not hurt anything).

My original suggestion was to change the whole behaviour of the access restrictions, particularly for the deny case. I changed my mind, and will only test this minor modification (only adding a counter in advgrp_chain, incrementing by one each time a rule is added to the advgrp_%d chain, and testing it in the end to add a default ACCEPT policy if the chain is empty there).

This should allow various combinations: many overlapping (same time, same group of mac/ips ...) allow rules, one after the other, with many protocols and/or url blocking, for example, when you need more than 4 protocols, as the UI currently allows, then followed by an overlapping allow without anything blocked, then later followed by a global any day any time deny.

Example:

rule 1: allow 192.168.1.0/24 any day from 6AM to 9PM except HTTP/HTTPS/FTP/POP3
rule 2: allow 192.168.1.0/24 any day from 6AM to 9PM except IMAP4
rule 3: allow 192.168.1.0/24 any day from 6AM to 9PM
rule 4: deny 192.168.1.0/24 any day any time

The problem that should also be addressed is the fact that you can't properly specify a time restriction which ends at 12AM, only 11h55AM (not very elegant, but a minor annoyance).

PS: I edited this text a lot, before others answered or commented anything. I know that some have read the previous version, but I thought it was better to change it into a more "reasonable" proposition.
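The effect of the proposed counter on the four example rules, as an added illustration that is not part of the original post and is not code from firewall.c. It is a simplified model that assumes first-match chain traversal, that a chain without a final ACCEPT returns to the next rule, and that unmatched traffic is forwarded; the struct, enum and function names are hypothetical.

```c
#include <stdio.h>

/* Simplified model of the chain walk; hypothetical names, not firewall.c code. */
enum proto { HTTP = 1, HTTPS = 2, FTP = 4, POP3 = 8, IMAP4 = 16, SSH = 32 };
enum verdict { DROP, ACCEPT };

struct rule {
    int allow;        /* 1 = "allow" rule with its own advgrp chain, 0 = deny */
    int from, to;     /* active hours [from, to); 0..24 means any time */
    unsigned blocked; /* protocols dropped inside the advgrp chain */
};

/* The four rules from the post, all for 192.168.1.0/24 (source match omitted). */
static const struct rule rules[] = {
    { 1, 6, 21, HTTP | HTTPS | FTP | POP3 },
    { 1, 6, 21, IMAP4 },
    { 1, 6, 21, 0 },
    { 0, 0, 24, 0 },
};

/* accept_only_if_empty = 0: every advgrp chain ends in ACCEPT.
 * accept_only_if_empty = 1: ACCEPT is appended only when the counter is zero. */
enum verdict evaluate(unsigned proto, int hour, int accept_only_if_empty)
{
    for (size_t i = 0; i < sizeof rules / sizeof rules[0]; i++) {
        const struct rule *r = &rules[i];
        int added = 0; /* the proposed counter of rules put in this chain */
        if (hour < r->from || hour >= r->to)
            continue;
        if (!r->allow)
            return DROP;
        for (unsigned p = 1; p <= SSH; p <<= 1) {
            if (!(r->blocked & p)) continue;
            added++;
            if (p == proto) return DROP;
        }
        if (!accept_only_if_empty || added == 0)
            return ACCEPT;
        /* otherwise the chain returns and the next rule is tried */
    }
    return ACCEPT; /* assumption: unmatched traffic is forwarded */
}

int main(void)
{
    printf("IMAP4 10h, always ACCEPT:   %s\n", evaluate(IMAP4, 10, 0) ? "ACCEPT" : "DROP");
    printf("IMAP4 10h, ACCEPT if empty: %s\n", evaluate(IMAP4, 10, 1) ? "ACCEPT" : "DROP");
    return 0;
}
```

In this model, an unconditional ACCEPT at the end of rule 1's chain means the IMAP4 block in rule 2 is never evaluated; with the counter, rule 2 drops IMAP4 and rule 3's empty chain accepts the rest.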