Which does not solve the common case when you want to pass unfiltered ingress trafic to few specific hosts and have the default reject unknown ingress behavior for all other LAN hosts. Just give me the ability to set my own firewall rules when I need to instead of drop-all/drop-ingress/accept-all combo-box with confusing label.