openwrt firewall4 rules if zone settings are all REJECT

WAN DHCP and LAN DHCP. A DHCP client sends from UDP 68 to the server's UDP 67, and the server answers from 67 back to 68. The router's own client on WAN already receives its renewal replies (input from wan, dest_port 68) through the default Allow-DHCP-Renew rule. What the REJECT policies still break is: LAN clients reaching dnsmasq (input, dest_port 67), dnsmasq answering them (output, src_port 67), and the router's own renewals towards the WAN server (output, src_port 68 to dest_port 67). If the device is instead a bridge/dumb AP that takes its own address over lan, mirror the wan pattern on lan (dest_port 68 in, src_port 68 out) instead of the first two rules.

uci add firewall rule
uci set firewall.@rule[-1].src='lan'
uci set firewall.@rule[-1].name='lan-dhcp-in-dst67'
uci set firewall.@rule[-1].proto='udp'
uci set firewall.@rule[-1].dest_port='67'
uci set firewall.@rule[-1].target='ACCEPT'
uci set firewall.@rule[-1].family='ipv4'
uci add firewall rule
uci set firewall.@rule[-1].dest='lan'
uci set firewall.@rule[-1].name='lan-dhcp-out-src67'
uci set firewall.@rule[-1].proto='udp'
uci set firewall.@rule[-1].src_port='67'
uci set firewall.@rule[-1].target='ACCEPT'
uci set firewall.@rule[-1].family='ipv4'
uci add firewall rule
uci set firewall.@rule[-1].dest='wan'
uci set firewall.@rule[-1].name='wan-dhcp-out-src68'
uci set firewall.@rule[-1].family='ipv4'
uci set firewall.@rule[-1].proto='udp'
uci set firewall.@rule[-1].src_port='68'
uci set firewall.@rule[-1].dest_port='67'
uci set firewall.@rule[-1].target='ACCEPT'

Management access, then the router's own DNS and NTP. The two wan rules (allow80, allow22) are lock-out insurance only: keep them until you have confirmed you can still get in from lan, then disable them (uci set firewall.@rule[N].enabled='0') after checking their hit counters with nft list ruleset (fw4 tags every rule with a counter and comment "!fw4: <name>"). Leaving SSH or the web UI reachable from wan is not something to keep long term. DNS uses TCP as well as UDP (truncated answers are retried over TCP), so the port 53 rules take 'tcp udp'.

uci add firewall rule
uci set firewall.@rule[-1].name='allow80'
uci set firewall.@rule[-1].proto='tcp'
uci set firewall.@rule[-1].src='wan'
uci set firewall.@rule[-1].dest_port='80'
uci set firewall.@rule[-1].target='ACCEPT'
uci add firewall rule
uci set firewall.@rule[-1].name='allow22'
uci set firewall.@rule[-1].proto='tcp'
uci set firewall.@rule[-1].src='wan'
uci set firewall.@rule[-1].dest_port='22'
uci set firewall.@rule[-1].target='ACCEPT'
uci add firewall rule
uci set firewall.@rule[-1].name='allow80lan'
uci set firewall.@rule[-1].proto='tcp'
uci set firewall.@rule[-1].src='lan'
uci set firewall.@rule[-1].dest_port='80'
uci set firewall.@rule[-1].target='ACCEPT'
uci add firewall rule
uci set firewall.@rule[-1].name='allow22lan'
uci set firewall.@rule[-1].proto='tcp'
uci set firewall.@rule[-1].src='lan'
uci set firewall.@rule[-1].dest_port='22'
uci set firewall.@rule[-1].target='ACCEPT'
uci add firewall rule
uci set firewall.@rule[-1].name='allow53lan'
uci set firewall.@rule[-1].src='lan'
uci set firewall.@rule[-1].proto='tcp udp'
uci set firewall.@rule[-1].dest_port='53'
uci set firewall.@rule[-1].target='ACCEPT'
uci add firewall rule
uci set firewall.@rule[-1].dest='wan'
uci set firewall.@rule[-1].name='allow53out'
uci set firewall.@rule[-1].proto='tcp udp'
uci set firewall.@rule[-1].dest_port='53'
uci set firewall.@rule[-1].target='ACCEPT'
uci add firewall rule
uci set firewall.@rule[-1].dest='wan'
uci set firewall.@rule[-1].name='allow123out'
uci set firewall.@rule[-1].proto='udp'
uci set firewall.@rule[-1].dest_port='123'
uci set firewall.@rule[-1].target='ACCEPT'
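How to actually read those counters before disabling the temporary wan rules, as an added example that is not part of the original post: fw4 writes each rule with a counter and a comment "!fw4: <name>", so the packet count can be pulled straight out of nft list ruleset output. The SAMPLE text below is a constructed excerpt standing in for real nft output; the function names hits and unused are this example's own.

```shell
#!/bin/sh
# Added example: find which fw4 rules have never matched, from the
# counters in `nft list ruleset` output. SAMPLE is a constructed excerpt.

# hits NAME : print the packet counter of the fw4 rule named NAME, reading
# nft output on stdin. Prints "missing" if no rule carries that name.
# The closing quote in the search string keeps allow22 from matching allow22lan.
hits() {
    awk -v want="!fw4: $1\"" '
        index($0, want) {
            n = 0
            for (i = 1; i < NF; i++) if ($i == "packets") n = $(i + 1)
            print n; found = 1; exit
        }
        END { if (!found) print "missing" }'
}

# unused NAME... : among the given rule names, print those with a zero
# counter (candidates for enabled='0'). Reads the ruleset once from stdin.
unused() {
    rs=$(cat)
    for n in "$@"; do
        [ "$(printf '%s\n' "$rs" | hits "$n")" = 0 ] && echo "$n"
    done
    return 0
}

# Constructed sample in the shape fw4 emits (zone input chains, one rule per line).
SAMPLE='	chain input_wan {
		meta nfproto ipv4 udp dport 68 counter packets 41 bytes 13448 accept comment "!fw4: Allow-DHCP-Renew"
		tcp dport 80 counter packets 0 bytes 0 accept comment "!fw4: allow80"
		tcp dport 22 counter packets 7 bytes 420 accept comment "!fw4: allow22"
	}
	chain input_lan {
		tcp dport 22 counter packets 133 bytes 9100 accept comment "!fw4: allow22lan"
	}'

# demo : run the check on the sample; on the router use
#   nft list ruleset | unused allow80 allow22
demo() { printf '%s\n' "$SAMPLE" | unused allow80 allow22; }

demo
```

Counters start from zero on every fw4 reload, so leave the rules in place across a normal stretch of use before trusting a zero. To disable a rule by name, find its index with uci show firewall | grep "name='allow22'" and set enabled='0' on that section.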

ICMPv6 between the LAN and the device. These two rules accept every ICMPv6 type in both directions on lan, which is what neighbour discovery, router advertisements, DAD and path MTU discovery need. On the wan side keep the default Allow-ICMPv6-Input, which restricts the types and rate-limits them, rather than copying this open rule. If the device itself has to send ICMPv6 towards wan (ping, PMTU responses), add the same rule with dest='wan'.

uci add firewall rule
uci set firewall.@rule[-1].dest='lan'
uci set firewall.@rule[-1].name='device-lan-icmpv6'
uci set firewall.@rule[-1].family='ipv6'
uci set firewall.@rule[-1].proto='icmp'
uci set firewall.@rule[-1].target='ACCEPT'
uci add firewall rule
uci set firewall.@rule[-1].src='lan'
uci set firewall.@rule[-1].name='lan-device-icmpv6'
uci set firewall.@rule[-1].family='ipv6'
uci set firewall.@rule[-1].proto='icmp'
uci set firewall.@rule[-1].target='ACCEPT'

IPv6 TCP/UDP forwarding from lan to wan (if the device works as a router). Note that lan-to-wan traffic is normally permitted by the default 'config forwarding' section (src lan, dest wan); a zone's forward policy only decides traffic between interfaces of the same zone and pairs with no forwarding section. This rule is therefore only needed if that forwarding section was removed.

uci add firewall rule
uci set firewall.@rule[-1].src='lan'
uci set firewall.@rule[-1].dest='wan'
uci set firewall.@rule[-1].name='lan-wan-ipv6-forwarding-tcp-udp'
uci set firewall.@rule[-1].family='ipv6'
uci set firewall.@rule[-1].target='ACCEPT'
uci add_list firewall.@rule[-1].proto='tcp'
uci add_list firewall.@rule[-1].proto='udp'

Only for IPv6 bridge setups, modelled on the default Allow-ICMPv6-Forward rule: pass the neighbour and router discovery types from lan to wan.

uci add firewall rule
uci set firewall.@rule[-1].src='lan'
uci set firewall.@rule[-1].dest='wan'
uci set firewall.@rule[-1].name='icmpv6 bridge'
uci set firewall.@rule[-1].family='ipv6'
uci set firewall.@rule[-1].proto='icmp'
uci set firewall.@rule[-1].target='ACCEPT'
uci add_list firewall.@rule[-1].icmp_type='neighbour-advertisement'
uci add_list firewall.@rule[-1].icmp_type='neighbour-solicitation'
uci add_list firewall.@rule[-1].icmp_type='router-advertisement'
uci add_list firewall.@rule[-1].icmp_type='router-solicitation'

Then add whatever other wan output rules the device itself needs (for example tcp 443 for opkg and sysupgrade downloads). Only when all of the above is in place, flip the policies. In the default config lan is @zone[0] and wan is @zone[1]; confirm with uci show firewall.@zone[1].name before setting anything. The lan rules above only make sense once the lan zone is REJECT as well, so apply the same three options to @zone[0] too.

uci set firewall.@zone[1].input='REJECT'
uci set firewall.@zone[1].output='REJECT'
uci set firewall.@zone[1].forward='REJECT'

Remember to commit and reload: uci commit firewall, then fw4 check to validate, then fw4 reload. Do this from a session you can afford to lose, with a second way in (serial console, or the lan side) ready.
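The whole procedure as one script, added here as an example and not part of the original post: the rules are emitted as a uci batch (the same sections as above, with the DHCP ports set to what the server and client roles actually use), the zone policies are flipped last, and the apply step arms an unattended rollback so a mistake on a remote box cannot lock you out. The helper names rule, ruleset and apply, the /tmp/fw-confirmed marker and the 120 s window are this example's own choices; it assumes the default zone order (lan is @zone[0], wan is @zone[1]).

```shell
#!/bin/sh
# Added example: firewall4 lock-down as a uci batch plus a rollback timer.
# Dry run (print the batch):  sh fw-lockdown.sh
# Apply on the device:        sh fw-lockdown.sh apply

# rule NAME SRC DEST PROTO SPORT DPORT FAMILY [ICMP_TYPE...]
# Prints uci batch lines for one ACCEPT rule; "-" means "leave unset".
rule() {
    printf 'add firewall rule\n'
    printf "set firewall.@rule[-1].name='%s'\n" "$1"
    [ "$2" = - ] || printf "set firewall.@rule[-1].src='%s'\n" "$2"
    [ "$3" = - ] || printf "set firewall.@rule[-1].dest='%s'\n" "$3"
    [ "$4" = - ] || printf "set firewall.@rule[-1].proto='%s'\n" "$4"
    [ "$5" = - ] || printf "set firewall.@rule[-1].src_port='%s'\n" "$5"
    [ "$6" = - ] || printf "set firewall.@rule[-1].dest_port='%s'\n" "$6"
    [ "$7" = - ] || printf "set firewall.@rule[-1].family='%s'\n" "$7"
    shift 7
    for t in "$@"; do
        printf "add_list firewall.@rule[-1].icmp_type='%s'\n" "$t"
    done
    printf "set firewall.@rule[-1].target='ACCEPT'\n"
}

# The page's rule set, DHCP first so the router keeps its lease whatever else goes wrong.
ruleset() {
    # DHCP: LAN clients -> dnsmasq (67), its replies (from 67), router renewals out (68 -> 67)
    rule lan-dhcp-in-dst67  lan -   udp -  67 ipv4
    rule lan-dhcp-out-src67 -   lan udp 67 -  ipv4
    rule wan-dhcp-out-src68 -   wan udp 68 67 ipv4
    # management access; the two wan rules are temporary lock-out insurance
    rule allow80    wan - tcp - 80 -
    rule allow22    wan - tcp - 22 -
    rule allow80lan lan - tcp - 80 -
    rule allow22lan lan - tcp - 22 -
    # DNS needs TCP as well; NTP for the router's own clock
    rule allow53lan  lan -   'tcp udp' - 53  -
    rule allow53out  -   wan 'tcp udp' - 53  -
    rule allow123out -   wan udp       - 123 -
    # ICMPv6 between LAN and the device, all types (NDP, RA, DAD, PMTUD)
    rule device-lan-icmpv6 -   lan icmp - - ipv6
    rule lan-device-icmpv6 lan -   icmp - - ipv6
    # IPv6 forwarding lan -> wan, and ND passthrough for bridge setups
    rule lan-wan-ipv6-forwarding-tcp-udp lan wan 'tcp udp' - - ipv6
    rule lan-wan-icmpv6-bridge lan wan icmp - - ipv6 \
        neighbour-advertisement neighbour-solicitation \
        router-advertisement router-solicitation
    # last: flip both zone policies (lan is @zone[0], wan is @zone[1] by default)
    for z in 0 1; do
        for dir in input output forward; do
            printf "set firewall.@zone[%s].%s='REJECT'\n" "$z" "$dir"
        done
    done
}

# apply: snapshot the config, load the batch, commit, validate, reload, and
# restore the snapshot unless /tmp/fw-confirmed appears within 120 s.
apply() {
    cp /etc/config/firewall /tmp/firewall.pre
    ruleset | uci batch
    uci commit firewall
    fw4 check && fw4 reload
    ( trap '' HUP                       # keep running if the SSH session dies
      sleep 120
      [ -e /tmp/fw-confirmed ] || { cp /tmp/firewall.pre /etc/config/firewall; fw4 reload; }
    ) &
    echo "Rollback armed: run 'touch /tmp/fw-confirmed' from a NEW session within 120 s."
}

case "$1" in
    apply) apply ;;
    *)     ruleset ;;   # default: print the batch for review
esac
```

Confirm from a fresh session, not the one that ran apply: if the new ruleset has cut you off, the fresh login fails, the marker never gets written, and the old config comes back on its own. /tmp is tmpfs on OpenWrt, so the marker and snapshot do not survive a reboot, which is fine because the rollback only matters for the first two minutes.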

@busylog
© 2025 Geeknote