By default OpenWrt is already safe, but GRC has certain assumptions about what it means to be secured.
Their test requires the router to behave as follows:
- Drop all unsolicited packets silently
- Do not respond to pings
First, set the default policy to 'drop'.
We also need to set the internet-facing policy to drop.
However, if you have a separate guest network, it is OK to set that one to reject, because it is not internet-facing.
We also need to set our router to ignore WAN pings.
However, we still want to be able to ping internet hosts such as Google so that we can test our connectivity.
Instead of deleting the rule, we change it to accept only echo-reply.
When we ping internet routers and servers, we send echo-request ICMP packets to them and they reply with echo-reply ICMP packets.
With this change, if any internet system tries to ping the router by sending echo-request packets, they are dropped silently, but when we send the packets and receive replies, the replies are accepted.
However, this assumes that internet systems will not spoof an echo-reply packet to our router, which may not be true.
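
The settings described above, written out as an `/etc/config/firewall` excerpt. This is an added example, not taken from the original post: the zone name `guest`, the network names, and the application of 'drop' to both `input` and `forward` are assumptions, and the "stock" values in the comments are typical defaults that may differ on your release.

```conf
# /etc/config/firewall (excerpt, constructed example)

config defaults
	# Default policy: drop instead of reject, so probes get no answer.
	# Typical stock value for input/forward: REJECT
	option input 'DROP'
	option output 'ACCEPT'
	option forward 'DROP'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	# Internet-facing zone: drop silently.
	option input 'DROP'
	option output 'ACCEPT'
	option forward 'DROP'
	option masq '1'
	option mtu_fix '1'

config zone
	# Hypothetical separate guest zone; it is not internet-facing,
	# so REJECT is acceptable here.
	option name 'guest'
	list network 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option family 'ipv4'
	# Typical stock value: echo-request (router answers WAN pings).
	# Changed so that only echo-reply is accepted from the WAN.
	option icmp_type 'echo-reply'
	option target 'ACCEPT'
```

After editing the file, apply it with `/etc/init.d/firewall restart` and re-run the GRC test. Because this rule accepts any echo-reply arriving on the WAN, it is the rule that admits the spoofed echo-reply packets mentioned above.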