Firewall Not Blocking Traffic to Cable Modem (192.168.100.1)

What are you doing from where when you are "still able to reach the cable modem's web interface?"

Cheers - Bob

First answer Bobs Question.

Next, the WebProxy could interfere.
This cannot be blocked by firewall rules.
if a transparent web proxy is in use, you have to create a proxy exception.
(WebProtection/FilteringOptions/Misc/Transparent Mode Skiplist ... but uncheck "Allow HTTP/S traffic for listed hosts/nets")

First answer Bobs Question.

Next, the WebProxy could interfere.
This cannot be blocked by firewall rules.
if a transparent web proxy is in use, you have to create a proxy exception.
(WebProtection/FilteringOptions/Misc/Transparent Mode Skiplist ... but uncheck "Allow HTTP/S traffic for listed hosts/nets")

"still able to reach the cable modem's web interface" = web browser -> cable modem's web interface.

Adding cable modem host (192.168.100.1) to "Skip Transparent Mode Destination Hosts/Nets" did the trick.

Can you please explain why/how a Transparent mode Web Filtering config (layer 7) permits packets to bypass the firewall (layer 3)?

firewall and proxy are functionalities that are next to each other, not one after the other.

compare the packet flow diagram within this post: https://community.sophos.com/products/unified-threat-management/f/general-discussion/22058/flowchart-trafficflow-through-the-utm

Maybe in a high-level diagram the two functionalities are "next to each other" but the packets are not being processed by both the firewall and the Web Filter concurrently.

This is either a very strange architectural design choice or a bug.

Can someone explain to me why a firewall rule blocking all IP traffic to host X wouldn't block HTTP requests to web server on host X? i.e. why is layer 3 not processed before layer 7?

See #2 in Rulz (last updated 2019-04-17).

Cheers - Bob