Does UniFi Override Firewall Rules?

I’m creating an isolated “PublicServer” VLAN for some public web and game servers. I’ve disabled Inter-VLAN routing and that’s all working great.

In an effort to prevent the PublicServer VLAN from accessing the UDM-SE GUI / SSH for configuration, I’m creating LAN Local rules to block PublicServer VLAN to all other VLAN gateways and the WAN IP (which can be used for the GUI when accessed internally). But because the WAN IP is technically dynamic, I don’t want to hard code it in a IP/Subnet profile.

Therefore, what I’m effectively doing is “LAN Local - Drop PublicServer Network to Any”. Then I was planning to allow PublicServer Network to specific services like DNS and DHCP. However, it seems that DHCP is still working even with my “Drop PublicServer Network to Any” rule in place. Almost like I don’t need my “allow DHCP” rule despite “LAN Local - Drop PublicServer Network to Any”.

Curiously, UniFi won’t let me create a Drop PublicServer to rule because of my “port settings”. So maybe UniFi is preventing me from blocking DHCP since my PublicServer Network has the DHCP Server enabled?

Is this a default thing that UniFi does when using a Network as a source? Does it try to protect me from myself? Are there any other default firewall exceptions that UniFi will create when it comes to creating firewall rules like this?

Side note: by doing “LAN Local Drop Any to Any” I was able to see DHCP errors. So in that case, UniFi seems to not be protecting me from myself. Maybe this means UniFi will only “protect me from myself” when using a Network as a source in the firewall rule?

I’m OK with DHCP working in this case, I just want to understand what’s happening. Thanks!