From d6868ae94c63d0f708985e6bb6604a4bd40cf1a8 Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Fri, 6 Sep 2024 18:20:46 +0200
Subject: [PATCH] firewall: Allow WG traffic when the firewall is in permissive mode
Signed-off-by: Michael Tremer
---
 config/firewall/firewall-policy | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/config/firewall/firewall-policy b/config/firewall/firewall-policy
index 21165e9338..872a921401 100755
--- a/config/firewall/firewall-policy
+++ b/config/firewall/firewall-policy
@@ -54,6 +54,7 @@ esac
 HAVE_IPSEC="true"
 HAVE_OPENVPN="true"
+HAVE_WG="true"
 # INPUT
@@ -97,6 +98,14 @@ case "${HAVE_OPENVPN},${POLICY}" in
 ;;
 esac
+# WireGuard INPUT
+case "${HAVE_WG},${POLICY}" in
+ true,MODE1) ;;
+ true,*)
+ iptables -A POLICYIN -i wg+ -j ACCEPT
+ ;;
+esac
+
 case "${FWPOLICY2}" in
 REJECT)
 if [ "${DROPINPUT}" = "on" ]; then
@@ -149,6 +158,9 @@ case "${POLICY}" in
 # Grant access for OpenVPN connections
 iptables -A POLICYFWD -i tun+ -j ACCEPT
+ # Grant access for WireGuard
+ iptables -A POLICYFWD -i wg+ -j ACCEPT
+
 if [ -n "${IFACE}" ]; then
 if [ "${HAVE_BLUE}" = "true" ] && [ -n "${BLUE_DEV}" ]; then
 iptables -A POLICYFWD -i "${BLUE_DEV}" -s "${BLUE_NETADDRESS}/${BLUE_NETMASK}" -o "${IFACE}" -j ACCEPT
-- 
2.39.5
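Review bot: In the WireGuard INPUT hunk, `iptables -A POLICYIN -i wg+ -j ACCEPT` matches on the interface-name prefix alone, so any interface named `wg*` gets unrestricted access to the firewall host itself whenever POLICY is not MODE1. Because the first hunk hard-codes `HAVE_WG="true"`, the rule is installed whether or not a WireGuard tunnel is configured. This mirrors the OpenVPN block above it and is presumably intended, but the comment should state the trust decision, e.g. `# WireGuard INPUT: outside MODE1 all traffic arriving on wg+ is accepted; peers are treated as trusted`. If `HAVE_WG` is meant to be derived from configuration later, a `# TODO` beside the assignment would make that visible.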
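Review bot: In the last hunk, `iptables -A POLICYFWD -i wg+ -j ACCEPT` is not gated on `HAVE_WG`, unlike the INPUT rule added in the previous hunk, and it carries no `-o` or `-s` restriction, so traffic from any `wg*` interface is accepted for forwarding to every destination this chain covers. It follows the OpenVPN line directly above, which is equally unguarded, so the behaviour is presumably deliberate; the comment could state the scope, e.g. `# Grant access for WireGuard (forwarded to all zones, same as OpenVPN above)`. If the flag is meant to control both chains, wrap the rule in `if [ "${HAVE_WG}" = "true" ]; then ... fi`. The enclosing `case "${POLICY}"` arm starts and ends outside the hunk, so which policy mode this applies to cannot be confirmed from here.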