firewall: Make OpenVPN access also possible when INPUT policy is REJECT.

diff --git a/config/firewall/firewall-policy b/config/firewall/firewall-policy
index faf177ccef4631cf934637834a47ce1ce110e720..4aab930f59507f360165219ec693c82f62ccbb53 100755 (executable)
--- a/config/firewall/firewall-policy
+++ b/config/firewall/firewall-policy
@@ -55,6 +55,17 @@ esac
 HAVE_OPENVPN="true"
 
 # INPUT
+
+# OpenVPN INPUT
+# Allow direct access to the internal IP addresses of the firewall
+# from remote subnets if forward policy is allowed.
+case "${HAVE_OPENVPN},${POLICY}" in
+       true,MODE1) ;;
+       true,*)
+               iptables -A POLICYIN -i tun+ -j ACCEPT
+               ;;
+esac
+
 case "${FWPOLICY2}" in
        REJECT)
                if [ "${DROPINPUT}" = "on" ]; then
@@ -63,16 +74,6 @@ case "${FWPOLICY2}" in
                iptables -A POLICYIN -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_INPUT"
                ;;
        *) # DROP
-               # OpenVPN
-               # Allow direct access to the internal IP addresses of the firewall
-               # from remote subnets if forward policy is allowed.
-               case "${HAVE_OPENVPN},${POLICY}" in
-                       true,MODE1) ;;
-                       true,*)
-                               iptables -A POLICYIN -i tun+ -j ACCEPT
-                               ;;
-               esac
-
                if [ "${DROPINPUT}" = "on" ]; then
                        iptables -A POLICYIN -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT"
                fi