firewall: Make OpenVPN access also possible when INPUT policy is REJECT.
authorMichael Tremer <michael.tremer@ipfire.org>
Sun, 2 Mar 2014 19:40:00 +0000 (20:40 +0100)
committerMichael Tremer <michael.tremer@ipfire.org>
Sun, 2 Mar 2014 19:40:00 +0000 (20:40 +0100)
config/firewall/firewall-policy

index faf177c..4aab930 100755 (executable)
@@ -55,6 +55,17 @@ esac
 HAVE_OPENVPN="true"
 
 # INPUT
+
+# OpenVPN INPUT
+# Allow direct access to the internal IP addresses of the firewall
+# from remote subnets if forward policy is allowed.
+case "${HAVE_OPENVPN},${POLICY}" in
+       true,MODE1) ;;
+       true,*)
+               iptables -A POLICYIN -i tun+ -j ACCEPT
+               ;;
+esac
+
 case "${FWPOLICY2}" in
        REJECT)
                if [ "${DROPINPUT}" = "on" ]; then
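Review bot: The relocated rule `iptables -A POLICYIN -i tun+ -j ACCEPT` now runs ahead of the `FWPOLICY2` case, so any packet arriving on an interface whose name starts with `tun` reaches the firewall's own addresses under both REJECT and DROP policies, with no source-address, protocol or port restriction; the comment above it still speaks of "remote subnets", which the rule does not check. I would reword it to match the actual match: `# Accept all traffic that arrives on a tun+ interface (OpenVPN) and is addressed to the firewall itself, regardless of FWPOLICY2, unless the forward policy is MODE1.` Because the match is purely by interface name, any other tunnel driver on the box that also creates `tun*` devices would get the same unrestricted INPUT access — worth confirming that only OpenVPN does so here, or matching the specific interface names OpenVPN is configured with if that is known. The `case "${FWPOLICY2}"` block that starts at the end of this hunk continues beyond it.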
@@ -63,16 +74,6 @@ case "${FWPOLICY2}" in
                iptables -A POLICYIN -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_INPUT"
                ;;
        *) # DROP
-               # OpenVPN
-               # Allow direct access to the internal IP addresses of the firewall
-               # from remote subnets if forward policy is allowed.
-               case "${HAVE_OPENVPN},${POLICY}" in
-                       true,MODE1) ;;
-                       true,*)
-                               iptables -A POLICYIN -i tun+ -j ACCEPT
-                               ;;
-               esac
-
                if [ "${DROPINPUT}" = "on" ]; then
                        iptables -A POLICYIN -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT"
                fi