firewall: Allow access to the entire GREEN/BLUE/ORANGE subnets.
authorMichael Tremer <michael.tremer@ipfire.org>
Sat, 1 Mar 2014 15:04:01 +0000 (16:04 +0100)
committerMichael Tremer <michael.tremer@ipfire.org>
Sat, 1 Mar 2014 15:04:01 +0000 (16:04 +0100)
This includes the firewall itself.

config/firewall/firewall-policy

index bd1e40d..faf177c 100755 (executable)
@@ -52,6 +52,8 @@ case "${CONFIG_TYPE}" in
                ;;
 esac
 
+HAVE_OPENVPN="true"
+
 # INPUT
 case "${FWPOLICY2}" in
        REJECT)
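Review bot: `HAVE_OPENVPN="true"` is a hard-coded literal, so the `case "${HAVE_OPENVPN},${POLICY}"` guard added in the second hunk can never take a non-OpenVPN path and the `tun+` ACCEPT below is applied whether or not OpenVPN is actually configured. If the value is meant to follow the installation's OpenVPN state it should be derived from the relevant settings file (path left to the maintainer) rather than fixed here, with a comment such as `# Set from the OpenVPN configuration; "true" enables the tun+ INPUT exception below`. If it is intentionally always on, the variable and the `true,*)` arm add nothing and the rule could be emitted directly.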
@@ -61,6 +63,16 @@ case "${FWPOLICY2}" in
                iptables -A POLICYIN -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_INPUT"
                ;;
        *) # DROP
+               # OpenVPN
+               # Allow direct access to the internal IP addresses of the firewall
+               # from remote subnets if forward policy is allowed.
+               case "${HAVE_OPENVPN},${POLICY}" in
+                       true,MODE1) ;;
+                       true,*)
+                               iptables -A POLICYIN -i tun+ -j ACCEPT
+                               ;;
+               esac
+
                if [ "${DROPINPUT}" = "on" ]; then
                        iptables -A POLICYIN -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT"
                fi
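Review bot: The comment on the new rule says it allows access to "the internal IP addresses of the firewall", but `iptables -A POLICYIN -i tun+ -j ACCEPT` matches only the ingress interface and carries no `-d` restriction, so it accepts traffic addressed to any local address (including the RED side) arriving on any `tun` device, not just OpenVPN's. Either narrow the rule with a destination match per internal interface address, e.g. `iptables -A POLICYIN -i tun+ -d <INTERNAL_ADDR> -j ACCEPT` repeated for GREEN/BLUE/ORANGE (addresses from the firewall's own settings, placeholder shown), or reword the comment to state that all input from tun+ is accepted. `${POLICY}` is not assigned within the visible hunks; presumably it is the forward policy, which the comment should name explicitly so the `true,MODE1)` exclusion is understandable to the next reader.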