From: Michael Tremer
Date: Sun, 2 Mar 2014 19:40:00 +0000 (+0100)
Subject: firewall: Make OpenVPN access also possible when INPUT policy is REJECT.
X-Git-Url: http://git.ipfire.org/?p=people%2Fteissler%2Fipfire-2.x.git;a=commitdiff_plain;h=0e53d8a991af6cfb1b2982c20a663a5aa0fedc84
firewall: Make OpenVPN access also possible when INPUT policy is REJECT.
---
diff --git a/config/firewall/firewall-policy b/config/firewall/firewall-policy
index faf177cce..4aab930f5 100755
--- a/config/firewall/firewall-policy
+++ b/config/firewall/firewall-policy
@@ -55,6 +55,17 @@ esac
 HAVE_OPENVPN="true"
 # INPUT
+
+# OpenVPN INPUT
+# Allow direct access to the internal IP addresses of the firewall
+# from remote subnets if forward policy is allowed.
+case "${HAVE_OPENVPN},${POLICY}" in
+true,MODE1) ;;
+true,*)
+iptables -A POLICYIN -i tun+ -j ACCEPT
+;;
+esac
+
 case "${FWPOLICY2}" in
 REJECT)
 if [ "${DROPINPUT}" = "on" ]; then
@@ -63,16 +74,6 @@ case "${FWPOLICY2}" in
 iptables -A POLICYIN -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_INPUT"
 ;;
 *) # DROP
-# OpenVPN
-# Allow direct access to the internal IP addresses of the firewall
-# from remote subnets if forward policy is allowed.
-case "${HAVE_OPENVPN},${POLICY}" in
-true,MODE1) ;;
-true,*)
-iptables -A POLICYIN -i tun+ -j ACCEPT
-;;
-esac
-
 if [ "${DROPINPUT}" = "on" ]; then
 iptables -A POLICYIN -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT"
 fi
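Review bot: An unset or empty POLICY matches the `true,*` arm of the new case and installs `iptables -A POLICYIN -i tun+ -j ACCEPT`, so the guard fails open when the forward policy could not be read; if that variable is expected to be populated, listing the empty value alongside the skipped mode, `true,MODE1|true,) ;;`, keeps the failure mode closed. The comment above the case says "if forward policy is allowed" but the check is only that `${POLICY}` is not MODE1, so spelling that out would help: `# Skip only when the forward policy is MODE1; every other value of ${POLICY} installs the accept rule.` Note also that `-i tun+` matches every tun interface, not only the ones OpenVPN creates, which is worth a word in the same comment. The context line `HAVE_OPENVPN="true"` directly above suggests the HAVE_OPENVPN half of the case key is always true at this point, though indentation is lost in this rendering so that assignment may be conditional.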