From 0e53d8a991af6cfb1b2982c20a663a5aa0fedc84 Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Sun, 2 Mar 2014 20:40:00 +0100
Subject: [PATCH] firewall: Make OpenVPN access also possible when INPUT policy is REJECT.

---
 config/firewall/firewall-policy | 21 +++++++++++----------
 1 file changed, 11 insertions(+), 10 deletions(-)

diff --git a/config/firewall/firewall-policy b/config/firewall/firewall-policy
index faf177cce..4aab930f5 100755
--- a/config/firewall/firewall-policy
+++ b/config/firewall/firewall-policy
@@ -55,6 +55,17 @@ esac
 HAVE_OPENVPN="true"
 
 # INPUT
+
+# OpenVPN INPUT
+# Allow direct access to the internal IP addresses of the firewall
+# from remote subnets if forward policy is allowed.
+case "${HAVE_OPENVPN},${POLICY}" in
+ true,MODE1) ;;
+ true,*)
+ iptables -A POLICYIN -i tun+ -j ACCEPT
+ ;;
+esac
+
 case "${FWPOLICY2}" in
 REJECT)
 if [ "${DROPINPUT}" = "on" ]; then
@@ -63,16 +74,6 @@ case "${FWPOLICY2}" in
 iptables -A POLICYIN -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_INPUT"
 ;;
 *) # DROP
- # OpenVPN
- # Allow direct access to the internal IP addresses of the firewall
- # from remote subnets if forward policy is allowed.
- case "${HAVE_OPENVPN},${POLICY}" in
- true,MODE1) ;;
- true,*)
- iptables -A POLICYIN -i tun+ -j ACCEPT
- ;;
- esac
-
 if [ "${DROPINPUT}" = "on" ]; then
 iptables -A POLICYIN -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT"
 fi
-- 
2.39.2
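Review bot: The relocated `iptables -A POLICYIN -i tun+ -j ACCEPT` admits every protocol and port from any `tun+` interface to the firewall itself, and because it now sits ahead of the `case "${FWPOLICY2}"` it bypasses the REJECT input policy as well as DROP — the commit's intent, but it means a single wildcard interface rule is the only thing gating local services from VPN peers. The match is on the interface name pattern alone, with no `-s` source restriction tying it to the OpenVPN client subnet, so anything else that creates a `tunN` device on the box (if any such daemon is present, which is not visible here) would receive the same unrestricted INPUT access; if the policy script has the OpenVPN subnet available, adding a `-s` match for it on that line would keep the bypass scoped to the VPN. The comment above the rule says access is granted "if forward policy is allowed", but the arm is actually keyed on `${POLICY}` being anything other than `MODE1`; a comment such as `# Skipped only when the forward policy is MODE1; any other value opens INPUT to all tun+ traffic` would make the gate explicit. From the visible context `HAVE_OPENVPN="true"` is assigned unconditionally just above this block, so the `true,*)` arm appears to be the effective default — worth confirming that nothing outside the hunk is expected to clear it.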