From 2513ae737d195c220aa82f08945c67ba6fdb6c1e Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Sat, 1 Mar 2014 16:04:01 +0100
Subject: [PATCH] firewall: Allow access to the entire GREEN/BLUE/ORANGE subnets.

This includes the firewall itself as well.

---
 config/firewall/firewall-policy | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/config/firewall/firewall-policy b/config/firewall/firewall-policy
index bd1e40d35..faf177cce 100755
--- a/config/firewall/firewall-policy
+++ b/config/firewall/firewall-policy
@@ -52,6 +52,8 @@ case "${CONFIG_TYPE}" in
 ;;
 esac
 
+HAVE_OPENVPN="true"
+
 # INPUT
 case "${FWPOLICY2}" in
 REJECT)
@@ -61,6 +63,16 @@ case "${FWPOLICY2}" in
 iptables -A POLICYIN -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_INPUT"
 ;;
 *) # DROP
+ # OpenVPN
+ # Allow direct access to the internal IP addresses of the firewall
+ # from remote subnets if forward policy is allowed.
+ case "${HAVE_OPENVPN},${POLICY}" in
+ true,MODE1) ;;
+ true,*)
+ iptables -A POLICYIN -i tun+ -j ACCEPT
+ ;;
+ esac
+
 if [ "${DROPINPUT}" = "on" ]; then
 iptables -A POLICYIN -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT"
 fi
-- 
2.39.2
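Review bot: `HAVE_OPENVPN="true"` is a literal, so the `${HAVE_OPENVPN},${POLICY}` guard it feeds further down is vacuous and the `tun+` ACCEPT rule is installed whether or not OpenVPN is actually configured or running on this host. It should be derived from the OpenVPN configuration at script start rather than set unconditionally; the file's configuration sourcing is outside this hunk, so I cannot name the right variable, but at minimum the intent should be made explicit with `# TODO: derive HAVE_OPENVPN from the OpenVPN config instead of hard-coding it` above the assignment. The enclosing `case "${CONFIG_TYPE}"` closes at the `esac` shown, and the `case "${FWPOLICY2}"` that follows continues past the hunk.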
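Review bot: The new `iptables -A POLICYIN -i tun+ -j ACCEPT` is broader than the comment above it claims: it has no `-d` match, so it admits traffic to every local address rather than only the firewall's internal ones, and no protocol or port match, so every service listening on the firewall becomes reachable from any `tun` interface, whether or not that interface belongs to OpenVPN. At minimum the comment should say so, e.g. `# NOTE: accepts all protocols and ports on any tun* interface, not just OpenVPN`, and if internal-only access is really the intent the rule needs a destination match for the GREEN/BLUE/ORANGE addresses named in the commit subject. The rule is also added only in the `*) # DROP` branch, while the `REJECT)` branch just above gets none; if that asymmetry is intended, a comment should say why. Both `case` statements here begin or end outside the hunk.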