From c31f18b6a901bf02dc9e5e1c8474487a23e4c71e Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Fri, 31 May 2013 13:31:48 +0200
Subject: [PATCH] openvpnctrl: Block all transfer subnets.

---
 src/misc-progs/openvpnctrl.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/misc-progs/openvpnctrl.c b/src/misc-progs/openvpnctrl.c
index 0875cec69..3a4c6db80 100644
--- a/src/misc-progs/openvpnctrl.c
+++ b/src/misc-progs/openvpnctrl.c
@@ -27,6 +27,7 @@ char enableorange[STRING_SIZE] = "off";
 char OVPNRED[STRING_SIZE] = "OVPN";
 char OVPNBLUE[STRING_SIZE] = "OVPN_BLUE_";
 char OVPNORANGE[STRING_SIZE] = "OVPN_ORANGE_";
+char OVPNBLOCK[STRING_SIZE] = "OVPNBLOCK";
 char OVPNNAT[STRING_SIZE] = "OVPNNAT";
 char WRAPPERVERSION[STRING_SIZE] = "ipfire-2.2.3";
@@ -480,6 +481,11 @@ void setFirewallRules(void) {
 OVPNRED, redif, conn->proto, conn->port);
 executeCommand(command);
+ /* Block all communication from the transfer nets. */
+ snprintf(command, STRING_SIZE, "/sbin/iptables -A %s -s %s -j DROP",
+ OVPNBLOCK, conn->transfer_subnet);
+ executeCommand(command);
+
 local_subnet_address = getLocalSubnetAddress(conn);
 transfer_subnet_address = calcTransferNetAddress(conn);
-- 
2.39.2
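Review bot: The new DROP rule built by `snprintf(command, STRING_SIZE, "/sbin/iptables -A %s -s %s -j DROP", OVPNBLOCK, conn->transfer_subnet)` is installed fire-and-forget: the snprintf result is never checked for truncation against STRING_SIZE and the executeCommand() return value is discarded, so if the rule is truncated or fails to load (for instance because the OVPNBLOCK chain does not exist when `-A` runs), the transfer subnet is silently left unblocked, i.e. the control fails open. Nothing in this patch creates or flushes the OVPNBLOCK chain; presumably that happens elsewhere in openvpnctrl, but it is worth confirming the chain exists before setFirewallRules() appends to it, and that a failed insertion is reported rather than ignored. conn->transfer_subnet is also interpolated into the command string unvalidated, the same way the adjacent code already treats conn->proto and conn->port; if executeCommand() passes the string through a shell, the value should be checked to be a plain address/netmask before it is used. At minimum I would guard the format: `int n = snprintf(command, STRING_SIZE, "/sbin/iptables -A %s -s %s -j DROP", OVPNBLOCK, conn->transfer_subnet);` followed by `if (n < 0 || n >= STRING_SIZE) { /* refuse to run a truncated rule */ }`. setFirewallRules() starts and ends outside the hunk.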