firewall: Make OpenVPN access also possible when INPUT policy is REJECT.

Michael Tremer
2014-03-02 20:40:00 +01:00
parent 6e87f0aa53
commit 0e53d8a991


@@ -55,6 +55,17 @@ esac
HAVE_OPENVPN="true"
# INPUT
# OpenVPN INPUT
# Allow direct access to the internal IP addresses of the firewall
# from remote subnets if forward policy is allowed.
case "${HAVE_OPENVPN},${POLICY}" in
true,MODE1) ;;
true,*)
iptables -A POLICYIN -i tun+ -j ACCEPT
;;
esac
case "${FWPOLICY2}" in
REJECT)
if [ "${DROPINPUT}" = "on" ]; then
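Review bot: The ACCEPT added under the `true,*)` arm is now appended to POLICYIN before the `case "${FWPOLICY2}"` handling, so it is gated only on the forward policy `POLICY` and takes effect for every value of FWPOLICY2, and `-i tun+` is an interface wildcard that matches any tun device, not only the one OpenVPN brings up; neither fact is stated in the comment above it. I would extend the two-line comment with `# Gated on the forward policy only (MODE1 presumably means forwarding is blocked), not on FWPOLICY2; tun+ matches every tun interface, not just OpenVPN's.` so the reach of the rule is visible to the next reader. The consecutive heading comments `# INPUT` and `# OpenVPN INPUT` look redundant; one of them would do. The second hunk only removes the same block from the `*) # DROP` branch, so nothing further applies there.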
@@ -63,16 +74,6 @@ case "${FWPOLICY2}" in
iptables -A POLICYIN -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_INPUT"
;;
*) # DROP
# OpenVPN
# Allow direct access to the internal IP addresses of the firewall
# from remote subnets if forward policy is allowed.
case "${HAVE_OPENVPN},${POLICY}" in
true,MODE1) ;;
true,*)
iptables -A POLICYIN -i tun+ -j ACCEPT
;;
esac
if [ "${DROPINPUT}" = "on" ]; then
iptables -A POLICYIN -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT"
fi