Bug 12876

Summary: firewall.cgi Incoming Firewall Access DROP TO ANY LOCAL does not include OpenVPN service
Product: IPFire
Reporter: Horace Michael (aka H&M) <horace.michael>
Component: firewall
Assignee: Michael Tremer <michael.tremer>
Status: NEW ---
QA Contact:
Severity: - Unknown -
Priority: - Unknown -
Version: 2
Hardware: unspecified
OS: Unspecified

Description Horace Michael (aka H&M) 2022-06-12 16:15:18 UTC
Hello,

firewall.cgi "Incoming Firewall Access", rule DROP FROM a.b.c.d TO "ANY" LOCAL does not protect the OpenVPN service (despite the rule saying **any** LOCAL).

From what I see in iptables.cgi, upper section, INPUT chain, OVPNINPUT is above INPUTFW, INPUTFW being the chain where rules created by firewall.cgi Incoming Firewall Access land.

I believe that the order of chains should be INPUTFW and then OVPNINPUT to also protect the OpenVPN service, since the OpenVPN service is an internal process that gets packets via the INPUT chain.

Thank you,
H&M
Comment 1 Horace Michael (aka H&M) 2022-06-22 05:56:19 UTC
Hello,
The OVPNBLOCK chain does not block traffic to the OpenVPN service.
I have duplicated all rules from INPUTFW in the OVPNBLOCK chain and still have OpenVPN logs from the blocked IPs.

I have moved the blocking rules into OVPNINPUT, using -I to put them at the beginning of the chain...

I am waiting to see if this blocks the attempts in the end.
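The ordering problem described in the report and the follow-up comment (the INPUT chain jumping to OVPNINPUT before it reaches INPUTFW, so firewall.cgi rules never see OpenVPN packets) can be checked from the ruleset itself. The script below is an added example, not code from the bug report or from IPFire: it parses `iptables -S INPUT` style output and reports whether OVPNINPUT is reached before INPUTFW. The ruleset embedded in it is a constructed sample with only the chains named on this page plus generic loopback and conntrack rules; the real IPFire INPUT chain contains more jumps.

```shell
#!/bin/sh
# Added example (not from the bug report or IPFire): detect whether the
# INPUT chain jumps to OVPNINPUT before INPUTFW.

# Constructed sample of `iptables -S INPUT` output (assumption: real
# IPFire rulesets have more rules; only the two chains from the bug matter).
SAMPLE_INPUT_RULES='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -j OVPNINPUT
-A INPUT -j INPUTFW'

# rule_position RULESET CHAIN
# Prints the 1-based position of the first "-A INPUT ... -j CHAIN" rule,
# or 0 when the INPUT chain never jumps to CHAIN.
rule_position() {
    printf '%s\n' "$1" | grep '^-A INPUT ' | awk -v chain="$2" '
        { n++ }
        $(NF-1) == "-j" && $NF == chain { print n; found = 1; exit }
        END { if (!found) print 0 }
    '
}

# ovpn_shadowed RULESET
# Prints "yes" when OVPNINPUT is evaluated before INPUTFW (or INPUTFW is
# missing), i.e. when Incoming Firewall Access rules cannot affect OpenVPN
# traffic; prints "no" when INPUTFW comes first or OVPNINPUT is absent.
ovpn_shadowed() {
    ovpn=$(rule_position "$1" OVPNINPUT)
    fw=$(rule_position "$1" INPUTFW)
    if [ "$ovpn" -gt 0 ] && { [ "$fw" -eq 0 ] || [ "$ovpn" -lt "$fw" ]; }; then
        echo yes
    else
        echo no
    fi
}

# Stand-alone run against the constructed sample. On a live firewall the
# same check would be run as root with: ovpn_shadowed "$(iptables -S INPUT)"
printf 'OVPNINPUT at %s, INPUTFW at %s, OpenVPN shadowed: %s\n' \
    "$(rule_position "$SAMPLE_INPUT_RULES" OVPNINPUT)" \
    "$(rule_position "$SAMPLE_INPUT_RULES" INPUTFW)" \
    "$(ovpn_shadowed "$SAMPLE_INPUT_RULES")"
```

The check only looks at direct jumps from INPUT, which is what the report is about; after a fix that swaps the two jumps, `ovpn_shadowed` prints "no" for the same ruleset with the lines exchanged.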