Bug 12876 - firewall.cgi Incoming Firewall Access DROP TO ANY LOCAL does not include OpenVPN service
Status: NEW
Alias: None
Product: IPFire
Classification: Unclassified
Component: firewall
Version: 2
Hardware: unspecified
Assignee: Michael Tremer
QA Contact:
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2022-06-12 16:15 UTC by Horace Michael (aka H&M)
Modified: 2022-06-22 05:56 UTC

Description Horace Michael (aka H&M) 2022-06-12 16:15:18 UTC
Hello,

firewall.cgi "Incoming Firewall Access", rule DROP FROM a.b.c.d TO "ANY" LOCAL does not protect the OpenVPN service (despite the rule saying **any** LOCAL).

From what I see in iptables.cgi, upper section, INPUT chain, the OVPNINPUT is above INPUTFW, INPUTFW being the chain where rules created by firewall.cgi Incoming Firewall Access land.

I believe that the order of chains should be INPUTFW and then OVPNINPUT to also protect the OpenVPN service, since the OpenVPN service is an internal process that gets packets via the INPUT chain.

Thank you,
H&M
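As an added illustration (not part of the bug report and not IPFire's own code), a small POSIX shell check over an `iptables -S INPUT` listing that reports whether the jump to INPUTFW is evaluated before the jump to OVPNINPUT. The chain names come from the report; the two sample rulesets below are constructed, not captured from a real IPFire system.

```shell
#!/bin/sh
# Constructed sample resembling `iptables -S INPUT` output with the order
# described in the report: OVPNINPUT is reached before INPUTFW.
SAMPLE_INPUT_CHAIN='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -j OVPNINPUT
-A INPUT -j INPUTFW
-A INPUT -j POLICYIN'

# Constructed sample with the order the reporter proposes.
SAMPLE_FIXED_CHAIN='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUTFW
-A INPUT -j OVPNINPUT
-A INPUT -j POLICYIN'

# Print the line number of the first rule in ruleset $1 that jumps to chain $2
# (empty output if no such jump exists).
jump_index() {
    printf '%s\n' "$1" | grep -n -- "-j $2\$" | head -n1 | cut -d: -f1
}

# Succeed (exit 0) when INPUTFW is evaluated before OVPNINPUT in ruleset $1,
# i.e. when "Incoming Firewall Access" drops also cover packets to OpenVPN.
inputfw_before_ovpninput() {
    fw=$(jump_index "$1" INPUTFW)
    ovpn=$(jump_index "$1" OVPNINPUT)
    [ -n "$fw" ] && [ -n "$ovpn" ] && [ "$fw" -lt "$ovpn" ]
}

for ruleset in "$SAMPLE_INPUT_CHAIN" "$SAMPLE_FIXED_CHAIN"; do
    if inputfw_before_ovpninput "$ruleset"; then
        echo "OK: INPUTFW rules are applied before OVPNINPUT"
    else
        echo "WARN: OVPNINPUT is evaluated before INPUTFW; DROP rules from firewall.cgi do not reach OpenVPN traffic"
    fi
done
```

On a live system the same functions can be fed the real listing with `inputfw_before_ovpninput "$(iptables -S INPUT)"`.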
Comment 1 Horace Michael (aka H&M) 2022-06-22 05:56:19 UTC
Hello,
The OVPNBLOCK chain does not block traffic to the OpenVPN service.
I have duplicated all rules from INPUTFW in the OVPNBLOCK chain and still have OpenVPN logs from blocked IPs.

I have moved the blocking rules into OVPNINPUT, using -I to have them at the beginning of the chain...

I am waiting to see if this blocks the attempts in the end.