Bug #6031

closed

Anti-Lockout Rule Not Effective Against Canned Interface Block Rules

Added by NOYB NOYB about 8 years ago. Updated about 6 years ago.

Status: Closed
Priority: Very Low
Assignee: -
Category: Rules / NAT
Target version: -
Start date: 03/26/2016
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: All
Affected Architecture:

Description

The anti-lockout rule appears to be too low in the processing order to be effective against inadvertently enabling the canned rules of the interface.

For instance, inadvertently enabling the block private networks rule on the LAN interface (if it is using a private network address) will override the anti-lockout rule due to their order.

Although the displayed order of firewall rules places anti-lockout at the top, this is not the actual order of processing.
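The ordering problem described in the report can be checked mechanically. The following is an added example, not part of the original report or the project's code: it walks a ruleset in processing order and lists the quick block rules that would match an admin client before the anti-lockout pass rule is reached. The rule lines are a constructed sample in pf syntax; the interface name `em1`, the networks and the label strings are assumptions.

```python
import ipaddress
import re

# Constructed sample in pf syntax, listed in processing order. The interface
# name, networks and label strings are assumptions, not real firewall output.
SAMPLE_RULES = """\
block in quick on em1 from 10.0.0.0/8 to any label "block private networks"
block in quick on em1 from 172.16.0.0/12 to any label "block private networks"
block in quick on em1 from 192.168.0.0/16 to any label "block private networks"
pass in quick on em1 proto tcp from any to (em1) port { 443 80 22 } label "anti-lockout rule"
"""

RULE_RE = re.compile(
    r'^(?P<action>block|pass)\s+in\s+(?P<quick>quick\s+)?on\s+(?P<iface>\S+)'
    r'.*?\bfrom\s+(?P<src>\S+)\s+to\s+.*?label\s+"(?P<label>[^"]*)"'
)

def covers(src, client):
    """True if a rule's source ('any' or a CIDR) includes the client address."""
    if src == "any":
        return True
    try:
        return client in ipaddress.ip_network(src, strict=False)
    except ValueError:
        return False  # tables/macros such as <bogons> are not resolved here

def shadowing_blocks(ruleset, iface, admin_ip, lockout_label="anti-lockout rule"):
    """Return the quick block rules that match admin_ip on iface and are
    processed before the anti-lockout pass rule (first quick match wins)."""
    client = ipaddress.ip_address(admin_ip)
    hits = []
    for line in ruleset.splitlines():
        m = RULE_RE.match(line.strip())
        if not m or m["iface"] != iface:
            continue
        if m["action"] == "pass" and m["label"] == lockout_label:
            return hits  # later rules cannot pre-empt the anti-lockout rule
        if m["action"] == "block" and m["quick"] and covers(m["src"], client):
            hits.append(line.strip())
    raise ValueError("no anti-lockout rule found for " + iface)

if __name__ == "__main__":
    for rule in shadowing_blocks(SAMPLE_RULES, "em1", "192.168.1.10"):
        print("evaluated before anti-lockout:", rule)
```

An empty result means no quick block rule pre-empts the anti-lockout rule for that client address.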

Actions #1

Updated by Chris Buechler about 8 years ago

  • Category set to Rules / NAT
  • Status changed from New to Confirmed
  • Priority changed from Normal to Very Low
  • Target version changed from 2.3 to 2.3.1
  • Affected Version set to All

Yeah the order isn't ideal there. You're probably the only person in the world running block private or bogon on LAN. We'll re-order those post-2.3.

Actions #2

Updated by NOYB NOYB about 8 years ago

LOL I'm not running block private or bogons on LAN. I was just looking at the firewall rules display order vs. the actual rules order and thought you know... if someone inadvertently turns that on, perhaps not realizing they are on the LAN interface page, they will get locked out. So I tried it and sure enough. Locked out.

Actions #3

Updated by Jim Thompson about 8 years ago

  • Assignee set to Chris Buechler

Actions #4

Updated by Chris Buechler about 8 years ago

  • Target version changed from 2.3.1 to 2.3.2

Actions #5

Updated by Chris Buechler almost 8 years ago

  • Assignee deleted (Chris Buechler)

Actions #6

Updated by Chris Buechler almost 8 years ago

  • Target version changed from 2.3.2 to 2.4.0

Actions #7

Updated by Ronald Antony almost 8 years ago

Actually, that would be an easy thing for me to do: my entire LAN has public IPs, so in essence, that should be turned on (might actually be turned on).
Since the IPs are public, that should not be an issue in my case, unless I try to load my rules on another box for speeding up the configuration process, and then change the LAN IP...

Actions #8

Updated by Renato Botelho over 6 years ago

  • Target version changed from 2.4.0 to 2.4.1

Actions #9

Updated by Jim Pingle over 6 years ago

  • Target version changed from 2.4.1 to 2.4.2

Actions #10

Updated by Jim Pingle over 6 years ago

  • Target version changed from 2.4.2 to 2.4.3

Actions #11

Updated by Anonymous about 6 years ago

  • Status changed from Confirmed to Closed

No one has been able to work on this in two years, and there is a work-around. Closing and recording for future consideration.

Actions #12

Updated by Jim Pingle about 6 years ago

  • Target version deleted (2.4.3)