Project

General

Profile

Actions

Bug #12020

closed

OpenVPN RADIUS-based firewall rules use incorrect port ranges

Added by Viktor Gurov over 3 years ago. Updated almost 3 years ago.

Status:
Resolved
Priority:
Normal
Category:
OpenVPN
Target version:
Start date:
06/10/2021
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
22.01
Release Notes:
Default
Affected Version:
2.5.1
Affected Architecture:

Description

Previous operator ( `><` ) prevented inserting port range with min/max port.
Ex.

ip:inacl#1=permit tcp host {clientip} host 1.1.1.1 range 10000 65535

produced the following invalid rule:
pass in quick on ovpns1 inet proto tcp from 192.168.1.2 to 1.1.1.1 port 9999 >< 65536

Actions #2

Updated by Jim Pingle over 3 years ago

  • Subject changed from Cisco-AVPair ACL rule: port range operator is not working correctly to Cisco-AVPair ACL generates incorrect rules for port ranges
  • Status changed from New to Pull Request Review
  • Target version set to 2.6.0
  • Plus Target Version set to 21.09
Actions #3

Updated by Renato Botelho over 3 years ago

  • Status changed from Pull Request Review to Feedback
  • Assignee set to Renato Botelho

PR has been merged. Thanks!

Actions #4

Updated by Jim Pingle about 3 years ago

  • Subject changed from Cisco-AVPair ACL generates incorrect rules for port ranges to OpenVPN RADIUS-based firewall rules use incorrect port ranges

Updating subject for release notes.

Actions #5

Updated by Viktor Gurov about 3 years ago

  • Status changed from Feedback to Resolved

RADIUS ACL:

Cisco-AVPair = "ip:inacl#1=permit tcp host {clientip} host 10.8.8.8 range 100 300",
Cisco-AVPair = "ip:inacl#2=permit udp host {clientip} host 10.8.8.8 range 1000 5000",
Cisco-AVPair = "ip:inacl#3=permit udp host {clientip} host 10.8.8.8 range 10000 65535" 

parsed rules:

pass in quick on ovpns2 inet proto tcp from 10.34.34.2 to 10.8.8.8 port 100:300  
pass in quick on ovpns2 inet proto udp from 10.34.34.2 to 10.8.8.8 port 1000:5000  
pass in quick on ovpns2 inet proto udp from 10.34.34.2 to 10.8.8.8 port 10000:65535

pfSense-2.6.0.a.20210914.0500

Actions #6

Updated by Jim Pingle almost 3 years ago

  • Plus Target Version changed from 21.09 to 22.01
Actions

Also available in: Atom PDF