OpenVPN upgrade code should put an allow all rule for migrations from 1.2.x
Since OpenVPN does not filter on 1.2.x, upgrades from 1.2.x -> 2.0 should place an "Allow All" style rule on the OpenVPN interface rules, to avoid a POLA violation.
This way, the non-filtered behavior is retained for those upgrading from 1.2.3, but new installs of 2.0 can be filtered by default.
Less clear is how we should handle upgrades where a tun was assigned as an opt for filtering. (Or is that already handled?)
#2 Updated by Jim Pingle over 9 years ago
The difference is that IPsec had rules in 1.2.x, so people expect it to work that way already.
If someone does a remote upgrade via their OpenVPN connection, they could end up locked out because OpenVPN now requires rules where it did not do so previously, and there is no way to prevent that scenario.
I do agree that it should not have rules on a fresh install, but upgrades are a different matter.
#3 Updated by Chris Buechler over 9 years ago
Yeah, this needs to be done. For 1.2.x upgraded configs auto-adding an allow all rule for OpenVPN is the sensible course of action, as we always want to retain the previous behavior. Nothing should work differently after upgrade than it did before the upgrade.