Bug #324
closed
OpenVPN upgrade code should put an allow all rule for migrations from 1.2.x
0%
Description
Since OpenVPN does not filter on 1.2.x, upgrades from 1.2.x -> 2.0 should place an "Allow All" style rule on the OpenVPN interface rules, to avoid a POLA violation.
This way, the non-filtered behavior is retained for those upgrading from 1.2.3, but new installs of 2.0 can be filtered by default.
Less clear is how we should handle upgrades where a tun was assigned as an opt for filtering. (Or is that already handled?)
Updated by Ermal Luçi about 14 years ago
- Priority changed from Normal to Very Low
I do not much agree with this.
Since we do not do this for IPsec and 2.0 is going to be a new release and on the release notes this can be mentioned.
Updated by Jim Pingle about 14 years ago
The difference is that IPsec had rules in 1.2.x, so people expect it to work that way already.
If someone does a remote upgrade via their OpenVPN connection, they could end up locked out because OpenVPN now requires rules where it did not do so previously, and there is no way to prevent that scenario.
I do agree that it should not have rules on a fresh install, but upgrades are a different matter.
Updated by Chris Buechler about 14 years ago
Yeah, this needs to be done. For 1.2.x upgraded configs auto-adding an allow all rule for OpenVPN is the sensible course of action, as we always want to retain the previous behavior. Nothing should work differently after upgrade than it did before the upgrade.
Updated by Chris Buechler about 14 years ago
- Status changed from Feedback to Resolved
confirmed fixed