Bug #324
closed
OpenVPN upgrade code should put an allow all rule for migrations from 1.2.x
Added by Jim Pingle almost 15 years ago.
Updated over 14 years ago.
Description
Since OpenVPN does not filter on 1.2.x, upgrades from 1.2.x -> 2.0 should place an "Allow All" style rule on the OpenVPN interface rules, to avoid a POLA violation.
This way, the non-filtered behavior is retained for those upgrading from 1.2.3, but new installs of 2.0 can be filtered by default.
Less clear is how we should handle upgrades where a tun was assigned as an opt for filtering. (Or is that already handled?)
- Priority changed from Normal to Very Low
I do not much agree with this.
Since we do not do this for IPsec and 2.0 is going to be a new release and on the release notes this can be mentioned.
The difference is that IPsec had rules in 1.2.x, so people expect it to work that way already.
If someone does a remote upgrade via their OpenVPN connection, they could end up locked out because OpenVPN now requires rules where it did not do so previously, and there is no way to prevent that scenario.
I do agree that it should not have rules on a fresh install, but upgrades are a different matter.
Yeah, this needs to be done. For 1.2.x upgraded configs auto-adding an allow all rule for OpenVPN is the sensible course of action, as we always want to retain the previous behavior. Nothing should work differently after upgrade than it did before the upgrade.
- Status changed from New to Feedback
- Status changed from Feedback to Resolved
Also available in: Atom
PDF
Updated by Ermal Luçi 
Updated by 
Updated by