Anti-Lockoug Rule Not Effective Against Canned Interface Block Rules
The anti-lockout rule appears to be to low in the processing order to be effective against inadvertently enabling the canned rules of the interface.
For instance. Inadvertent enabling of the block private networks rule on the LAN interface (if it in using a private network address) will override the anti-lockout rule due to their order.
Although the displayed order on firewall rules in places anti-lockout at the top this is not the actual order of processing.
#1 Updated by Chris Buechler over 4 years ago
- Category set to Rules / NAT
- Status changed from New to Confirmed
- Priority changed from Normal to Very Low
- Target version changed from 2.3 to 2.3.1
- Affected Version set to All
Yeah the order isn't ideal there. You're probably the only person in the world running block private or bogon on LAN. We'll re-order those post-2.3.
#2 Updated by NOYB NOYB over 4 years ago
LOL I'm not running block private or bogons on LAN. I was just looking at the firewall rules display order vs. the actual rules order and thought you know... if someone inadvertently turns that on, perhaps not realizing they are on the LAN interface page, they will get locked out. So I tried it and sure enough. Locked out.
#7 Updated by Ronald Antony over 4 years ago
Actually, that would be an easy thing for me to do: my entire LAN has public IPs, so in essence, that should be turned on (might actually be turned on.
Since the IPs are public, that should not be an issue in my case, unless I try to load my rules on another box for speeding up the configuration process, and then change the LAN IP...