Bug #6031

Anti-Lockout Rule Not Effective Against Canned Interface Block Rules

Added by NOYB NOYB over 1 year ago. Updated 10 days ago.

Status: Confirmed
Priority: Very Low
Assignee: -
Category: Rules/NAT
Target version:
Start date: 03/26/2016
Due date:
% Done: 0%
Affected version: All
Affected Architecture:

Description

The anti-lockout rule appears to be too low in the processing order to be effective against inadvertently enabling the canned rules of the interface.

For instance, inadvertent enabling of the block private networks rule on the LAN interface (if it is using a private network address) will override the anti-lockout rule due to their order.

Although the displayed order on firewall rules places anti-lockout at the top, this is not the actual order of processing.
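
A constructed model of the ordering problem described above (an added example, not pfSense code or its generated ruleset). It assumes first-match-wins evaluation; the rule labels, the port 443 management GUI, the client addresses and the RFC 1918 ranges used for the block-private rule are all assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    label: str
    action: str                  # "pass" or "block"
    src: str                     # source network, CIDR notation
    dport: Optional[int] = None  # None matches any destination port

def matches(rule, src_ip, dport):
    in_net = ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.src)
    return in_net and rule.dport in (None, dport)

def first_match(rules, src_ip, dport):
    """Return the first matching rule; later rules are never consulted."""
    for rule in rules:
        if matches(rule, src_ip, dport):
            return rule
    return None

def shadowing_rule(rules, protected_label, src_ip, dport):
    """Return the block rule that pre-empts the protected rule, else None."""
    hit = first_match(rules, src_ip, dport)
    if hit is not None and hit.label != protected_label and hit.action == "block":
        return hit
    return None

# Constructed rules (hypothetical labels, not taken from a real ruleset).
ANTI_LOCKOUT = Rule("anti-lockout", "pass", "0.0.0.0/0", 443)
BLOCK_PRIVATE = [
    Rule("block private 10.0.0.0/8", "block", "10.0.0.0/8"),
    Rule("block private 172.16.0.0/12", "block", "172.16.0.0/12"),
    Rule("block private 192.168.0.0/16", "block", "192.168.0.0/16"),
]
DISPLAYED_ORDER = [ANTI_LOCKOUT] + BLOCK_PRIVATE   # what the rules page shows
PROCESSED_ORDER = BLOCK_PRIVATE + [ANTI_LOCKOUT]   # what the report observed

if __name__ == "__main__":
    for name, order in (("displayed", DISPLAYED_ORDER), ("processed", PROCESSED_ORDER)):
        for client in ("192.168.1.10", "203.0.113.5"):
            culprit = shadowing_rule(order, "anti-lockout", client, 443)
            verdict = f"locked out by '{culprit.label}'" if culprit else "GUI reachable"
            print(f"{name:9} order, client {client}: {verdict}")
```

Run against the processed order, the private-address client is blocked before the anti-lockout rule is reached, while a LAN client with a public address still reaches the GUI.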

History

#1 Updated by Chris Buechler over 1 year ago

  • Category set to Rules/NAT
  • Status changed from New to Confirmed
  • Priority changed from Normal to Very Low
  • Target version changed from 2.3 to 2.3.1
  • Affected version set to All

Yeah the order isn't ideal there. You're probably the only person in the world running block private or bogon on LAN. We'll re-order those post-2.3.

#2 Updated by NOYB NOYB over 1 year ago

LOL I'm not running block private or bogons on LAN. I was just looking at the firewall rules display order vs. the actual rules order and thought you know... if someone inadvertently turns that on, perhaps not realizing they are on the LAN interface page, they will get locked out. So I tried it and sure enough. Locked out.

#3 Updated by Jim Thompson over 1 year ago

  • Assignee set to Chris Buechler

#4 Updated by Chris Buechler over 1 year ago

  • Target version changed from 2.3.1 to 2.3.2

#5 Updated by Chris Buechler about 1 year ago

  • Assignee deleted (Chris Buechler)

#6 Updated by Chris Buechler about 1 year ago

  • Target version changed from 2.3.2 to 2.4.0

#7 Updated by Ronald Antony about 1 year ago

Actually, that would be an easy thing for me to do: my entire LAN has public IPs, so in essence, that should be turned on (might actually be turned on).
Since the IPs are public, that should not be an issue in my case, unless I try to load my rules on another box for speeding up the configuration process, and then change the LAN IP...

#8 Updated by Renato Botelho 10 days ago

  • Target version changed from 2.4.0 to 2.4.1
