Bug #6031

Anti-Lockout Rule Not Effective Against Canned Interface Block Rules

Added by NOYB NOYB about 1 year ago. Updated 9 months ago.

Status: Confirmed
Priority: Very Low
Assignee: -
Category: Rules/NAT
Target version:
Start date: 03/26/2016
Due date:
% Done: 0%
Affected version: All
Affected Architecture:

Description

The anti-lockout rule appears to be too low in the processing order to be effective against inadvertently enabling the canned rules of the interface.

For instance, inadvertent enabling of the block private networks rule on the LAN interface (if it is using a private network address) will override the anti-lockout rule due to their order.

Although the displayed order on firewall rules places anti-lockout at the top, this is not the actual order of processing.
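
The ordering problem described above, modeled as an added example (not part of the original ticket and not pfSense's own code). It assumes first-match rule evaluation, a web GUI on TCP 443, and only the RFC 1918 ranges for the block private networks rule; all rule names, helper functions and addresses are constructed for illustration.

```python
import ipaddress

# Assumption: RFC 1918 ranges only; the rule's full source list is not on the page.
PRIVATE = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")

def rule(label, action, sources, dport=None):
    """Simplified rule: source networks plus optional destination port."""
    nets = [ipaddress.ip_network(s) for s in sources]
    return {"label": label, "action": action, "nets": nets, "dport": dport}

BLOCK_PRIVATE = rule("block private networks", "block", PRIVATE)
# Assumption: anti-lockout passes any source to the GUI port (443 here).
ANTI_LOCKOUT = rule("anti-lockout", "pass", ("0.0.0.0/0",), dport=443)

def decide(rules, src, dport):
    """Return (action, label) of the first rule matching the packet."""
    addr = ipaddress.ip_address(src)
    for r in rules:
        if r["dport"] not in (None, dport):
            continue
        if any(addr in n for n in r["nets"]):
            return r["action"], r["label"]
    return "block", "default deny"

def lockout_risks(rules, lan_net, mgmt_port=443):
    """Labels of block rules ahead of anti-lockout that cover LAN hosts."""
    lan = ipaddress.ip_network(lan_net)
    risks = []
    for r in rules:
        if r["label"] == "anti-lockout":
            break
        if (r["action"] == "block" and r["dport"] in (None, mgmt_port)
                and any(lan.overlaps(n) for n in r["nets"])):
            risks.append(r["label"])
    return risks

DISPLAYED = [ANTI_LOCKOUT, BLOCK_PRIVATE]   # order shown on the rules page
PROCESSED = [BLOCK_PRIVATE, ANTI_LOCKOUT]   # processing order the report describes

if __name__ == "__main__":
    for name, order in (("displayed", DISPLAYED), ("processed", PROCESSED)):
        print(name, decide(order, "192.168.1.10", 443),
              lockout_risks(order, "192.168.1.0/24"))
```

Running `lockout_risks` over an exported rule order before applying it flags any block rule that would decide management traffic ahead of the anti-lockout rule.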

History

#1 Updated by Chris Buechler about 1 year ago

  • Category set to Rules/NAT
  • Status changed from New to Confirmed
  • Priority changed from Normal to Very Low
  • Target version changed from 2.3 to 2.3.1
  • Affected version set to All

Yeah the order isn't ideal there. You're probably the only person in the world running block private or bogon on LAN. We'll re-order those post-2.3.

#2 Updated by NOYB NOYB about 1 year ago

LOL I'm not running block private or bogons on LAN. I was just looking at the firewall rules display order vs. the actual rules order and thought you know... if someone inadvertently turns that on, perhaps not realizing they are on the LAN interface page, they will get locked out. So I tried it and sure enough. Locked out.

#3 Updated by Jim Thompson about 1 year ago

  • Assignee set to Chris Buechler

#4 Updated by Chris Buechler about 1 year ago

  • Target version changed from 2.3.1 to 2.3.2

#5 Updated by Chris Buechler 10 months ago

  • Assignee deleted (Chris Buechler)

#6 Updated by Chris Buechler 10 months ago

  • Target version changed from 2.3.2 to 2.4.0

#7 Updated by Ronald Antony 9 months ago

Actually, that would be an easy thing for me to do: my entire LAN has public IPs, so in essence, that should be turned on (might actually be turned on).
Since the IPs are public, that should not be an issue in my case, unless I try to load my rules on another box for speeding up the configuration process, and then change the LAN IP...