|View Issue Details|
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0004186||Endian Firewall||Firewall (iptables)||public||2011-10-13 14:40||2015-07-29 09:17|
|Target Version||Fixed in Version|
|Summary||0004186: VPN firewall "username" rules not applied when changing IP|
|Description||If we have a user (connected as a VPN client) on our OpenVPN called, e.g., "bob" and make a rule with restrictions based on the username, then if bob's IP changes, the rules (firewall restrictions) are no longer applied to him.|
Somehow, OpenVPN should notice this change and re-update the iptables rules in order to block the new IP...
The best way to do this, in my opinion, and to make a permanent fix for this, is to restrict the MAC address with ebtables instead of restricting the IP.
|Additional Information||This can be reproduced by changing the client IP manually.|
The problem is that, at least on my PC, every time I disconnect and reconnect the VPN, my tap interface has a different MAC address, so we cannot use the MAC address as a solution. :(
Thanks a lot
Yep, it was a quick thought; I forgot about the tap interface in the middle of the whole thing.
The tap interface in OpenVPN has a random MAC address by default.
This behaviour can be changed if needed and the MAC address can be statically defined.
What do you mean by bob's IP changes? If he manually changes the IP address assigned by the OpenVPN server?
Then yes, this will happen.
Otherwise, the firewall scripts will resolve the assigned IP addresses for each OpenVPN username whenever the scripts are started.
If you start the firewall scripts manually, does this solve the problem?
Could it be that the firewalls somehow are not triggered anymore when a user connects to the OpenVPN server?
I think iptables rules are changed automatically when a client connects/disconnects.
Can you change the IP provided by OpenVPN?
|By bob is meant the VPN user connected to our VPN; if he changes his IP manually, then he can browse without restrictions in the VPN network.|
|2011-10-13 14:40||ardit-endian||New Issue|
|2011-10-13 14:40||ardit-endian||Tag Attached: purple|
|2011-10-13 14:42||ardit-endian||Description Updated|
|2011-10-13 15:58||ardit-endian||Summary||VPN firewall "username" rules not applied when changin IP => VPN firewall "username" rules not applied when changing IP|
|2011-10-14 13:01||lorenzo-endian||Note Added: 0007496|
|2011-10-14 15:20||ardit-endian||Note Added: 0007497|
|2011-11-17 14:37||luca-endian||Note Added: 0007540|
|2011-11-17 14:51||peter-endian||Note Added: 0007541|
|2011-11-17 15:08||luca-endian||Note Added: 0007545|
|2011-11-17 15:12||ardit-endian||Note Added: 0007546|
|2015-07-29 09:17||Anonymous||Note Added: 0008555|
|2015-07-29 09:17||Anonymous||Status||new => closed|
|2015-07-29 09:17||Anonymous||Resolution||open => fixed|