diff --git a/Shorewall2/changelog.txt b/Shorewall2/changelog.txt
index b08840c2f..9912e4936 100644
--- a/Shorewall2/changelog.txt
+++ b/Shorewall2/changelog.txt
@@ -79,3 +79,5 @@ Changes since 2.0.3
 37) Fixed proxy arp flag setting for complex configurations.
 38) Added RETAIN_ALIASES option.
+
+39) Relax OpenVPN source port restrictions.
diff --git a/Shorewall2/firewall b/Shorewall2/firewall
index e69498247..628a192a6 100755
--- a/Shorewall2/firewall
+++ b/Shorewall2/firewall
@@ -527,7 +527,14 @@ source_ip_range() # $1 = Address or Address Range
 {
 case $1 in
 *.*.*.*-*.*.*.*)
- iprange_echo "--src-range $1"
+ case $1 in
+ !*)
+ iprange_echo "! --src-range ${1#!}"
+ ;;
+ *)
+ iprange_echo "--src-range $1"
+ ;;
+ esac
 ;;
 *)
 echo "-s $1"
@@ -542,7 +549,14 @@ dest_ip_range() # $1 = Address or Address Range
 {
 case $1 in
 *.*.*.*-*.*.*.*)
- iprange_echo "--dst-range $1"
+ case $1 in
+ !*)
+ iprange_echo "! --dst-range ${1#!}"
+ ;;
+ *)
+ iprange_echo "--dst-range $1"
+ ;;
+ esac
 ;;
 *)
 echo "-d $1"
@@ -1608,8 +1622,8 @@ setup_tunnels() # $1 = name of tunnels file
 ;;
 esac
- addrule $inchain -p udp $(source_ip_range $1) --sport $p --dport $p -j ACCEPT
- addrule $outchain -p udp $(dest_ip_range $1) --sport $p --dport $p -j ACCEPT
+ addrule $inchain -p udp $(source_ip_range $1) --dport $p -j ACCEPT
+ addrule $outchain -p udp $(dest_ip_range $1) --dport $p -j ACCEPT
 progress_message " OPENVPN tunnel to $1:$p defined."
 }
diff --git a/Shorewall2/releasenotes.txt b/Shorewall2/releasenotes.txt
index 4e85ea208..b0ae50b11 100755
--- a/Shorewall2/releasenotes.txt
+++ b/Shorewall2/releasenotes.txt
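Review bot: The nested `case $1 in` added inside the range arm of source_ip_range (and, identically, dest_ip_range in the next hunk) can be a sibling arm of the outer case instead, which removes one level of nesting and the eight-line duplicate: insert `!*.*.*.*-*.*.*.*)` / `iprange_echo "! --src-range ${1#!}"` / `;;` ahead of the existing `*.*.*.*-*.*.*.*)` arm (with `--dst-range` in dest_ip_range). The negated arm has to come first because `*.*.*.*-*.*.*.*` also matches a `!`-prefixed range, which is exactly why the committed version needs the inner case. Note that the untouched fall-through arm still emits `-s $1` / `-d $1` verbatim, so a negated plain address from the tunnels file reaches iptables as `-s !addr` rather than the `! --src-range` form used here; it is worth confirming that is the spelling the targeted iptables accepts, or handling `!` in that arm the same way.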
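Review bot: The two rewritten addrule lines in setup_tunnels now accept UDP from any source port, but nothing in the code records why `--sport $p` was dropped; the rationale lives only in the release notes. A comment above the first addrule such as `# OpenVPN peers need not use $p as their source port (see release notes); match on --dport only` would keep the intent visible to whoever next tightens these rules. Since the inbound ACCEPT in $inchain is now bounded only by the peer address or range from `source_ip_range $1` and the destination port, it may also be worth saying in that comment that a wide range in the tunnels file widens the accepted traffic correspondingly. The body of setup_tunnels starts before this hunk, so the `$inchain`/`$outchain`/`$p` assignments are not visible here.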
@@ -406,7 +406,9 @@ New Features:
 changed.
 8) To improve interoperability, tunnels of type 'ipsec' no longer
- enforce the use of source port 500 for ISAKMP.
+ enforce the use of source port 500 for ISAKMP and OpenVPN
+ tunnels no longer enforce use of the specified port as both the
+ source and destination ports.
 9) A new 'allowBcast' builtin action has been added -- it silently allows broadcasts and multicasts.