> PPTP rules (TCP 1723 and GRE) are automatically added and allowed on
> all interfaces. If you're talking about access to/from PPTP clients,
> you need to add firewall rules on the PPTP interface.
That makes perfect sense, it's a nice timesaver. I've added the needed
firewall rules on the PPTP interface.
> > dc0 is the optional interface and 10.0.0.0/8 catches the networks
> > included in the city lan. I've set a static route to them and that
> > probably added those rules.
> > I removed the static route and the firewall entries were indeed
> > removed too. I guess I'm in trouble.
> > I'm confused, is that a bug or a feature?
> What's the IP and subnet on the OPT interface?
> Those rules are added for a reason, but the reason escapes me at the
> moment. (the answer to the above might refresh my memory) The
> behavior was changed in newer versions (assuming you're using 1.11)
> because incorrect or unnecessary static routes would mess up
The address of the OPT interface is 10.1.180.95/25.
I don't know what could possibly be the reason to open such a large
hole in the firewall based on the existence of the static route alone.
It might be useful in some specific scenario, for example multiple
internal networks. I'm glad you removed it in the later versions.
As a temporary solution I've added /32 static routes to the individual
hosts that connect through PPTP. I guess I'll have to update to the
latest version to solve the problem completely.
My opinions may have changed, but not the fact that I am right.