I have an OpenVPN server set up on a CentOS 7 box running firewalld. It seems to be working well except for one problem.
Client (eth0 192.168.1.x, tun0 10.201.0.6) -> VpnServer (enp4s0 faces internet, enp3s0 internal with 10.200.0.1/16 and tun0 internal with 10.201.0.1/16)
Connection from Client -> VpnServer: good
Client ping -> both 10.200.0.1 and 10.200.0.10: good
Client ssh -> 10.200.0.1: good
Client ssh -> another server on the 10.200.0.0/16 network: connection refused
On the VpnServer I have enp4s0 in the external zone
enp3s0 and tun0 in the internal zone along with ssh turned on on the internal zone
Here is my routing table on the VpnServer (public ip obscured)
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
default 207-xxx-xxx-169 0.0.0.0 UG 0 0 0 enp4s0
default 10.200.0.1 0.0.0.0 UG 0 0 0 enp3s0
10.200.0.0 0.0.0.0 255.255.0.0 U 0 0 0 enp3s0
10.201.0.0 10.201.0.2 255.255.255.0 UG 0 0 0 tun0
10.201.0.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
207.xxx.xxx.168 0.0.0.0 255.255.255.248 U 0 0 0 enp4s0
I'm not sure if it's a routing issue or a firewall issue (I'm leaning towards the latter), but when I turn off firewalld, everything seems to work OK.
Anybody have any clues or insight?
Thanks in advance
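To separate the "routing or firewall" halves of the question, the following added example (not from the question, OpenVPN or firewalld) reproduces the kernel's longest-prefix match over the routing table posted above and maps the ingress and egress interfaces of a forwarded client packet onto the zone bindings the poster describes. The obscured public /29 and its gateway are replaced by addresses from the 203.0.113.0/24 documentation range so the rows parse; the zone map and every other row are as posted.

```python
import ipaddress

# Routing table from the question, in the same netstat -r column layout.
# The obscured public /29 and its gateway are replaced by addresses from
# the 203.0.113.0/24 documentation range (constructed placeholders) so the
# rows parse; everything else is as posted.
ROUTING_TABLE = """\
Destination     Gateway         Genmask         Flags MSS Window irtt Iface
default         203.0.113.169   0.0.0.0         UG    0   0      0    enp4s0
default         10.200.0.1      0.0.0.0         UG    0   0      0    enp3s0
10.200.0.0      0.0.0.0         255.255.0.0     U     0   0      0    enp3s0
10.201.0.0      10.201.0.2      255.255.255.0   UG    0   0      0    tun0
10.201.0.2      0.0.0.0         255.255.255.255 UH    0   0      0    tun0
203.0.113.168   0.0.0.0         255.255.255.248 U     0   0      0    enp4s0
"""

# Interface-to-zone bindings exactly as the poster describes them.
ZONE_OF_IFACE = {"enp4s0": "external", "enp3s0": "internal", "tun0": "internal"}


def parse_routes(text):
    """Turn netstat -r output into (network, gateway, iface) tuples.

    Table order is preserved: when two routes have the same prefix length
    (the two defaults here, both with metric 0) the first one listed wins,
    which is also how the kernel picks between them."""
    routes = []
    for line in text.splitlines()[1:]:          # first line is the header
        dest, gw, mask, _flags, _mss, _win, _irtt, iface = line.split()
        if dest == "default":
            dest = "0.0.0.0"
        network = ipaddress.IPv4Network((dest, mask))
        gateway = None if gw == "0.0.0.0" else gw   # None = directly connected
        routes.append((network, gateway, iface))
    return routes


def lookup(routes, dst):
    """Longest-prefix match; returns (iface, gateway), gateway None when the
    destination is on a directly connected network."""
    addr = ipaddress.IPv4Address(dst)
    best = None
    for network, gateway, iface in routes:
        if addr in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, gateway, iface)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[2], best[1]


def forward_zones(routes, src, dst):
    """Zones a packet forwarded from src to dst crosses on the VPN box:
    (zone of the interface src is reached through, zone of the interface
    dst leaves on). This is what firewalld's FORWARD chain sees as the
    ingress and egress zone of the packet."""
    in_iface, _ = lookup(routes, src)
    out_iface, _ = lookup(routes, dst)
    return ZONE_OF_IFACE[in_iface], ZONE_OF_IFACE[out_iface]


if __name__ == "__main__":
    table = parse_routes(ROUTING_TABLE)
    for dst in ("10.200.0.1", "10.200.0.20", "10.201.0.6", "198.51.100.7"):
        print(dst, "->", lookup(table, dst))
    print("client -> internal host crosses zones:",
          forward_zones(table, "10.201.0.6", "10.200.0.20"))
```

For a client packet to a 10.200.0.x host the lookup lands on enp3s0 with no gateway, so the box is forwarding from tun0 to enp3s0, both bound to the internal zone; if that is the intended path, what remains to check is whether firewalld's FORWARD chain lets it through, which `iptables -nvL FORWARD` on the server shows. The lookup also makes visible that the table carries two default routes of equal metric, of which only the first is ever chosen.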
I noticed the following strange behavior when configuring my firewall
$ firewall-cmd -q --permanent --zone=public --add-interface=br0
$ firewall-cmd -q --zone=public --remove-interface=br0
$ firewall-cmd -q --zone=external --add-interface=br0
$ firewall-cmd --runtime-to-permanent
Error: RT_TO_PERM_FAILED: zone 'external' :
org.fedoraproject.FirewallD1.Exception: ZONE_CONFLICT: br0
My understanding of the --runtime-to-permanent option from the manpage
is that it will simply replace the previous permanent configuration with
the runtime one so it should simply ignore the previous permanent
configuration. Am I reading the manpage wrong?
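The ZONE_CONFLICT error above names a binding (br0) that the permanent configuration still holds in one zone while the runtime configuration puts it in another. The following added example (not firewalld's own logic) is a pre-flight check that lists exactly those bindings from two listings in the layout of `firewall-cmd --get-active-zones`; the two snapshots are constructed to match the commands in the post and are an assumption about the poster's box, not captured output.

```python
# Constructed snapshots in the layout of `firewall-cmd --get-active-zones`
# (zone name on its own line, then indented "interfaces:" / "sources:"
# lists). PERMANENT stands for what the first command in the post left on
# disk, RUNTIME for the state after the next two commands; both are
# assumptions about the poster's box, not captured output.
PERMANENT = """\
public
  interfaces: br0
"""

RUNTIME = """\
external
  interfaces: br0
internal
  sources: 10.200.0.0/16
"""


def parse_active_zones(text):
    """Map each (kind, binding), e.g. ("interfaces", "br0"), to its zone."""
    bindings = {}
    zone = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):
            zone = line.strip()            # an unindented line names a zone
            continue
        kind, _, items = line.strip().partition(":")
        for item in items.split():
            bindings[(kind, item)] = zone
    return bindings


def zone_conflicts(permanent_text, runtime_text):
    """Bindings present in both snapshots but assigned to different zones.

    These are the bindings --runtime-to-permanent would have to move out of
    one permanent zone into another rather than simply copy; each is
    returned as (kind, binding, permanent_zone, runtime_zone)."""
    permanent = parse_active_zones(permanent_text)
    runtime = parse_active_zones(runtime_text)
    return sorted(
        (kind, name, permanent[(kind, name)], zone)
        for (kind, name), zone in runtime.items()
        if (kind, name) in permanent and permanent[(kind, name)] != zone
    )


if __name__ == "__main__":
    for conflict in zone_conflicts(PERMANENT, RUNTIME):
        print("binding %s %s: permanent zone %s, runtime zone %s" % conflict)
```

The permanent side can be assembled from `firewall-cmd --permanent --zone=<zone> --list-interfaces` over the zones `firewall-cmd --get-zones` reports. Whatever firewalld's own rule for the save turns out to be, removing the binding from its old permanent zone first (`firewall-cmd --permanent --zone=public --remove-interface=br0`, the mirror of the first command in the post) leaves this check with nothing to report.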
I am happy to be able to announce the new firewalld 0.4.0 release with
amazing new features like ipset support, MAC address support, logging of
denied packets, enhancements and speed ups.
The main changes are
The load, reload, restart and stop of firewalld has been sped up a lot
by enabling the use of the restore commands of iptables, ip6tables and
ebtables. Rules are now applied in bigger chunks, which speeds up all
actions of firewalld that are changing firewall rules in netfilter.
The new setting IndividualCalls has been added to firewalld.conf. The
setting defaults to no, which enables the use of the restore commands.
The use of the restore commands might not fit all needs and is also
resulting in less detailed error messages. Additionally the restore
commands are not supporting the locking mechanisms. If the use of the
restore commands is not possible for the use case, then the
IndividualCalls setting should be enabled.
The use of ebtables-restore is limited to future versions that will
support the --noflush option. This option has already been added to the
upstream git repository, but is not part of a release, yet.
ipsets can now be used as zone bindings and also in rich rules.
firewalld supports initially the use of hash:ip, hash:net and hash:mac
types. The use of ipsets with timeout is also possible, but the entries
in the ipset then need to be taken care of directly with ipset.
For simple black and white listing the use of ipsets is recommended
together with rich rules.
MAC address support
MAC addresses can now also be used directly for zone bindings and in
rich rules. A use of MAC addresses in ipsets is also possible.
Log of denied packets
The new LogDenied setting has been added to firewalld.conf. It can be
altered with the command line tools and also firewall-config.
If LogDenied is enabled, logging rules are added right before the reject and
drop rules in the INPUT, FORWARD and OUTPUT chains for the default rules and
also before the final reject and drop rules in zones. Possible values for
LogDenied are: all, unicast, broadcast, multicast and off.
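The lines LogDenied produces use the netfilter LOG target layout (IN=, OUT=, SRC=, DST=, PROTO=, DPT= and so on), so they are easy to review in bulk. The following added example (not part of firewalld) parses constructed journal lines in that layout, separates drops of forwarded packets from drops of packets addressed to the box itself, and counts the most frequently denied sources. The FINAL_REJECT and STATE_INVALID_DROP prefixes in the sample are assumed; check `journalctl -k` on your own box for the exact strings your version emits.

```python
import re
from collections import Counter

# Constructed journal lines in the netfilter LOG target layout. The
# FINAL_REJECT / STATE_INVALID_DROP prefixes are assumed for firewalld's
# LogDenied rules here. Public addresses are from documentation ranges; the
# 10.200/10.201 ones follow the OpenVPN question earlier on the page.
SAMPLE_LOG = """\
Mar  3 09:12:01 vpn kernel: FINAL_REJECT: IN=enp4s0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.23 DST=203.0.113.170 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=41231 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 09:12:02 vpn kernel: FINAL_REJECT: IN=enp4s0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.23 DST=203.0.113.170 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=41232 DF PROTO=TCP SPT=51235 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 09:12:05 vpn kernel: FINAL_REJECT: IN=tun0 OUT=enp3s0 MAC= SRC=10.201.0.6 DST=10.200.0.20 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=9001 DF PROTO=TCP SPT=40022 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 09:12:07 vpn kernel: STATE_INVALID_DROP: IN=enp4s0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.9 DST=203.0.113.170 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=0 PROTO=TCP SPT=443 DPT=60100 WINDOW=1024 RES=0x00 ACK URGP=0
Mar  3 09:12:09 vpn sshd[1234]: Accepted publickey for admin from 10.200.0.10 port 50112 ssh2
"""

# "kernel: <PREFIX>: key=value key=value ..." ; non-kernel lines never match.
LOG_RE = re.compile(r"kernel: (?P<prefix>[A-Z][A-Z0-9_]*): (?P<fields>.*)$")


def parse_denied(text):
    """Extract one dict per LogDenied line; other journal lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        # Tokens such as "DF" or "SYN" carry no "=", so they are ignored;
        # "OUT=" and "MAC=" split to an empty value.
        kv = dict(tok.split("=", 1) for tok in m.group("fields").split() if "=" in tok)
        events.append({
            "prefix": m.group("prefix"),
            "in": kv.get("IN", ""),
            "out": kv.get("OUT", ""),
            "src": kv.get("SRC"),
            "dst": kv.get("DST"),
            "proto": kv.get("PROTO"),
            "dpt": kv.get("DPT"),
        })
    return events


def forwarded_denials(events):
    """Denied packets that were being forwarded (both IN and OUT set), i.e.
    traffic crossing the box rather than addressed to it. A VPN client packet
    entering on tun0 and refused on its way out of enp3s0 shows up here."""
    return [e for e in events if e["in"] and e["out"]]


def top_sources(events, n=3):
    """Most frequently denied source addresses, for a quick blocklist review."""
    return Counter(e["src"] for e in events).most_common(n)


if __name__ == "__main__":
    found = parse_denied(SAMPLE_LOG)
    for e in forwarded_denials(found):
        print("forwarded drop:", e["in"], "->", e["out"], e["src"], "->", e["dst"], "dpt", e["dpt"])
    print("top denied sources:", top_sources(found))
```

On a box like the one in the OpenVPN question above, a forwarded denial with IN=tun0 and OUT=enp3s0 is the direct evidence that firewalld, not routing, refused the connection; without LogDenied that packet disappears silently.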
Mark action in rich rules
With the mark action it is now possible to mark packets matching the
rich rule parameters.
The mark action results in -j MARK --set-xmark <mark> in the PREROUTING
chain in the mangle table to be able to affect routing with iproute.
Enhanced alteration of config files with command line tools
The permanent zone, service, icmptype and ipset config files can now
directly be edited with the command line tools firewall-cmd and
Use of zone chains in direct interface
The use of zone specific log, deny and allow chains is now possible in
direct rules and tracked passthrough rules.
The needed parts of the zone structure are created on reload if one of
the zone chains is used in the direct interface. The remaining parts of
the zone are created as soon as it is used with a binding or if it is
the default zone.
The firewall-applet has been further extended after the Qt migration and
now supports the same functionality as the Gtk version before and even a
It now provides a global settings file in /etc/firewall/applet.conf and
also a user settings file in $HOME/.config/firewall/applet.conf
The services ceph-mon, ceph, docker-registry, imap, pop3, pulseaudio,
smtps, snmptrap, snmp, syslog-tls and syslog have been added.
There are also several bug fixes and further code optimizations.
The new firewalld version 0.4.0 is available here:
Also on github:
And in the github repository: