OpenVPN refinements
by Hans-Peter Jansen
Hi,
I try to tighten an OpenVPN setup.
It should result in a separate zone for tun0 (10.20.30.0/24), that allows ssh
on the local net, which is in the external zone otherwise (192.168.78.0/24).
$ firewall-cmd --info-zone=external
external (active)
target: DROP
icmp-block-inversion: no
interfaces: eth0
sources:
services: dhcpv6-client http https ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
$ firewall-cmd --info-zone=internal
internal (active)
target: default
icmp-block-inversion: no
interfaces: tun0
sources:
services: ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="10.20.30.0/24" destination address="192.168.78.0/24" port port="8080" protocol="tcp" accept
Hence, it should allow routing ssh requests to eth0.
All experiments result in IN_external_DROPs, because this is defined as
external, I guess.
Yes, I know, this setup is rather improper. It's a transient state on the way
to proper separate internal and external network interfaces.
Any idea how to achieve this?
Thanks in advance,
Pete
3 years, 12 months
I don't know how to configure my firewalld to give processor power to Coronavirus research with boinc manager
by Srikanth Hannabeprakash
Can anyone please tell me what I should do in order to give my processor capability using boinc manager by allowing it to bypass my firewall? This firewall isn't helping me connect to the boinc manager. How should I configure my firewalld to let boinc manager access my computer's hardware space and computing utilities? There are many people who want to get speed for their systems that do distributed data work on proteins and disease analysis. I want some people to help me configure my system to release its computing capabilities to our scientists and doctors out there searching for a cure to Coronavirus. I use KDE plasma desktop on Fedora Scientific spin based on Fedora 29. My system has 4GB RAM and 4GB with the following system config: 5.3.11-100.fc29.x86_64
In fact, the block device info is as follows:
NAME              MAJ:MIN RM   SIZE RO TYPE MOUNTPOINT
sda                 8:0    0 149.1G  0 disk
├─sda1              8:1    0     1G  0 part /boot
└─sda2              8:2    0 148.1G  0 part
  ├─fedora-root   253:0    0    50G  0 lvm  /
  ├─fedora-swap   253:1    0   3.9G  0 lvm  [SWAP]
  └─fedora-home   253:2    0  94.1G  0 lvm  /home
sdb                 8:16   0 465.8G  0 disk
├─sdb1              8:17   0  73.2G  0 part /run/media/srikanth/Arts
├─sdb2              8:18   0  73.2G  0 part /run/media/srikanth/Russian
├─sdb3              8:19   0 146.5G  0 part /run/media/srikanth/Reposoft
└─sdb4              8:20   0 172.8G  0 part /run/media/srikanth/engineering
sr0                11:0    1  1024M  0 rom
sr1                11:1    1  14.2M  0 rom
4 years
Capture FINAL_REJECT and STATE_INVALID_DROP packets
by Hans-Peter Jansen
Hi,
do you know a method to capture the packets before they are discarded?
I do see a couple of "interesting" packets that I would like to examine a
bit further (e.g. with wireshark).
The usual way would be using ulogd, but according to gh#268
(https://github.com/firewalld/firewalld/issues/268), this is out of scope ATM.
When looking into the source, a general implementation seems pretty
straightforward, with most of the work being configuration/interfaces, but of
course this will raise questions of scattering logging into the ruleset
everywhere <shrug>, proper testing, etc.
# LogTarget
# Define alternate logging target, eg. ULOG, NFLOG
# Default: LOG
LogTarget=LOG
# LogPrefixOption
# Log prefix option, eg. --nflog-prefix, --ulog-prefix
# Default: "--log-prefix"
LogPrefixOption="--log-prefix"
# LogTargetOptions
# Options for alternate logging target, eg. --nflog-group 32
# Default: ""
LogTargetOptions=
When making firewalld ulogd-aware (ULOG, NFLOG), we could hardcode the
LogPrefixOption, and simply call LogTargetOptions LogTargetGroup.
Opinions?
Cheers,
Pete
4 years
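As an added illustration (not firewalld's own code) of how the three LogTarget keys quoted above would compose into the tail of an iptables logging rule, and what the proposed "derive the prefix option from the target, keep only a group number" variant looks like; the parser, the rendering functions and the sample config strings are all constructed for this example:

```python
# Added example, not firewalld code: parse the LogTarget* keys from a
# firewalld.conf-style snippet and render '-j <target> ...' from them.

# iptables extension options for each logging target (prefix and netlink group).
PREFIX_OPTION = {"LOG": "--log-prefix", "NFLOG": "--nflog-prefix", "ULOG": "--ulog-prefix"}
GROUP_OPTION = {"NFLOG": "--nflog-group", "ULOG": "--ulog-nlgroup"}


def parse_log_config(text):
    """Read Key=Value lines; comments and blanks are skipped, surrounding quotes dropped."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        cfg[key] = value
    return cfg


def render_log_target(prefix, cfg):
    """Current scheme: LogTarget + LogPrefixOption + LogTargetOptions, as configured.
    Rejects a prefix option that does not belong to the target (the mismatch the
    post proposes to avoid by hard-coding the prefix option)."""
    target = cfg.get("LogTarget", "LOG")
    prefix_opt = cfg.get("LogPrefixOption", "--log-prefix")
    if target not in PREFIX_OPTION:
        raise ValueError(f"unsupported LogTarget: {target}")
    if prefix_opt != PREFIX_OPTION[target]:
        raise ValueError(f"{target} takes {PREFIX_OPTION[target]}, not {prefix_opt}")
    parts = ["-j", target, prefix_opt, f'"{prefix}: "']
    if cfg.get("LogTargetOptions"):
        parts.append(cfg["LogTargetOptions"])
    return " ".join(parts)


def render_log_target_simplified(prefix, target="LOG", group=None):
    """Proposed scheme: prefix option derived from the target, one LogTargetGroup knob."""
    if target not in PREFIX_OPTION:
        raise ValueError(f"unsupported LogTarget: {target}")
    parts = ["-j", target, PREFIX_OPTION[target], f'"{prefix}: "']
    if group is not None:
        if target not in GROUP_OPTION:
            raise ValueError(f"{target} has no netlink group option")
        parts += [GROUP_OPTION[target], str(group)]
    return " ".join(parts)


# Constructed snippets: the defaults quoted in the post, and an NFLOG variant.
DEFAULT_CONF = 'LogTarget=LOG\nLogPrefixOption="--log-prefix"\nLogTargetOptions=\n'
NFLOG_CONF = 'LogTarget=NFLOG\nLogPrefixOption="--nflog-prefix"\nLogTargetOptions=--nflog-group 32\n'
```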
Request for clarification
by Hans-Peter Jansen
Hi,
after some intensive hours of dealing with switching an important system to
firewalld (v0.7.3) running on openSUSE 15.1, may I gently ask for some
clarification.
I have to pass VoIP to an Asterisk PBX through the firewall:
# empty and completely unrelated values removed
$ firewall-cmd --info-zone external
external (active)
target: default
icmp-block-inversion: no
interfaces: eth1
services: dns http https ssh
masquerade: yes
forward-ports: port=15060:proto=udp:toport=15060:toaddr=192.168.2.2
port=10000-10099:proto=udp:toport=10000-10099:toaddr=192.168.2.2
icmp-blocks: *almost all*
rich rules:
rule family="ipv4" source address="213.167.161.0/26" destination address="192.168.2.2/32" port port="15060" protocol="udp" accept
rule family="ipv4" source address="213.167.162.0/26" destination address="192.168.2.2/32" port port="15060" protocol="udp" accept
Due to continuous attacks on the VoIP infrastructure, I'm using a non-standard
SIP port here and try to block all accesses that don't come from my
provider. If forward ports and rich rules are combined, is the rich rule
effective before forwarding (using the iptables backend)? Given it is, would
this hold true with the nftables backend as well?
Thanks,
Pete
4 years