I'm not certain what you're trying to accomplish.
Are you trying to allow SSH access to the OpenVPN server?
Your rich rule is using port 8080. Are you trying to forward 8080 to ssh (22)?
Are you trying to allow SSH access to a machine on the internal network
that is behind the OpenVPN server?
On Thu, Mar 19, 2020 at 07:40:13PM +0100, Hans-Peter Jansen wrote:
Hi,
I try to tighten an OpenVPN setup.
It should result in a separate zone for tun0 (10.20.30.0/24), that allows ssh
on the local net, which is in the external zone otherwise (192.168.78.0/24).
$ firewall-cmd --info-zone=external
external (active)
target: DROP
icmp-block-inversion: no
interfaces: eth0
sources:
services: dhcpv6-client http https ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
$ firewall-cmd --info-zone=internal
internal (active)
target: default
icmp-block-inversion: no
interfaces: tun0
sources:
services: ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="10.20.30.0/24" destination address="192.168.78.0/24" port port="8080" protocol="tcp" accept
Hence, it should allow routing ssh requests to eth0.
All experiments result in IN_external_DROPs, because this is defined as
external, I guess.
Yes, I know, this setup is rather improper. It's a transient state on the way
to proper separate internal and external network interfaces.
Any idea how to achieve this?
Thanks in advance,
Pete
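To make the zone discussion above concrete, here is an added example (not code from the thread or from the firewalld project) that parses the two `firewall-cmd --info-zone` dumps quoted in the mail and walks through a simplified model of how firewalld picks a zone for an incoming connection and decides its fate: the ingress interface selects the zone, rich drop/reject rules are checked first, then rich accept rules, services and ports, and finally the zone target. The model covers input traffic only (connections addressed to the host itself); forwarded traffic between tun0 and eth0 is handled by separate chains in firewalld and is deliberately not modelled here. The service-to-port table and the sample zone text are constructed for the example.

```python
"""Added example: simplified model of firewalld zone selection and rule matching.

Not firewalld code.  Parses the text format of `firewall-cmd --info-zone`
(sample input constructed from the zones quoted in the thread) and models
INPUT traffic only; forwarded traffic is not covered.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# TCP ports behind the service names used in the quoted zones.  dhcpv6-client
# is UDP-only, so it contributes no TCP port in this model.
SERVICE_TCP_PORTS = {"ssh": {22}, "http": {80}, "https": {443}, "dhcpv6-client": set()}

# Only the rich-rule elements that appear on the page are parsed here.
RICH_RULE_RE = re.compile(
    r'rule family="(?P<family>\w+)"'
    r'(?:\s+source address="(?P<src>[\d./]+)")?'
    r'(?:\s+destination address="(?P<dst>[\d./]+)")?'
    r'(?:\s+port port="(?P<port>\d+)" protocol="(?P<proto>\w+)")?'
    r"\s+(?P<action>accept|drop|reject)"
)


@dataclass
class RichRule:
    src: Optional[ipaddress.IPv4Network]
    dst: Optional[ipaddress.IPv4Network]
    port: Optional[int]
    proto: Optional[str]
    action: str

    def matches(self, src: str, dst: str, dport: int, proto: str) -> bool:
        if self.src is not None and ipaddress.ip_address(src) not in self.src:
            return False
        if self.dst is not None and ipaddress.ip_address(dst) not in self.dst:
            return False
        if self.port is not None and (self.port != dport or self.proto != proto):
            return False
        return True


@dataclass
class Zone:
    name: str
    target: str = "default"
    interfaces: Set[str] = field(default_factory=set)
    services: Set[str] = field(default_factory=set)
    ports: Set[Tuple[int, str]] = field(default_factory=set)
    rich_rules: List[RichRule] = field(default_factory=list)


def parse_info_zone(text: str) -> Zone:
    """Parse one `firewall-cmd --info-zone` dump (first line: 'name (active)')."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    zone = Zone(name=lines[0].split()[0])
    for line in lines[1:]:
        if line.startswith("rule "):  # a rich rule listed under "rich rules:"
            m = RICH_RULE_RE.match(line)
            if not m:
                raise ValueError(f"unparsed rich rule: {line}")
            zone.rich_rules.append(RichRule(
                src=ipaddress.ip_network(m["src"]) if m["src"] else None,
                dst=ipaddress.ip_network(m["dst"]) if m["dst"] else None,
                port=int(m["port"]) if m["port"] else None,
                proto=m["proto"], action=m["action"]))
            continue
        key, _, value = line.partition(":")
        values = value.split()
        if key == "target" and values:
            zone.target = values[0]
        elif key == "interfaces":
            zone.interfaces = set(values)
        elif key == "services":
            zone.services = set(values)
        elif key == "ports":  # entries look like "8080/tcp"
            zone.ports = {(int(p.split("/")[0]), p.split("/")[1]) for p in values}
    return zone


def evaluate(zones: List[Zone], in_iface: str, src: str, dst: str,
             dport: int, proto: str = "tcp") -> Tuple[str, Optional[str]]:
    """Return (verdict, zone name) for a new connection arriving on in_iface."""
    zone = next((z for z in zones if in_iface in z.interfaces), None)
    if zone is None:
        return ("default-zone", None)  # would fall to the default zone; not modelled
    # Rich drop/reject rules sit ahead of every allow rule, so they win over a
    # service that would otherwise open the port.
    for rule in zone.rich_rules:
        if rule.action != "accept" and rule.matches(src, dst, dport, proto):
            return (rule.action, zone.name)
    for rule in zone.rich_rules:
        if rule.action == "accept" and rule.matches(src, dst, dport, proto):
            return ("accept", zone.name)
    if proto == "tcp" and any(dport in SERVICE_TCP_PORTS.get(s, set()) for s in zone.services):
        return ("accept", zone.name)
    if (dport, proto) in zone.ports:
        return ("accept", zone.name)
    # Nothing matched: the zone target decides ("default" rejects input traffic).
    return ({"ACCEPT": "accept", "DROP": "drop"}.get(zone.target, "reject"), zone.name)


# Constructed sample input, taken from the two zone dumps quoted in the thread.
SAMPLE_ZONES = ["""
external (active)
  target: DROP
  interfaces: eth0
  services: dhcpv6-client http https ssh
  rich rules:
""", """
internal (active)
  target: default
  interfaces: tun0
  services: ssh
  rich rules:
\trule family="ipv4" source address="10.20.30.0/24" destination address="192.168.78.0/24" port port="8080" protocol="tcp" accept
"""]


def load_sample_zones() -> List[Zone]:
    return [parse_info_zone(t) for t in SAMPLE_ZONES]


if __name__ == "__main__":
    zones = load_sample_zones()
    for iface, s, d, p in [("tun0", "10.20.30.5", "192.168.78.10", 8080),
                           ("tun0", "10.20.30.5", "192.168.78.10", 22),
                           ("eth0", "192.168.78.10", "192.168.78.1", 22),
                           ("eth0", "192.168.78.10", "192.168.78.1", 8080)]:
        print(f"{iface} {s} -> {d}:{p}/tcp => {evaluate(zones, iface, s, d, p)}")
```

Running it shows that the rich rule only matches destination port 8080 (the point raised in the reply), that ssh to the host itself is already open in both zones via the `ssh` service, and that anything unmatched arriving on eth0 hits the external zone's DROP target, which is the path that produces the IN_external_DROP entries mentioned in the mail. Anything routed onward to another 192.168.78.0/24 host is outside what this input-only model decides.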
_______________________________________________
firewalld-users mailing list -- firewalld-users(a)lists.fedorahosted.org