Assuming the public zone is the only active zone, IMO that should be sufficient.

The permanent firewall is what is restored (brought up) when boot-up occurs so you could --remove-service openvpn in the run-time instance if you note a problem in openvpn and run firewall-cmd --complete-reload (disconnects any hanging connections) to allow the permanent firewall to take effect when the problem is fixed (Or maybe just reboot).

The drop zone drops everything anyway and appears not active so doesn't act in this scope.

Amicalement,
Dave
--
Maple Park Development
Linux Systems Integration
http://www.maplepark.com/

If IP addresses weighed one gram each:

IPv4 = half the Empire State Building vs. IPv6 = 56 billion earths

I use Linux and I wouldn't touch Outlook even if I were using a Hazmat suit and an isolation lab kit.

On Sun, Sep 11, 2016 at 9:38 PM, Jake Trader <longid@fedoraproject.org> wrote:

Thank you for the reply, David.
My goal here is to prevent any leakage should there be an unexpected disconnection in openvpn. I hear you can solve this by configuring firewall to kill all traffic when openvpn fails.

So far all I've done is to type from public zone (default):
# firewall-cmd --add-service openvpn
# firewall-cmd --permanent --add-service openvpn
# firewall-cmd --add-masquerade
# firewall-cmd --permanent --add-masquerade
# reboot

Should I have done above in the drop zone???
I am clueless as to what I'm doing. lol Help please.

_______________________________________________
firewalld-users mailing list
firewalld-users@lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/firewalld-users@lists.fedorahosted.org