I'm not certain what you're trying to accomplish.
Are you trying to allow SSH access to the OpenVPN server?
Your rich rule is using port 8080. Are you trying to forward 8080 to ssh (22)?
Are you trying to allow SSH access to a machine on the internal network that is behind the OpenVPN server?
On Thu, Mar 19, 2020 at 07:40:13PM +0100, Hans-Peter Jansen wrote:
Hi,
I try to tighten an OpenVPN setup.
It should result in a separate zone for tun0 (10.20.30.0/24), that allows ssh on the local net, which is in the external zone otherwise (192.168.78.0/24).
$ firewall-cmd --info-zone=external
external (active)
  target: DROP
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dhcpv6-client http https ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

$ firewall-cmd --info-zone=internal
internal (active)
  target: default
  icmp-block-inversion: no
  interfaces: tun0
  sources:
  services: ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
	rule family="ipv4" source address="10.20.30.0/24" destination address="192.168.78.0/24" port port="8080" protocol="tcp" accept
Hence, it should allow routing ssh requests to eth0.
All experiments result in IN_external_DROPs, because this is defined as external, I guess.
Yes, I know, this setup is rather improper. It's a transient state on the way to proper separate internal and external network interfaces.
Any idea how to achieve this?
Thanks in advance, Pete
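A small audit helper, added here as an example (not from the thread and not firewalld's own code), that parses `firewall-cmd --info-zone` output like the zone quoted above and reports whether a rich rule or an enabled service covers a given flow. It models only the source/destination/port clauses of rich rules plus a hand-picked service-to-port table, so it shows the 8080-versus-22 mismatch the reply points at, but it is not firewalld's full evaluation logic.

```python
import re
from ipaddress import ip_address, ip_network
# Hand-picked subset of firewalld's service definitions (assumed here, not read from the service XML files).
SERVICE_PORTS = {"ssh": ("tcp", 22), "http": ("tcp", 80), "https": ("tcp", 443)}

# Constructed sample: the "internal" zone quoted in the thread, in the layout firewall-cmd prints.
INTERNAL_ZONE = """\
internal (active)
  target: default
  icmp-block-inversion: no
  interfaces: tun0
  sources:
  services: ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
\trule family="ipv4" source address="10.20.30.0/24" destination address="192.168.78.0/24" port port="8080" protocol="tcp" accept
"""

def parse_zone(text):  # `firewall-cmd --info-zone` output -> {setting: [values]}
    zone = {}
    for line in text.splitlines()[1:]:  # skip the "name (active)" header
        if line.startswith("\t") or line.lstrip().startswith("rule "):  # rich rules are indented under "rich rules:"
            zone.setdefault("rich rules", []).append(line.strip())
        else:
            key, _, value = line.strip().partition(":")
            zone[key] = value.split()
    return zone

def rule_matches(rule, src, dst, proto, port):  # do the rule's address and port clauses all cover the flow?
    attrs = dict(re.findall(r'((?:\w+ )?\w+)="([^"]+)"', rule.split(" ", 1)[1]))  # e.g. {"source address": "10.20.30.0/24"}
    for key, addr in (("source address", src), ("destination address", dst)):
        if key in attrs and ip_address(addr) not in ip_network(attrs[key], strict=False):
            return False
    if "port port" in attrs:  # "8080" or a range such as "8080-8090"
        lo, _, hi = attrs["port port"].partition("-")
        if attrs.get("protocol") != proto or not int(lo) <= port <= int(hi or lo):
            return False
    return True

def flow_verdict(zone, src, dst, proto, port):  # action of the first matching rich rule, else None
    return next((r.split()[-1] for r in zone.get("rich rules", [])
                 if rule_matches(r, src, dst, proto, port)), None)

def service_covers(zone, proto, port):  # does an enabled service already open this proto/port?
    return any(SERVICE_PORTS.get(s) == (proto, port) for s in zone.get("services", []))
```

Run it against `firewall-cmd --info-zone=internal` output to see that the quoted rich rule matches tcp/8080 from the tunnel to the LAN but nothing matches tcp/22, while the zone's ssh service only opens port 22 on the host itself.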