CentOS - May 2015 - openvpn and firewalld

I am trying to build a new openvpn server based on CentOS7. Everything 
is working fine as long as I disable firewalld.  With firewalld enabled, 
I can connect to the vpn and ping the machines on the network, but I am 
unable to ssh to them.

What I had on my old server with iptables was two simple rules:

-A RH-Firewall-1-INPUT -s <localnet>/255.255.0.0 -d
<vpnnet>/255.255.0.0
-j ACCEPT
-A RH-Firewall-1-INPUT -s <vpnnet>/255.255.0.0 -d
<localnet>/255.255.0.0
-j ACCEPT

This allowed all traffic to flow between my vpn subnet and the local 
network.  How can I duplicate this behavior with firewalld?

I even tried using the --direct option to put in these same rules 
without success.  Although I may not have done it quite right -- 
firewalld seems to have added 20 extra chains to the rule structure and 
I'm not sure exactly where I should put these rules.

Unfortunately, I cannot easily debug this while I'm at the office, but 
if you can give me any suggestions, I can try them out when I get home 
tonight.

Thanks!

-- 
Bowie

On 5/8/2015 9:34 AM, Bowie Bailey wrote:
> I am trying to build a new openvpn server based on CentOS7. Everything 
> is working fine as long as I disable firewalld.  With firewalld 
> enabled, I can connect to the vpn and ping the machines on the 
> network, but I am unable to ssh to them.
>
> What I had on my old server with iptables was two simple rules:
>
> -A RH-Firewall-1-INPUT -s <localnet>/255.255.0.0 -d 
> <vpnnet>/255.255.0.0 -j ACCEPT
> -A RH-Firewall-1-INPUT -s <vpnnet>/255.255.0.0 -d 
> <localnet>/255.255.0.0 -j ACCEPT
>
> This allowed all traffic to flow between my vpn subnet and the local 
> network.  How can I duplicate this behavior with firewalld?
Replying to myself here, I finally figured out how to do it with direct 
rules.  Firewalld on CentOS 7 defaults to a drop rule for the FORWARD 
chain which my previous server didn't have.  So I needed to put the 
rules in the FORWARD chain rather than the INPUT chain.

The rules may not have been necessary on the old server since FORWARD 
defaulted to accept, but they would have worked anyway because the 
RH-Firewall-1-INPUT chain was referenced by both the INPUT and FORWARD 
chains.

I'm still trying to sort out how to do this using firewalld's normal or 
rich rules.  So far, no success.  I'm not sure how to affect the FORWARD 
chain with firewalld.

Right now, I have:

# firewall-cmd --direct --get-all-rules
ipv4 filter FORWARD 0 -s <localnet>/255.255.0.0 -d
<vpnnet>/255.255.0.0
-j ACCEPT
ipv4 filter FORWARD 0 -s <vpnnet>/255.255.0.0 -d
<localnet>/255.255.0.0
-j ACCEPT

So how can I duplicate this behavior without using direct rules?

-- 
Bowie