On 12/29/2017 3:59 AM, Wojciech ?ysiak wrote:> firstly check which zone are your interface in : > > bash> firewall-cmd --get-active-zones > > then all you have to do is add a service to the firewall > > firewall-cmd --zone=<INSERT YOUR ZONE> --add-service=openvpn --permanent > > assuming that your Openvpn is running on standard port 1194/tcp|udp, > If not then modify firewall-cmd rule and add your port/proto > > e.g. > firewall-cmd --zone=<INSERT YOUR ZONE> --add-port=11193/tcpThat opens the physical Ethernet interface to allow the raw SSL connection from the client into the server. It doesn't open a connection for the tunnel (tun0 interface) that's been created by the OpenVPN service to forward packets to the internal LAN zone. I tried adding the tun0 interface to the internal zone and firewall-cmd told me tun0 was managed by NetworkManager. After that it didn't show tun0 as a member of any zone. #? firewall-cmd --zone=internal --add-interface=tun0 The interface is under control of NetworkManager, setting zone to 'internal'. success # firewall-cmd --list-all-zones (long list of zones, none of which have tun0 in their interfaces field)
> I tried adding the tun0 interface to the internal zone and firewall- > cmd?told me tun0 was managed by NetworkManager. After that it didn't > show?tun0 as a member of any zone. > #? firewall-cmd --zone=internal --add-interface=tun0 > The interface is under control of NetworkManager, setting zone to? > 'internal'. success > # firewall-cmd --list-all-zones > (long list of zones, none of which have tun0 in their interfaces > field)I am experiencing the same thing getting IPSec protected GRE packets to the gre1 interface. It works with the firewall disabled; haven't been able to figure out how to make it work with the firewall enabled. firewall-cmd allows me to add the interface, but then forgets about it. -- Adam Tauno Williams <mailto:awilliam at whitemice.org> GPG D95ED383 Systems Administrator, Python Developer, LPI / NCLA
> I am experiencing the same thing getting IPSec protected GRE packets > to the gre1 interface. > It works with the firewall disabled; haven't been able to figure out > how to make it work with the firewall enabled. > firewall-cmd allows me to add the interface, but then forgets about > it.While I cannot reference the interface in a firewall rule I have been able to get the tunnel operational using: ? firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p gre -j ACCEPT see the thread - "Libreswan IPSec Protected GRE Tunnel & firewall-cmd" -- Adam Tauno Williams <mailto:awilliam at whitemice.org> GPG D95ED383 Systems Administrator, Python Developer, LPI / NCLA
Reasonably Related Threads
- OpenVPN server and firewalld
- Libreswan IPSec Protected GRE Tunnel & firewall-cmd
- Persisting Routes In A Routing Table Other Than The Default
- Persisting Routes In A Routing Table Other Than The Default
- "Unable to fetch value for secret ..., are we an undetected RODC?"