firewalld settings for OpenVPN with https, ssh, and smtp
You haven't added your tun0 device to any zone, so it defaults to the default zone, which in your case is the public zone.
As root, run:
firewall-cmd --zone=internal --add-interface=tun0
You can then leave ssh and https enabled in the internal zone and disable them in the public zone.
RabT
Updated on September 18, 2022
Comments
- RabT (over 1 year): I am configuring a remote CentOS 7 webapp server to wrap https and ssh inside OpenVPN, while keeping smtp running outside of OpenVPN. I notice that, when I establish an OpenVPN connection from a Windows 7 Client using SecurePoint, I am only able to successfully connect to https://10.8.0.1 and to ssh [email protected] when https and ssh are enabled BOTH in the public zone and in the private zone of firewalld. This seems wrong because all the OpenVPN activity should be running through port 1192. So how should I configure firewalld so that https and ssh are only allowed inside the VPN, but so that smtp can still function outside the VPN?
  The output of sudo firewall-cmd --list-all-zones is as follows. What should I remove from the following configuration, and what should I add to it to accomplish the goals stated in paragraph 1 above? Are there zones below from which everything should be removed?
  block
    interfaces:
    sources:
    services:
    ports:
    masquerade: no
    forward-ports:
    icmp-blocks:
    rich rules:
  dmz
    interfaces:
    sources:
    services: ssh
    ports:
    masquerade: no
    forward-ports:
    icmp-blocks:
    rich rules:
  drop
    interfaces:
    sources:
    services:
    ports:
    masquerade: no
    forward-ports:
    icmp-blocks:
    rich rules:
  external
    interfaces:
    sources:
    services: ssh
    ports:
    masquerade: yes
    forward-ports:
    icmp-blocks:
    rich rules:
  home
    interfaces:
    sources:
    services: dhcpv6-client ipp-client mdns samba-client ssh
    ports:
    masquerade: no
    forward-ports:
    icmp-blocks:
    rich rules:
  internal
    interfaces:
    sources:
    services: dhcpv6-client https ipp-client mdns samba-client ssh
    ports:
    masquerade: no
    forward-ports:
    icmp-blocks:
    rich rules:
      rule family="ipv4" source NOT address="10.8.1.1" service name="ssh" reject
  public (default, active)
    interfaces: enp3s0
    sources:
    services: dhcpv6-client https openvpn ssh
    ports:
    masquerade: yes
    forward-ports:
    icmp-blocks:
    rich rules:
  trusted
    interfaces:
    sources:
    services:
    ports:
    masquerade: no
    forward-ports:
    icmp-blocks:
    rich rules:
  work
    interfaces:
    sources:
    services: dhcpv6-client ipp-client ssh
    ports:
    masquerade: no
    forward-ports:
    icmp-blocks:
    rich rules:
- garethTheRed (about 9 years): I know hindsight is great, but may I suggest that you only test with https, leaving ssh open on the public zone until everything works fully? It sounds as if you've now configured the services/zones correctly, but are still suffering issues with openvpn. Did you try connecting with a CentOS client?
- RabT (about 9 years): https://10.8.0.1 seems to work now after the hosting company re-instated ssh in the public zone. I am reviewing the commands I typed, and they do not include a reload command. Do you think the problem may have been due to my not re-loading the firewall after adding the tun device? Also, ssh is working through the VPN now after I removed https from the public zone. I had to change server.conf to create a route for the administrator ip address so that the assigned ip address is no longer blocked by the rich rule in the firewall. Thank you and +1 for helping me find my way.
- RabT (about 9 years): While we are still here for a moment, are you willing to please scan through the firewalld config in my OP and point out things that I can delete/remove, given my use case? For example, ssh is enabled in the dmz, external, home, and work zones, in addition to the internal zone. I have removed ssh and https from the public zone, but I am not sure what else I can safely remove. I would like a minimalist installation.
- garethTheRed (about 9 years): @CodeMed - There is no need to remove any services from zones that aren't in use (that is, don't have an interface allocated to them). Therefore you can leave home, dmz etc. alone. On the public zone you want to remove everything bar smtp (and possibly ssh for now). I'm assuming that the mail server is out-going only and you don't have a need for pop3 or imap. On the internal zone, all you need is ssh and https.
- garethTheRed (about 9 years): @CodeMed - When you're 'experimenting' remotely with the firewall, do not use the --permanent option until you're certain your changes have worked. Without the option, settings are temporary and will not survive a reboot. If your service provider provides a web based interface to reboot, you can use that to reboot and return to your original config. If they don't then run shutdown -r +15 as root to reboot in 15 minutes. If your changes lock you out, you'll be able to log back in in 15 minutes. If they don't lock you out, run shutdown -c as root to cancel the reboot.