On 03/05/2021 02:35, Kenneth Porter wrote:
> --On Sunday, May 02, 2021 4:02 PM +0100 lejeczek via Openvpn-users <openvpn-users@lists.sourceforge.net> wrote:
>> Not being an expert I expected that, on a Linux box, I can firewall 'tun0' of ovpn server.
>> Using 'firewalld' I put 'tun0' into a dedicated zone and selected a few ports for access but it turns out that clients see all ports as accessible.
> "All ports" of what? The OpenVPN server or the LAN/WAN behind it? Until very recently, firewalld had little support for gateways and forwarding, and OpenVPN interfaces are normally routed to other interfaces using the FORWARD table. firewalld mainly deals with the INPUT table. So you might have to add some manual iptables rules to FORWARD to get what you want. You might want to ask on the firewalld list for assistance.
that in the question - tun0. 'tun0' in the zone, tun0's ports.
Yes I have "client-to-client" but like I said - ... firewall 'tun0' of ovpn server.

So I gather from what you guys say that "firewalling" of the tun iface is possible and should work - then I'll have to dig a bit deeper into 'firewalld', which typically is pretty "use-ready-out-of-box": simply, if an iface is in a zone with 'default' target and a port/service is not specified in such zone, then it's deemed closed.
many thanks, L.
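The split Kenneth describes (zone ports govern what clients may open on the server itself, the FORWARD path governs what they reach through it) is easiest to see in the actual firewall-cmd calls. The script below is an added example written for this thread, not either poster's configuration: it assumes tun0 sits in a zone called "vpn", the LAN interface is eth1 in zone "internal", and only ssh and http should be reachable behind the server. It shows both the firewalld 0.9+ policy approach and the direct FORWARD rules an older release needs. If firewall-cmd is not installed, or DRY_RUN is set, it prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example (not the posters' configuration). Assumed names: tun0 in
# zone "vpn", LAN interface eth1 in zone "internal", allowed services ssh
# and http. Override any of them from the environment. Without
# firewall-cmd on PATH, or with DRY_RUN set, commands are echoed only.

VPN_IF=${VPN_IF:-tun0}
VPN_ZONE=${VPN_ZONE:-vpn}
LAN_IF=${LAN_IF:-eth1}
LAN_ZONE=${LAN_ZONE:-internal}
POLICY=${POLICY:-vpn-to-lan}

# Run a permanent firewalld configuration command, or print it.
fw() {
    if [ -z "$DRY_RUN" ] && command -v firewall-cmd >/dev/null 2>&1; then
        firewall-cmd --permanent "$@"
    else
        echo "firewall-cmd --permanent $*"
    fi
}

# Activate the permanent configuration, or print the reload command.
reload_fw() {
    if [ -z "$DRY_RUN" ] && command -v firewall-cmd >/dev/null 2>&1; then
        firewall-cmd --reload
    else
        echo "firewall-cmd --reload"
    fi
}

# Zone settings decide only what VPN clients may open ON THE SERVER
# (the INPUT path). This is the part the original poster already had:
# target "default" plus one allowed service, everything else closed.
vpn_zone_rules() {
    fw --new-zone="$VPN_ZONE"
    fw --zone="$VPN_ZONE" --set-target=default
    fw --zone="$VPN_ZONE" --add-interface="$VPN_IF"
    fw --zone="$VPN_ZONE" --add-service=ssh
}

# firewalld 0.9 and later: a policy with ingress zone vpn and egress zone
# internal governs the FORWARD path. Target REJECT plus an explicit
# service list closes everything else behind the server to clients.
forward_policy_rules() {
    fw --new-policy="$POLICY"
    fw --policy="$POLICY" --add-ingress-zone="$VPN_ZONE"
    fw --policy="$POLICY" --add-egress-zone="$LAN_ZONE"
    fw --policy="$POLICY" --set-target=REJECT
    fw --policy="$POLICY" --add-service=ssh
    fw --policy="$POLICY" --add-service=http
}

# Older firewalld without policies: direct rules in the FORWARD chain,
# evaluated in priority order, with a final reject for new connections
# from tun0 towards the LAN that matched no allow rule.
forward_direct_rules() {
    fw --direct --add-rule ipv4 filter FORWARD 1 -i "$VPN_IF" -o "$LAN_IF" \
        -p tcp --dport 22 -j ACCEPT
    fw --direct --add-rule ipv4 filter FORWARD 1 -i "$VPN_IF" -o "$LAN_IF" \
        -p tcp --dport 80 -j ACCEPT
    fw --direct --add-rule ipv4 filter FORWARD 2 -i "$VPN_IF" -o "$LAN_IF" \
        -j REJECT
}

# Number of commands a rule function would issue (dry run, for review).
plan_lines() {
    (DRY_RUN=1; "$1") | wc -l | tr -d ' '
}

# Apply zone rules plus one forwarding style: FORWARD_MODE=policy|direct.
apply() {
    vpn_zone_rules
    if [ "${FORWARD_MODE:-policy}" = direct ]; then
        forward_direct_rules
    else
        forward_policy_rules
    fi
    reload_fw
}

# Run as: sh this_script.sh apply   (or with DRY_RUN=1 to preview)
if [ "${1:-}" = apply ]; then
    apply
fi
```

One caveat that matters for the "client-to-client" option mentioned above: with it enabled, OpenVPN relays traffic between clients inside its own process, so those packets never traverse tun0 in the kernel and no firewalld zone or policy sees them. Without the option, client-to-client packets are routed by the kernel from tun0 back out through tun0, and a policy whose ingress and egress zones are both "vpn" (or direct rules with -i tun0 -o tun0) can filter them the same way.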
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users