FirewallD Issue


Hello everybody.

Recently I moved the external interface to zone “external” on my home server/router, and something strange is happening. From my router
(chamber, CentOS 7) everything is fine:

[root@chamber ~]# firewall-cmd --list-all
home (default, active)
interfaces: enp3s0 tun0 virbr0
sources:
services: dhcp dhcpv6-client dns http https imaps ipp-client mdns nfs samba samba-client vnc-server
ports: 143/tcp 26666/tcp
masquerade: no
forward-ports:
icmp-blocks:
rich rules:

[root@chamber ~]# firewall-cmd --list-all --zone=external
external (active)
interfaces: enp1s0
sources:
services:
ports: 26666/tcp
masquerade: yes
forward-ports:
icmp-blocks:
rich rules:

[root@chamber ~]# nmap 10.0.49.14

Starting Nmap 6.40 ( http://nmap.org ) at 2016-04-21 11:57 CEST
Nmap scan report for 10.0.49.14
Host is up (0.00045s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
443/tcp open  https
MAC Address: 52:54:00:D6:6D:4A (QEMU Virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 0.18 seconds

But from host in another location (connected through VPN):

moonwolf  ~  nmap 10.0.49.14

Starting Nmap 7.12 ( https://nmap.org ) at 2016-04-21 11:59 CEST
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn Nmap done: 1 IP address (0 hosts up) scanned in 0.06 seconds moonwolf  ~  nmap 10.0.49.14 -Pn -p22

Starting Nmap 7.12 ( https://nmap.org ) at 2016-04-21 11:59 CEST
Nmap scan report for svn.karakkhaz.dwarfs (10.0.49.14)
Host is up (0.015s latency). PORT STATE SERVICE
22/tcp filtered ssh

Nmap done: 1 IP address (1 host up) scanned in 0.05 seconds

moonwolf  ~  ping 10.0.49.14
PING 10.0.49.14 (10.0.49.14) 56(84) bytes of data.
64 bytes from 10.0.49.14: icmp_seq=1 ttl=62 time=9.45 ms
64 bytes from 10.0.49.14: icmp_seq=2 ttl=62 time=26.0 ms
^C
— 10.0.49.14 ping statistics —
2 packets transmitted, 2 received, 0% packet loss, time 1001ms rtt min/avg/max/mdev = 9.459/17.754/26.050/8.296 ms

What could cause this behavior? Before interface move everything was working as expected.


Over And Out MoonWolf

6 thoughts on - FirewallD Issue

  • What host serves the VPN? If it’s another host, how is that host connected to the router? If it’s “chamber,” what type of VPN is it?

  • It’s OpenVPN on chamber.

    I’ve just noticed that it’s similar from home to the other location. To clear things up: 10.0.49.0/26 is my home network,
    10.0.32.0/22 is one of the VLANs at work (“the other location”).

    From chamber:

    [root@chamber ~]# nmap 10.0.32.7

    Starting Nmap 6.40 ( http://nmap.org ) at 2016-04-21 22:12 CEST
    Nmap scan report for 10.0.32.7
    Host is up (0.053s latency).
    Not shown: 988 closed ports
    PORT STATE SERVICE
    21/tcp open ftp
    25/tcp open smtp
    80/tcp open http
    110/tcp open pop3
    111/tcp open rpcbind
    143/tcp open imap
    389/tcp open ldap
    443/tcp open https
    993/tcp open imaps
    995/tcp open pop3s
    2049/tcp open nfs
    5666/tcp open nrpe

    Nmap done: 1 IP address (1 host up) scanned in 1.97 seconds

    From other host in home network:

    [moonwolf@kazad ~]$ nmap 10.0.32.7

    Starting Nmap 7.12 ( https://nmap.org ) at 2016-04-21 22:12 CEST
    Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
    Nmap done: 1 IP address (0 hosts up) scanned in 0.03 seconds

    When I move enp1s0 (external interface) to the “home” zone, everything works fine.

    My observations:

    * When enp1s0 and tun0 (VPN interface) are both in the “external” zone I’m able to scan ports of work’s network from home. But not the opposite:

    [root@palpatine ~]# nmap 10.0.49.16

    Starting Nmap 5.51 ( http://nmap.org ) at 2016-04-21 22:26 CEST
    Nmap scan report for 10.0.49.16
    Host is up (0.039s latency).
    All 1000 scanned ports on 10.0.49.16 are filtered

    Nmap done: 1 IP address (1 host up) scanned in 9.60 seconds

    * When enp1s0 is in the “external” zone (as the only interface), and tun0 is in
    the “home” zone, I can’t scan ports in home nor work.

    * When all interfaces are in the “home” zone I can scan ports everywhere.

    It’s a bit chaotic, I know. Sorry about that.

  • What port is it using? I don’t see the standard port listed in your firewalld rules in either zone.

    Also, you probably should specify tun+ instead of tun0, even if you think there will only be one tunnel up at any given time.

  • 1194/udp. I added service openvpn and port 1194/udp (just to be sure) to both zones – no change.

    [root@chamber openvpn]# firewall-cmd --list-all
    home (default, active)
    interfaces: enp3s0 tun0 vbr0 virbr0 vnet0 vnet1
    sources:
    services: dhcp dhcpv6-client dns http https imaps ipp-client mdns nfs openvpn samba samba-client vnc-server
    ports: 143/tcp 26666/tcp 1194/udp
    masquerade: no
    forward-ports:
    icmp-blocks:
    rich rules:

    [root@chamber openvpn]# firewall-cmd --list-all --zone=external
    external (active)
    interfaces: enp1s0
    sources:
    services: openvpn
    ports: 26666/tcp 1194/udp
    masquerade: yes
    forward-ports:
    icmp-blocks:
    rich rules:

    Specify where?

    Despite the fact that I can’t scan their ports, I’m able to ping those hosts.

    Maybe it’s not firewalld related? I can scan ports from chamber (home router). I’ll try tcpdump maybe, to see what is going on with packets?

  • Hi Marcin, please check the port number in your OpenVPN config file, then check whether your firewalld config allows that same port.

  • firewall-cmd --zone=home --add-interface=tun+

    Beyond that, I can’t really tell what firewalld is doing with forwarded traffic from the output you’ve given, just the incoming traffic. It might be more clear to just post the output of “iptables -L -vn”
    somewhere. https://paste.fedoraproject.org/ maybe
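Added example (not code from the thread, from firewalld, or from any of the posters): a small Python parser for the `firewall-cmd --list-all` layout quoted above. It answers the two things the replies circle around: which zone an interface actually lands in (honouring the `tun+` prefix wildcard the last two replies suggest) and which of a zone's settings can touch forwarded traffic at all, as opposed to the services and ports lists, which only open ports on the router itself. The sample listing is constructed for illustration; its forward-port and rich rule are made up and do not come from the original poster's configuration.

```python
"""Parse firewall-cmd --list-all style zone listings (added example, not firewalld code)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample in the layout of the listings posted in the thread.
# The forward-port and the rich rule are hypothetical, added for illustration.
SAMPLE_LISTING = """\
home (default, active)
  interfaces: enp3s0 tun+ virbr0
  sources:
  services: dhcp dns http https openvpn
  ports: 143/tcp 26666/tcp 1194/udp
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

external (active)
  interfaces: enp1s0
  sources:
  services: openvpn
  ports: 26666/tcp 1194/udp
  masquerade: yes
  forward-ports: port=2222:proto=tcp:toport=22:toaddr=10.0.49.14
  icmp-blocks:
  rich rules:
\trule family="ipv4" source address="10.0.32.0/22" accept
"""

ZONE_HEADER = re.compile(r"^(?P<name>\S+)(?: \((?P<flags>[^)]*)\))?\s*$")
FIELD_LINE = re.compile(r"^\s*(?P<key>[a-z][a-z -]*?):\s*(?P<value>.*)$")


@dataclass
class Zone:
    name: str
    default: bool = False
    active: bool = False
    interfaces: list[str] = field(default_factory=list)
    sources: list[str] = field(default_factory=list)
    services: list[str] = field(default_factory=list)
    ports: list[str] = field(default_factory=list)
    masquerade: bool = False
    forward_ports: list[str] = field(default_factory=list)
    icmp_blocks: list[str] = field(default_factory=list)
    rich_rules: list[str] = field(default_factory=list)


def parse_zones(text: str) -> dict[str, Zone]:
    """Turn one or more --list-all blocks (or --list-all-zones output) into Zones by name."""
    zones: dict[str, Zone] = {}
    current: Zone | None = None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped:
            continue
        if current is not None and stripped.startswith("rule "):
            current.rich_rules.append(stripped)  # one rule per line under 'rich rules:'
            continue
        m = FIELD_LINE.match(raw)
        if m and current is not None:
            key = m.group("key").replace(" ", "_").replace("-", "_")
            value = m.group("value").split()
            if key == "masquerade":
                current.masquerade = value == ["yes"]
            elif key != "rich_rules" and hasattr(current, key):
                setattr(current, key, value)
            continue
        m = ZONE_HEADER.match(raw)  # e.g. "home (default, active)" or "external (active)"
        if m:
            flags = (m.group("flags") or "").replace(",", " ").split()
            current = Zone(m.group("name"), "default" in flags, "active" in flags)
            zones[current.name] = current
    return zones


def interface_matches(pattern: str, iface: str) -> bool:
    """A trailing '+' is the iptables-style prefix wildcard: tun+ matches tun0, tun1, ..."""
    return iface.startswith(pattern[:-1]) if pattern.endswith("+") else iface == pattern


def zone_for_interface(zones: dict[str, Zone], iface: str) -> str | None:
    """Name of the zone whose interface list covers iface, or None if unbound."""
    for zone in zones.values():
        if any(interface_matches(p, iface) for p in zone.interfaces):
            return zone.name
    return None


def forwarding_config(zone: Zone) -> dict[str, object]:
    """Only these listing fields can act on forwarded packets. services and ports are
    left out on purpose: they open ports on the host itself, so a --list-all dump
    alone cannot tell you the verdict of the FORWARD chain (see iptables -L -vn)."""
    return {"masquerade": zone.masquerade, "forward_ports": list(zone.forward_ports),
            "icmp_blocks": list(zone.icmp_blocks), "rich_rules": list(zone.rich_rules)}


def forwarding_path_report(zones: dict[str, Zone], in_iface: str, out_iface: str) -> dict[str, object]:
    """Zones and forwarding-relevant settings crossed by a packet entering in_iface and leaving out_iface."""
    in_zone, out_zone = zone_for_interface(zones, in_iface), zone_for_interface(zones, out_iface)
    return {"in_iface": in_iface, "in_zone": in_zone, "out_iface": out_iface, "out_zone": out_zone,
            "in_zone_forwarding": forwarding_config(zones[in_zone]) if in_zone else None,
            "out_zone_forwarding": forwarding_config(zones[out_zone]) if out_zone else None}


if __name__ == "__main__":
    import json
    zones = parse_zones(SAMPLE_LISTING)
    for pair in (("tun0", "enp1s0"), ("enp1s0", "tun0")):
        print(json.dumps(forwarding_path_report(zones, *pair), indent=2))
```

Run as-is it prints the report for the tun0 to enp1s0 and enp1s0 to tun0 paths over the constructed sample; to check a real router, pipe `firewall-cmd --list-all-zones` into `parse_zones` instead. The parser deliberately stops short of predicting what the FORWARD chain will do with a packet, because, as the last reply notes, the zone dump does not contain that information.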