我正在配置一个远程 CentOS 7 webapp 服务器来包装https并ssh位于 OpenVPN 内部,同时保持smtp在 OpenVPN 外部运行。我注意到,当我使用 SecurePoint 从 Windows 7 客户端建立 OpenVPN 连接时,我只能在防火墙的公共区域和私有区域中启用https : / / 10.8.0.1 和时才能成功连接。这似乎是错误的,因为所有 OpenVPN 活动都应该通过端口 1192 运行。 ssh [email protected]httpsssh那么我应该如何配置firewalld,以便https和ssh只允许在 VPN 内部使用,但仍然smtp可以在 VPN 外部运行?
的输出sudo firewall-cmd --list-all-zones如下。 我应该从以下配置中删除什么,以及应该添加什么才能实现上面第 1 段中所述的目标? 下面是否有一些区域的所有东西都应该被移除?
block
interfaces:
sources:
services:
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
dmz
interfaces:
sources:
services: ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
drop
interfaces:
sources:
services:
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
external
interfaces:
sources:
services: ssh
ports:
masquerade: yes
forward-ports:
icmp-blocks:
rich rules:
home
interfaces:
sources:
services: dhcpv6-client ipp-client mdns samba-client ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
internal
interfaces:
sources:
services: dhcpv6-client https ipp-client mdns samba-client ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source NOT address="10.8.1.1" service name="ssh" reject
public (default, active)
interfaces: enp3s0
sources:
services: dhcpv6-client https openvpn ssh
ports:
masquerade: yes
forward-ports:
icmp-blocks:
rich rules:
trusted
interfaces:
sources:
services:
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
work
interfaces:
sources:
services: dhcpv6-client ipp-client ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
答案1
您尚未将tun0设备添加到任何区域,因此它默认为该default区域,在您的情况下就是该public区域。
以 root 身份运行:
firewall-cmd --zone=internal --add-interface=tun0
然后,您可以离开ssh并https在该internal区域中启用它,并在该区域中禁用它public。