[Firewall] IPv6 not blocking INET->DMZ or INET->LAN

Lonnie Abelbeck lists at lonnie.abelbeck.com
Fri Mar 14 21:20:43 CET 2014


Jason,

I think all the info you need is in this thread, if you treat tun0 (or tun+) as an INT_IF, etc.

I don't think OpenVPN would 'short-circuit' any forward paths, though there are some client to client rules in OpenVPN IIRC.

Give it a shot, and if there are specific issues with specific tests, ask again.

Lonnie


On Mar 14, 2014, at 2:08 PM, Jason Stahls wrote:

> Lonnie,
> 
> This box's primary purpose is actually web/mail/db server, it is also the center of a PtMP OpenVPN network.
> 
> IPv4 is all off-net, each site uses their local provider for general Internet. IPv6 is all allocated out of the /48 I get from my hosting provider so it's all routed back through the OpenVPN links and jumps to the rest of the Internet through this box. I want to open 22,25,53,80,etc. for the computer on its external interface but still block those ports forwarding through to the internal tun+ interface. Do I do this via a NAT forward to one of the internal interface IPs, or a forward to the external interface, or? :) I do have NAT enabled for PPTP clients (kinda roundabout but gets me on US Netflix) and I've set NAT_INTERNAL_NET to just the PPTP range.
> 
> Thanks,
> 
> Jason
> 
> On 3/14/2014 10:46 AM, Lonnie Abelbeck wrote:
>> Jason,
>> 
>> A couple more 'tips'...
>> 
>> For IPv4 NAT Forwarding use:
>> 
>> NAT_FORWARD_TCP (or _UDP or _IP)
>> 
>> For IPv6 (or routed IPv4) Forwarding use:
>> 
>> INET_FORWARD_TCP (or _UDP or _IP)
>> 
>> "Any" Host values:
>> 
>> 0.0.0.0/0 - Any IPv4 Address
>> 
>> ::/0 - Any IPv6 Address
>> 
>> 0/0 - Any IPv4 or IPv6 Address (unless source or destination is qualified as IPv4 or IPv6)
>> 
>> Lonnie
>> 
>> 
>> On Mar 14, 2014, at 9:23 AM, Wijatmoko U. Prayitno wrote:
>> 
>>> Use variable HOST_OPEN_UDP or HOST_OPEN_TCP
>>> 
>>> On Fri, 14 Mar 2014 10:18:44 -0400
>>> Jason Stahls <jason at justuscare.ca> wrote:
>>> 
>>>> I still haven't quite figured out what I've done, but I decided to
>>>> start with a fresh config instead. How can I open ports for just the
>>>> host? From my understanding of the comments using OPEN_TCP/UDP/IP
>>>> will cause it to forward and not block those ports right?
>>>> 
>>>> Thanks,
>>>> 
>>>> Jason
>>>> 
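The distinction the thread keeps returning to is that ports opened for the host itself belong in the INPUT chain, while anything reaching tun+ from the Internet has to pass the FORWARD chain, so opening 22,25,53,80 on the host does not open them for forwarding as long as FORWARD defaults to DROP. The script below is an added example, not part of the original messages and not written in the firewall's own rc.conf variable syntax (HOST_OPEN_TCP, INET_FORWARD_TCP): it emits a plain ip6tables-restore ruleset. The interface names eth0 and tun+ and the 2001:db8:1::/48 documentation prefix are constructed placeholders standing in for the external interface, the OpenVPN tunnels and the hosting provider's /48.

```shell
#!/bin/sh
# Added example: generate an ip6tables-restore ruleset that opens ports on the
# host (INPUT) while leaving inbound forwarding to the tunnels (FORWARD) closed.
# All names below are constructed placeholders, not values from the thread.

EXT_IF="eth0"            # assumption: Internet-facing interface
INT_IF="tun+"            # assumption: OpenVPN tunnels treated as the internal side
LAN6="2001:db8:1::/48"   # constructed documentation prefix, stands in for the routed /48
HOST_OPEN_TCP="22 25 53 80"
HOST_OPEN_UDP="53"

# Print the ruleset to stdout so it can be reviewed before ip6tables-restore loads it.
gen_rules() {
    echo "*filter"
    echo ":INPUT DROP [0:0]"
    echo ":FORWARD DROP [0:0]"      # nothing is routed unless a rule below says so
    echo ":OUTPUT ACCEPT [0:0]"
    echo "-A INPUT -i lo -j ACCEPT"
    echo "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "-A INPUT -p ipv6-icmp -j ACCEPT"   # neighbour discovery and PMTU need ICMPv6
    # Host-open ports: these only ever reach the box itself.
    for p in $HOST_OPEN_TCP; do
        echo "-A INPUT -i $EXT_IF -p tcp --dport $p -j ACCEPT"
    done
    for p in $HOST_OPEN_UDP; do
        echo "-A INPUT -i $EXT_IF -p udp --dport $p -j ACCEPT"
    done
    # Forwarding: replies to tunnel-originated traffic come back, the routed /48
    # may go out, but no new connection from the Internet is forwarded to tun+.
    echo "-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "-A FORWARD -p ipv6-icmp -j ACCEPT"
    echo "-A FORWARD -i $INT_IF -o $EXT_IF -s $LAN6 -j ACCEPT"
    echo "COMMIT"
}

# Number of rules that would accept a new TCP connection from the Internet to the
# host on the given port (1 for an opened port, 0 otherwise).
input_open_count() {
    gen_rules | grep -c -- "-A INPUT -i $EXT_IF -p tcp --dport $1 -j ACCEPT" || true
}

# Number of rules that would forward a new TCP connection from the Internet to the
# tunnels on the given port; the ruleset above never adds one, so this stays 0.
forward_open_count() {
    gen_rules | grep -c -- "-A FORWARD -i $EXT_IF -o $INT_IF .*--dport $1 -j ACCEPT" || true
}

if [ "$1" = "--apply" ]; then
    gen_rules | ip6tables-restore   # requires root; review the output first
else
    gen_rules
fi
```

Run without arguments to inspect the ruleset; the two count helpers are what a quick self-check would use to confirm that a host-open port shows up in INPUT but not in FORWARD. Swapping the default FORWARD policy to ACCEPT, or adding an INET-forward style rule, is what would change the second answer.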

