If you want to prevent the VPN tunnel partners from having access to the web interface, the following iptables rules can be added to /etc/sysconfig/firewall.local and adapted to your setup.
For example, with a /24 subnet mask (255.255.255.0); replace the two placeholders with your OpenVPN subnet and the green IP of the IPFire box:
#!/bin/sh
# Used for private firewall rules
# See how we were called.
case "$1" in
    start)
        ## add your 'start' rules here
        # Prohibit WUI access via VPN: drop TCP from the OpenVPN subnet to the
        # green IP of IPFire on the WUI port 444 (placeholders in angle brackets)
        /sbin/iptables -A CUSTOMINPUT -s <OpenVPN-net>/24 -p tcp -d <green-IP-IPFire> --dport 444 -j DROP
        ;;
    stop)
        ## add your 'stop' rules here
        # Remove the WUI block rule again (same match as in 'start')
        /sbin/iptables -D CUSTOMINPUT -s <OpenVPN-net>/24 -p tcp -d <green-IP-IPFire> --dport 444 -j DROP
        ;;
    reload)
        $0 stop
        $0 start
        ## add your 'reload' rules here
        ;;
    *)
        echo "Usage: $0 {start|stop|reload}"
        ;;
esac
After running:
/etc/sysconfig/firewall.local reload
the rules should be active.
If ICMP is to be blocked by the firewall, a few things need to be considered: ICMP types 0 (echo reply), 3 (destination unreachable), 8 (echo request) and 11 (time exceeded) should remain open, otherwise connection problems can appear.
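As an added example (not IPFire's own firewall.local), the script below builds the same CUSTOMINPUT rules as the snippet above, but adds the WUI block idempotently (a plain -A on every 'start' stacks duplicate rules) and adds ACCEPT rules for the four ICMP types just mentioned ahead of an ICMP DROP. The OpenVPN subnet and green IP are constructed placeholders; it assumes an iptables with -C (rule check) support and an existing CUSTOMINPUT chain, and prints the commands instead of applying them unless DRY_RUN=0.

```shell
#!/bin/sh
# Added example, not IPFire's own firewall.local: idempotent WUI block plus
# the ICMP types that must stay open. Assumes iptables supports -C and that
# the CUSTOMINPUT chain exists. Subnet and green IP below are constructed.

OPENVPN_NET="10.10.10.0/24"       # constructed: OpenVPN subnet, /24 as in the text
GREEN_IP="192.168.1.1"            # constructed: green IP of the IPFire box
WUI_PORT=444                      # IPFire web interface port
ICMP_ALLOW_TYPES="0 3 8 11"       # echo reply, unreachable, echo request, time exceeded
IPTABLES="${IPTABLES:-/sbin/iptables}"
DRY_RUN="${DRY_RUN:-1}"           # 1 = print commands only (no root needed); 0 = apply

# Print (dry run) or execute one iptables invocation.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then echo "$IPTABLES $*"; else "$IPTABLES" "$@"; fi
}

# The WUI block rule, shared by add and delete so both sides stay identical.
wui_block_spec() {
    echo "CUSTOMINPUT -s $OPENVPN_NET -p tcp -d $GREEN_IP --dport $WUI_PORT -j DROP"
}

# Add the rule only if it is not already present: -C returns non-zero when the
# rule is absent, so repeated 'start' calls do not stack duplicates.
wui_block_start() {
    spec=$(wui_block_spec)
    if [ "$DRY_RUN" = 1 ] || ! "$IPTABLES" -C $spec 2>/dev/null; then ipt -A $spec; fi
}

# Remove every copy of the rule; -D deletes only one match per call.
wui_block_stop() {
    spec=$(wui_block_spec)
    if [ "$DRY_RUN" = 1 ]; then ipt -D $spec
    else while "$IPTABLES" -D $spec 2>/dev/null; do :; done; fi
}

# Block ICMP except the types needed for working connections ($1 is -A or -D).
icmp_rules() {
    for t in $ICMP_ALLOW_TYPES; do
        ipt "$1" CUSTOMINPUT -p icmp --icmp-type "$t" -j ACCEPT
    done
    ipt "$1" CUSTOMINPUT -p icmp -j DROP
}

case "${1:-}" in
    start)  wui_block_start; icmp_rules -A ;;
    stop)   wui_block_stop;  icmp_rules -D ;;
    reload) "$0" stop; "$0" start ;;
esac
```

Run it as `DRY_RUN=1 sh firewall.local start` first to review the generated rules, then with DRY_RUN=0 as root to apply them.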
December 9, 2019 at 11:35 pm • Jon