Block service over VPN Tunnel with firewall

sharpec · 2018-03-13 16:06:52 UTC

NethServer Version: NethServer release 7.4.1708 (Final)
Module: firewall

Good evening to everyone,
I have several active vpn tunnels, they all point to a server I have in the company.
I would like the basic services to pass (tcp 80 3306 5900) but I would like to avoid all the rest of the traffic.

I’m trying various rules, but I can not stop anything

I’ve created this specific rule, but it continues to pass everything from ping to web traffic
singolo ip
in object elementary i have insert ip 192.168.1.210 (local)
in object nasvpn3 i have insert ip 192.168.3.100 (remote vpn)

i have try to move at top or bottom of list, but nothing.

the external ip block worked perfectly, but with hosts or networks in vpn I can not.

it should be simple enough … what am I wrong?

mrmarkuz · 2018-03-13 17:15:40 UTC

I don’t have vpn running so I can’t test it but I found a vpn role in the firewall settings:

grafik

Maybe it works with role vpn as source and your firewall objects as destination.

sharpec · 2018-03-14 07:13:36 UTC

Yes @mrmarkuz, I know that there is the role vpn, I tried in the past to create the rules. allowing safe traffic first and then blocking everything that comes from vpn.

http://shorewall.net/manpages/shorewall-rules.html

it actually works.

I do not understand why it did not work with direct IP, perhaps because I did not specify the zone?

and anyway, I have some tunnels where I want to limit even more the services, and I will add others with time.
I do not want to publish mysql on all tunnels, in this case it makes no distinction

but above all, so I also block the ping! that would be handy for me to have