Hello,
I cannot set up the firewall for OpenVPN. I don't know where the problem is. The only way to make the VPN work is to stop IPFW via "service ipfw stop". Can someone help me set the correct IPFW rules, please?
Here is the OpenVPN config:
Code:
port 9066
proto udp4
dev tun
server 10.8.0.0 255.255.255.0
topology subnet
push "dhcp-option DNS 10.8.0.6"
push "dhcp-option DNS 10.8.0.3"
push "route 10.0.0.0 255.255.255.0"
ifconfig-pool-persist ipp.txt 0
user nobody
group nobody
ca /usr/local/etc/openvpn/keys/ca.crt
cert /usr/local/etc/openvpn/keys/openvpn-server.crt
key /usr/local/etc/openvpn/keys/openvpn-server.key # This file should be kept secret
dh /usr/local/etc/openvpn/keys/dh.pem
max-clients 10
keepalive 10 120
status openvpn-status.log
;remote-cert-tls client
comp-lzo
client-to-client
persist-key
persist-tun
tls-auth /usr/local/etc/openvpn/keys/ta.key 0 # This file is secret
Here is the IPFW list (OpenVPN listens on UDP port 9066):
Code:
00009 deny ip from table(1) to any
00010 allow ip from any to any via lo0
00101 check-state :default
00110 allow tcp from me to any dst-port 53 out via vmx0 setup keep-state :default
00111 allow udp from me to any dst-port 53 out via vmx0 keep-state :default
00200 allow tcp from any to any dst-port 80 out via vmx0 setup keep-state :default
00220 allow tcp from any to any dst-port 443 out via vmx0 setup keep-state :default
00230 allow tcp from any to any dst-port 25 out via vmx0 setup keep-state :default
00231 allow tcp from any to any dst-port 465 out via vmx0 setup keep-state :default
00232 allow tcp from any to any dst-port 587 out via vmx0 setup keep-state :default
00238 allow ip from any to any dst-port 9066 in via vmx0 setup keep-state :default
00239 allow ip from any to any dst-port 9066 out via vmx0 setup keep-state :default
00240 allow ip from any to any via tun0
00250 allow icmp from any to any out via vmx0 keep-state :default
00260 allow tcp from any to any dst-port 37 out via vmx0 setup keep-state :default
00270 allow udp from any to any dst-port 123 out via vmx0 keep-state :default
00299 deny log ip from any to any out via vmx0
00300 deny ip from 192.168.0.0/16 to any in via vmx0
00301 deny ip from 172.16.0.0/12 to any in via vmx0
00302 deny ip from 10.0.0.0/8 to any in via vmx0
00303 deny ip from 127.0.0.0/8 to any in via vmx0
00304 deny ip from 0.0.0.0/8 to any in via vmx0
00305 deny ip from 169.254.0.0/16 to any in via vmx0
00306 deny ip from 192.0.2.0/24 to any in via vmx0
00307 deny ip from 204.152.64.0/23 to any in via vmx0
00308 deny ip from 224.0.0.0/3 to any in via vmx0
00310 allow icmp from any to any in via vmx0
00315 deny tcp from any to any dst-port 113 in via vmx0
00320 deny tcp from any to any dst-port 137 in via vmx0
00321 deny tcp from any to any dst-port 138 in via vmx0
00322 deny tcp from any to any dst-port 139 in via vmx0
00323 deny tcp from any to any dst-port 81 in via vmx0
00330 deny ip from any to any frag in via vmx0
00332 deny tcp from any to any established in via vmx0
00400 allow tcp from any to me dst-port 80 in via vmx0 setup limit src-addr 200 :default
00410 allow tcp from any to me dst-port 443 in via vmx0 setup limit src-addr 200 :default
56420 allow tcp from any to me dst-port 9061 in via vmx0 setup limit src-addr 2 :default
56530 allow tcp from any to any dst-port 9060 in via vmx0 setup keep-state :default
56531 allow tcp from any to any dst-port 465 in via vmx0 setup keep-state :default
56532 allow tcp from any to any dst-port 587 in via vmx0 setup keep-state :default
56599 deny log ip from any to any in via vmx0
65535 deny ip from any to any
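Added example (my own shell script, not the poster's configuration): an audit over `ipfw list` output that flags rules combining `setup` with a non-TCP protocol, since ipfw's `setup` is shorthand for `tcpflags syn,!ack` and can never match UDP, so rules 00238/00239 above leave the OpenVPN packets to fall through to the deny rules; the replacement rule it prints (rule number, `me` keyword, interface and port as arguments) is my assumption of what a working rule looks like.

```shell
#!/bin/sh
# Audit an `ipfw list` dump for rules that can never match their named traffic:
# `setup` only matches TCP packets with SYN set and ACK clear, so pairing it
# with proto `ip` or `udp` makes the rule dead for everything but TCP SYNs.

# Sample lines taken from the rule set in the post above (embedded so the
# script runs offline without ipfw).
SAMPLE_RULES='00101 check-state :default
00111 allow udp from me to any dst-port 53 out via vmx0 keep-state :default
00238 allow ip from any to any dst-port 9066 in via vmx0 setup keep-state :default
00239 allow ip from any to any dst-port 9066 out via vmx0 setup keep-state :default
00240 allow ip from any to any via tun0
00400 allow tcp from any to me dst-port 80 in via vmx0 setup limit src-addr 200 :default'

# Reads ipfw rules on stdin and prints the numbers (space separated) of every
# rule that uses `setup` with a protocol other than tcp. The protocol is the
# word right before `from`, which skips an optional `log` / `logamount N`.
dead_setup_rules() {
    awk '
        {
            proto = ""; hit = 0
            for (i = 2; i <= NF; i++) if ($i == "from") { proto = $(i - 1); break }
            for (i = 1; i <= NF; i++) if ($i == "setup") hit = 1
            if (hit && proto != "tcp") out = out (out == "" ? "" : " ") $1
        }
        END { print out }
    '
}

# Prints a stateful inbound rule for an OpenVPN UDP listener. With check-state
# already at rule 00101 the dynamic entry also lets the server replies out past
# the `deny log ip from any to any out` rule. Assumed rule number 238.
openvpn_ipfw_rule() {
    port=$1
    ifc=$2
    printf 'ipfw add 238 allow udp from any to me dst-port %s in via %s keep-state\n' \
        "$port" "$ifc"
}

# Stand-alone run: report the dead rules in the sample, then the replacement.
printf '%s\n' "$SAMPLE_RULES" | dead_setup_rules
openvpn_ipfw_rule 9066 vmx0
```

The audit function can be fed live output with `ipfw list | dead_setup_rules`, and the printed rule can be syntax-checked before loading with `ipfw -n add ...`.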