Preventing access to the webinterface through the VPN
If you want to prevent the VPN tunnel partners from reaching the web interface, the following iptables rules can be added to /etc/sysconfig/firewall.local.
For example, with a /24 subnet mask (255.255.255.0):
#!/bin/sh
# Used for private firewall rules

# Replace the placeholders with your OpenVPN subnet and the green IP of the IPFire
OPENVPN_NET="<OpenVPN-net>/24"
GREEN_IP="<green-IP-IPFire>"

# See how we were called.
case "$1" in
start)
## add your 'start' rules here
# Prohibit WUI access via VPN (the WUI listens on TCP port 444)
/sbin/iptables -A CUSTOMINPUT -s "$OPENVPN_NET" -p tcp -d "$GREEN_IP" --dport 444 -j DROP
;;
stop)
## add your 'stop' rules here
# Remove the rule again (same specification, -D instead of -A)
/sbin/iptables -D CUSTOMINPUT -s "$OPENVPN_NET" -p tcp -d "$GREEN_IP" --dport 444 -j DROP
;;
reload)
$0 stop
$0 start
## add your 'reload' rules here
;;
*)
echo "Usage: $0 {start|stop|reload}"
;;
esac
After running:
/etc/sysconfig/firewall.local reload
the rules are active.
Block ICMP for OpenVPN
If ICMP from the VPN is to be blocked by the firewall, a few things need to be considered. ICMP types 0 (echo reply), 3 (destination unreachable), 8 (echo request) and 11 (time exceeded) should remain open, otherwise connection problems can appear (for example path MTU discovery, which relies on type 3, stops working).
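The following firewall.local is an added example that combines both sections above (the WUI block and the ICMP exceptions); it is not IPFire's own script. The subnet 10.8.0.0/24, the green IP 192.168.1.1 and the DRY_RUN switch are constructed assumptions: with DRY_RUN=1 the script only prints the iptables commands it would run, so the rule set can be checked as a normal user before it is installed.

```shell
#!/bin/sh
# Added example for /etc/sysconfig/firewall.local (not IPFire's own file).
# OPENVPN_NET and GREEN_IP are constructed sample values; replace them.
OPENVPN_NET="${OPENVPN_NET:-10.8.0.0/24}"   # assumed OpenVPN subnet
GREEN_IP="${GREEN_IP:-192.168.1.1}"          # assumed green IP of the IPFire
WUI_PORT=444                                 # IPFire web interface port
ICMP_TYPES="0 3 8 11"                        # echo-reply, dest-unreachable, echo-request, time-exceeded

# Print one iptables command for the CUSTOMINPUT chain. ACTION is -A or -D.
emit_rule() {
    action="$1"; shift
    echo "/sbin/iptables $action CUSTOMINPUT $*"
}

# Print the complete rule set. MODE is A (add) or D (delete); the same
# specifications are used for both, so "stop" removes exactly what "start" added.
rules_for() {
    mode="$1"
    # Keep the ICMP types needed for error reporting and PMTU discovery
    for t in $ICMP_TYPES; do
        emit_rule "-$mode" -s "$OPENVPN_NET" -p icmp --icmp-type "$t" -j ACCEPT
    done
    # Drop all other ICMP arriving from the tunnel
    emit_rule "-$mode" -s "$OPENVPN_NET" -p icmp -j DROP
    # Prohibit WUI access via VPN
    emit_rule "-$mode" -s "$OPENVPN_NET" -p tcp -d "$GREEN_IP" --dport "$WUI_PORT" -j DROP
}

# Apply (or, with DRY_RUN=1, only print) every rule produced by rules_for.
apply_rules() {
    rules_for "$1" | while read -r cmd; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "$cmd"
        else
            $cmd
        fi
    done
}

case "$1" in
start)
    apply_rules A
    ;;
stop)
    apply_rules D
    ;;
reload)
    "$0" stop
    "$0" start
    ;;
*)
    echo "Usage: $0 {start|stop|reload}"
    ;;
esac
```

Run `DRY_RUN=1 sh firewall.local start` to review the six commands before copying the file into place; the ACCEPT rules are emitted before the ICMP DROP so that they match first, and the "stop" branch deletes the same rules in the same order.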