On Sunday 14 December 2014 13:43:03 James Knott wrote:
On 12/14/2014 01:39 PM, Stanislav Baiduzhyi wrote:
The general practice is to configure the firewall to allow only what you
want, in this case OpenVPN. So just allow the UDP port it uses. When the tunnel shuts down, there should be nothing listening to that port.
Well, the problem is, the service I'm using works faster with TCP and uses port 443. Otherwise that idea would work perfectly.
Well, the same applies. You allow only the ports you want to come in. Also, as asked by someone else, is this a client or server? If client, it's not an issue.
Yes, but TCP on port 443 is HTTPS, which means that browser traffic will be allowed through this firewall rule, right?

With DD-WRT I was using some firewall rule that blocked all traffic from br0 to WAN, then allowed traffic from tun0 to WAN and from br0 to tun0. That allowed the router itself to see NTP and DNS, but all the clients had to go through openvpn or have no connection at all.

And I cannot figure out if it's possible to create similar rules for a normal client machine, where I have only one eth0 device and it can be reached directly... Is it possible to force tun0 as default network device, then allow only tun0 to contact eth0 and drop all other connections?

--
Regards,
Stas
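The following is an added example, not code posted by anyone in the thread, showing one way to build the rule set Stas is describing for a single client host with one physical NIC and one tunnel. Making tun0 the default route is OpenVPN's job (the `redirect-gateway def1` option in the client config does that); the netfilter rules below then restrict what may leave eth0 to the OpenVPN control channel itself, matched on the server's address and port, so a blanket "allow TCP 443" that browser HTTPS could ride on is never created. The server address 203.0.113.10 (a documentation address), the port 443 and the interface names eth0/tun0 are assumed placeholders; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example: OpenVPN "kill switch" rules for a single client machine.
# Assumed/hypothetical values (override via environment):
#   VPN_SERVER - IP address of the OpenVPN server. Use an IP, not a hostname,
#                because no DNS lookup is possible before the tunnel is up.
#   VPN_PORT   - TCP port the server listens on (443 in the thread).
#   LAN_IF     - the only physical interface; TUN_IF - the OpenVPN tunnel.
VPN_SERVER="${VPN_SERVER:-203.0.113.10}"
VPN_PORT="${VPN_PORT:-443}"
LAN_IF="${LAN_IF:-eth0}"
TUN_IF="${TUN_IF:-tun0}"

# Emit the rule set in iptables-restore(8) format. Generating text rather
# than calling iptables directly keeps the policy reviewable and testable.
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback is always allowed
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# replies to connections this host started (VPN control channel, tunnel traffic)
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# DHCP on the physical NIC so the host can still obtain an address
-A INPUT -i $LAN_IF -p udp --sport 67 --dport 68 -j ACCEPT
-A OUTPUT -o $LAN_IF -p udp --sport 68 --dport 67 -j ACCEPT
# The ONLY other thing allowed out of $LAN_IF: the OpenVPN control channel.
# Matching the destination address is what stops ordinary HTTPS (also TCP 443)
# from slipping past the tunnel.
-A OUTPUT -o $LAN_IF -d $VPN_SERVER -p tcp --dport $VPN_PORT -j ACCEPT
# Everything else (DNS, NTP, web) must go through the tunnel
-A OUTPUT -o $TUN_IF -j ACCEPT
# Log what gets dropped, rate-limited, so misconfigurations are visible
-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "vpn-killswitch drop: "
COMMIT
EOF
}

# Self-check: how many OUTPUT rules let traffic leave the physical NIC?
# Exactly two are expected: DHCP and the VPN control channel.
count_lan_exits() {
    gen_rules | grep -c -- "-A OUTPUT -o $LAN_IF"
}

# Apply the rules; only meaningful as root on the client.
apply_rules() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply_rules: must be run as root" >&2
        return 1
    fi
    gen_rules | iptables-restore
}

# "sh killswitch.sh apply" installs the rules; with no argument it prints them.
case "${1:-}" in
    apply) apply_rules ;;
    "")    gen_rules ;;
esac
```

Because the eth0 rules are keyed on the server's address rather than on port 443 alone, a browser connecting to any other HTTPS site on eth0 is dropped and logged, while the same connection over tun0 is allowed. If the tunnel goes down, the kernel's default route falls back to eth0, but the OUTPUT policy still drops everything except the VPN control channel, so nothing leaks while OpenVPN reconnects. These are IPv4 rules only; apply an equivalent `ip6tables` policy (at minimum `:OUTPUT DROP` with loopback allowed) as well, otherwise IPv6 traffic can bypass the tunnel entirely.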