[CentOS] FirewallD issue

Thu Apr 21 20:33:15 UTC 2016
Marcin Trendota <moonwolf.rh at gmail.com>

On Thursday 21 of April 2016 9:08:09 AM Gordon Messmer wrote:
> On 04/21/2016 03:11 AM, Marcin Trendota wrote:
> > But from host in another location (connected through VPN):
> What host serves the VPN?  If it's another host, how is that host
> connected to the router?  If it's "chamber," what type of VPN is it?

It's OpenVPN on chamber.

I've just noticed that it's similar from home to the other location.
To clarify: my home network is one of the VLANs at work ("the other location").

From chamber:

[root@chamber ~]# nmap
Starting Nmap 6.40 ( http://nmap.org ) at 2016-04-21 22:12 CEST
Nmap scan report for
Host is up (0.053s latency).
Not shown: 988 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
25/tcp   open  smtp
80/tcp   open  http
110/tcp  open  pop3
111/tcp  open  rpcbind
143/tcp  open  imap
389/tcp  open  ldap
443/tcp  open  https
993/tcp  open  imaps
995/tcp  open  pop3s
2049/tcp open  nfs
5666/tcp open  nrpe
Nmap done: 1 IP address (1 host up) scanned in 1.97 seconds

From another host in the home network:

[moonwolf@kazad ~]$ nmap

Starting Nmap 7.12 ( https://nmap.org ) at 2016-04-21 22:12 CEST
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 0.03 seconds

When I move enp1s0 (external interface) to the "home" zone, everything works.

My observations:

* When enp1s0 and tun0 (VPN interface) are both in the "external" zone, I'm
able to scan ports of work's network from home.
But not the opposite:
[root@palpatine ~]# nmap

Starting Nmap 5.51 ( http://nmap.org ) at 2016-04-21 22:26 CEST
Nmap scan report for
Host is up (0.039s latency).
All 1000 scanned ports on are filtered

Nmap done: 1 IP address (1 host up) scanned in 9.60 seconds

* When enp1s0 is in the "external" zone (as the only interface), and tun0 is in
the "home" zone, I can't scan ports in home nor work.

* When all interfaces are in the "home" zone, I can scan ports everywhere.

It's a bit chaotic, I know. Sorry about that.

Over And Out
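As an added example (not part of the thread or of firewalld itself), a small POSIX shell helper that parses `firewall-cmd --get-active-zones` output and flags the layout the poster was running when the home host reported the server down: the VPN interface sharing a zone with the Internet-facing uplink. The zone listings below are constructed, and moving tun0 into the stock `internal` zone assumes that zone is otherwise unused on the host.

```shell
# Constructed `firewall-cmd --get-active-zones` output for two layouts from the
# thread (not captured from the poster's hosts).
BOTH_IN_EXTERNAL='external
  interfaces: enp1s0 tun0'

VPN_IN_OWN_ZONE='external
  interfaces: enp1s0
internal
  interfaces: tun0'

# Read --get-active-zones output on stdin and print "<interface> <zone>" per
# interface: firewalld prints the zone name flush left and its interfaces on
# the indented "interfaces:" line beneath it ("sources:" lines are skipped).
iface_zone_map() {
    awk '
        /^[^ \t]/            { zone = $1; next }
        /^[ \t]+interfaces:/ { for (i = 2; i <= NF; i++) print $i, zone }
    '
}

# Print the zone holding interface $1, or nothing if it is not in an active zone.
zone_of() {
    iface_zone_map | awk -v iface="$1" '$1 == iface { print $2 }'
}

# Succeed when the VPN interface ($2) sits in the same zone as the uplink ($1).
# Every service restriction meant for the Internet side then applies to VPN
# peers as well, so a permissive fix would be to loosen "external" for everyone;
# a dedicated zone for tun0 keeps the two trust levels apart.
vpn_shares_uplink_zone() {
    zones="$(iface_zone_map)"
    uplink="$(printf '%s\n' "$zones" | awk -v i="$1" '$1 == i { print $2 }')"
    vpn="$(printf '%s\n' "$zones" | awk -v i="$2" '$1 == i { print $2 }')"
    [ -n "$uplink" ] && [ "$uplink" = "$vpn" ]
}

if printf '%s\n' "$BOTH_IN_EXTERNAL" | vpn_shares_uplink_zone enp1s0 tun0; then
    echo "tun0 shares zone '$(printf '%s\n' "$BOTH_IN_EXTERNAL" | zone_of tun0)' with enp1s0"
    echo "Give the VPN its own zone instead of opening 'external' to everyone:"
    echo "  firewall-cmd --permanent --zone=internal --change-interface=tun0 && firewall-cmd --reload"
fi
```

On a real host, replace the constructed listings with `firewall-cmd --get-active-zones | vpn_shares_uplink_zone enp1s0 tun0`, and check what each zone actually admits with `firewall-cmd --zone=external --list-all`.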