----- Original Message -----
> ----- Original Message -----
> > On Fri, 2014-08-01 at 08:47 -0400, Miloslav Trmač wrote:
> >
> > > > 2. What zone should the server put the clients they connect. Should
> > > > there be some special vpn zone or should I use one of the existing
> > > > ones?
> > > > (none of the existing looks very reasonable for that).
> > > How are the clients connected exactly? If the traffic looks like it
> > > arrives on a virtual interface, a zone should be assigned to that
> > > interface, using the existing system-wide configuration for that
> > > interface
> > > (/etc/sysconfig/network-scripts/ifcfg*) if at all possible (this might
> > > require extra code I don’t know much about).
> >
> > Correct the traffic arrives on a virtual interface. So as according to
> > the wiki the client should at some point execute "firewall-cmd
> > --zone=myzone --add-interface=tun-client-iface".
>
> I’m not sure about that. The general case is that NetworkManager (or
> init.d/network) manage interfaces, including that virtual interface, and
> therefore _NetworkManager_ interprets the ZONE= setting from the interface
> configuration … and the client doesn’t execute anything.

(The system administrator would set ZONE= in the ifcfg-* file.)

If NetworkManager isn’t touching the virtual interface at all, your VPN server may have to configure the zone for that interface; but it should be as similar to the generic NetworkManager usage as is reasonable. (I’m not sure that having ifcfg-* files not used by NetworkManager at all and used to set ZONE= would be reasonable; at that point having a zone option in the VPN server configuration may make sense.)

And this should be probably similar to how other VPN mechanisms do this—which I’m afraid I don’t know anything about.

Mirek