[Freedombox-discuss] Please help: Freedombox as a router, "not working" anymore (details inside)
daddy at autistici.org
Thu Oct 11 12:45:43 BST 2018
an update, in case it will be helpful to anyone:
1. The problem seems not to be related to docker.
2. I found a workaround, but not a solution.
1. After disabling docker, removing all network interfaces it
created and rebooting the system, the situation remains the same -
packets from the Internal zone are rejected instead of routed to
the External zone. I wasn't able to find any other scripts messing
with iptables or the firewall.
2. Workaround: after moving all my LAN interfaces from the Internal
zone to the Trusted zone (inspired by this bug report [1]), the
routing functionality is restored. While this works in practice,
it also opens an attack surface on the box itself, for potential
attacks launched from my LAN.
[1] "Network via bridge device on host no longer works when
firewalld is active"
Daddy <daddy at autistici.org> wrote:
> thank you for your answer and your time.
> I'll study the links you provided and investigate the influence
> of the docker further.
> This may take me another two weeks :)
> PS: Sorry for bringing up something which now looks like
> unrelated to the actual Freedombox part of my system.
> On 08.10.2018 20:59, Sunil Mohan Adapa wrote:
> > On Monday 08 October 2018 02:32 AM, Daddy wrote:
> > [...]
> >> I was eventually able to get the DHCP working (by manually allowing the
> >> service in firewalld), but not the connection to the internet.
> >> *My network setup:*
> >> <WAN> -- <Modem> -- <Freedombox> -- <LAN>
> >> <LAN> is connected to Fbx through two separate interfaces - wired and
> >> wireless, both set as internal zone in firewall.
> >> LAN connections are both using "Shared" ipv4 setting; no settings were
> >> adjusted.
> >> *Freedombox System:*
> >> Debian GNU/Linux buster/sid and FreedomBox version 0.39.0.
> >> I'm not filing a bug report, as this may have been caused by something
> >> I've chosen during the manual system upgrade - I'm just not able to
> >> pinpoint it yet.
> > Hello,
> > Your iptables-save output shows that you are not using firewalld.
> > However, for the commands you have executed you indeed have firewalld
> > running.
> > A possible explanation is that you have set up separate iptables scripts
> > other than firewalld. First firewalld starts, then the offending script
> > starts and wipes out the firewalld chains. See below for a sample of how
> > the nat table should look with firewalld. To test this theory,
> > restart firewalld, (observe different output for iptables-save),
> > disconnect/connect shared network connections, check if the problem is
> > resolved. To fix, remove the offending script.
> > Also, you seem to have docker containers running. Docker seems to insert
> > its own chains (but not sure if it wipes iptables). Docker is usually
> > started after firewalld when running under systemd. So, things should
> > be okay unless you restart firewalld. To properly fix this you may want
> > to explore and setup firewalld rich rules and ask docker to not touch
> > iptables.
> > Links:
> > 1)
> > https://success.docker.com/article/why-am-i-having-network-problems-after-firewalld-is-restarted
> > 2) https://fedoraproject.org/wiki/Features/FirewalldRichLanguage
Sent using Mailpile, Free Software from www.mailpile.is
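The diagnostic Sunil proposes above (compare `iptables-save` before and after restarting firewalld and see whether firewalld's chains survive) can be scripted. The following is an added example, not code from this thread or from FreedomBox; the chain names it looks for are those firewalld's iptables backend creates (INPUT_ZONES, FORWARD_IN_ZONES, FORWARD_OUT_ZONES, PREROUTING_ZONES, POSTROUTING_ZONES), and the two `iptables-save` dumps are constructed samples: one where only docker's chains remain after a script flushed the tables, one where firewalld's chains and the MASQUERADE rule for the external zone are in place.

```shell
#!/bin/sh
# Added example (not part of the original thread): check whether an
# iptables-save dump still carries firewalld's chains. If a separate
# iptables script flushes the tables after firewalld has started, the
# chains below vanish even though `systemctl status firewalld` says active.

# Chains created by firewalld's iptables backend. This list is an
# assumption of the example, not an exhaustive inventory.
FIREWALLD_CHAINS="INPUT_ZONES FORWARD_IN_ZONES FORWARD_OUT_ZONES PREROUTING_ZONES POSTROUTING_ZONES"

# Constructed sample: tables after something wiped firewalld's rules;
# only docker's own chains are left.
WIPED_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
-A FORWARD -o docker0 -j DOCKER
COMMIT'

# Constructed sample: what the tables look like right after
# `systemctl restart firewalld` with a masqueraded external zone on eth0.
HEALTHY_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:PREROUTING_ZONES - [0:0]
:POSTROUTING_ZONES - [0:0]
:POST_external - [0:0]
-A PREROUTING -j PREROUTING_ZONES
-A POSTROUTING -j POSTROUTING_ZONES
-A POSTROUTING_ZONES -o eth0 -g POST_external
-A POST_external -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:INPUT_ZONES - [0:0]
:FORWARD_IN_ZONES - [0:0]
:FORWARD_OUT_ZONES - [0:0]
-A INPUT -j INPUT_ZONES
-A FORWARD -j FORWARD_IN_ZONES
-A FORWARD -j FORWARD_OUT_ZONES
COMMIT'

# missing_firewalld_chains DUMP
# Prints one "missing chain: NAME" line per expected firewalld chain that
# is absent from DUMP. Returns 0 if every chain is present, 1 otherwise.
missing_firewalld_chains() {
    dump="$1"
    missing=0
    for chain in $FIREWALLD_CHAINS; do
        # chain declarations in iptables-save look like ":NAME - [0:0]"
        if ! printf '%s\n' "$dump" | grep -q "^:$chain "; then
            echo "missing chain: $chain"
            missing=1
        fi
    done
    return $missing
}

# has_masquerade DUMP
# Returns 0 if some nat rule masquerades traffic, which a "Shared"
# connection needs to reach the Internet; 1 otherwise.
has_masquerade() {
    printf '%s\n' "$1" | grep -q -- '-j MASQUERADE'
}

# Live use on the box (as root), before and after `systemctl restart firewalld`:
#   missing_firewalld_chains "$(iptables-save)" && has_masquerade "$(iptables-save)"
```

If the chains are present right after a firewalld restart but missing a minute later, something else is rewriting the tables; if they are present but MASQUERADE is absent, the external zone has no masquerading. Note that the constructed wiped dump still masquerades docker's 172.17.0.0/16 range, so `has_masquerade` alone is not enough to tell the two states apart, which is why the chain check comes first. Docker itself can be told to leave iptables alone with `"iptables": false` in `/etc/docker/daemon.json` (a documented dockerd option), after which container networking has to be provided through firewalld rules as Sunil suggests.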