[Freedombox-discuss] Please help: Freedombox as a router, "not working" anymore (details inside)

Daddy daddy at autistici.org
Thu Oct 11 12:45:43 BST 2018


Hello,

an update, in case it will be helpful to anyone:
1. The problem seems not to be related to docker,
2. I found a workaround, but not a solution.

Details:
1. After disabling docker, removing all network interfaces it
created and rebooting the system, the situation remains the same:
packets from the Internal zone are rejected instead of routed to
the External zone. I wasn't able to find any other scripts messing
with iptables or the firewall.

2. Workaround: after moving all my LAN interfaces from the Internal
zone to the Trusted zone (inspired by this bug report [1]), the
routing functionality is restored. While this works in practice,
it also opens an attack surface on the box itself to potential
attacks launched from my LAN.

D.

[1] - "Network via bridge device on host no longer works when
firewalld is active"
(https://bugzilla.redhat.com/show_bug.cgi?id=1569744#c8)

Daddy <daddy at autistici.org> wrote:
> Sunil,
> 
> thank you for your answer and your time.
> I'll study the links you provided and investigate the influence
> of the docker further.
> 
> This may take me another two weeks :)
> 
> D.
> 
> PS: Sorry for bringing up something which now looks like
> unrelated to the actual Freedombox part of my system.
> 
> On 08.10.2018 20:59, Sunil Mohan Adapa wrote:
> > On Monday 08 October 2018 02:32 AM, Daddy wrote:
> > [...]
> >> I was eventually able to get the DHCP working (by manually allowing the
> >> service in firewalld), but not the connection to the internet.
> >>
> >> *My network setup:*
> >> <WAN> -- <Modem> -- <Freedombox> -- <LAN>
> >>
> >> <LAN> is connected to Fbx through two separate interfaces - wired and
> >> wireless, both set as internal zone in firewall.
> >> LAN connections are both using "Shared" ipv4 setting; no settings were
> >> adjusted.
> >>
> >> *Freedombox System:*
> >> Debian GNU/Linux buster/sid and FreedomBox version 0.39.0.
> >>
> >> I'm not filing a bug report, as this may have been caused by something
> >> I chose during the manual system upgrade - I'm just not able to
> >> pinpoint it yet.
> >>
> > Hello,
> >
> > Your iptables-save output shows that you are not using firewalld.
> > However, for the commands you have executed you indeed have firewalld
> > running.
> >
> > A possible explanation is that you have set up separate iptables scripts
> > other than firewalld. First firewalld starts, then the offending script
> > starts and wipes out the firewalld chains. See below for a sample of how
> > the nat table should look with firewalld. To test this theory,
> > restart firewalld (observe the different output for iptables-save),
> > disconnect/connect the shared network connections, and check if the problem is
> > resolved. To fix, remove the offending script.
> >
> > Also, you seem to have docker containers running. Docker seems to insert
> > its own chains (but I'm not sure whether it wipes iptables). Docker is usually
> > started after firewalld when running under systemd[1]. So, things should
> > be okay unless you restart firewalld. To properly fix this you may want
> > to explore and set up firewalld rich rules[2] and ask docker not to touch
> > iptables.
> >
> > Links:
> >
> > 1)
> > https://success.docker.com/article/why-am-i-having-network-problems-after-firewalld-is-restarted
> > 2) https://fedoraproject.org/wiki/Features/FirewalldRichLanguage
> >
>

-- 
Sent using Mailpile, Free Software from www.mailpile.is
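A small diagnostic for the check Sunil proposes in the quoted reply (compare `iptables-save` output before and after restarting firewalld): it reads a dump on stdin and reports whether firewalld's zone-dispatch chains are still hooked into the built-in chains, or whether something else has flushed them. This is an added example, not code from the thread; the chain names (FORWARD_IN_ZONES, POSTROUTING_ZONES, POST_external) are firewalld's, and the two dumps are constructed, not the poster's real output.

```shell
#!/bin/sh
# Added example, not from the thread. Classify an iptables-save dump (stdin)
# by whether firewalld's dispatch chains are present, as Sunil suggests.

# True when the dump contains exactly this rule line.
has_rule() {
    printf '%s\n' "$1" | grep -qxF -- "$2"
}

check_firewalld_state() {
    dump=$(cat)
    # firewalld hooks zone handling into FORWARD and POSTROUTING through
    # these jump rules; a script that flushes the tables removes them.
    if has_rule "$dump" "-A FORWARD -j FORWARD_IN_ZONES" \
       && has_rule "$dump" "-A POSTROUTING -j POSTROUTING_ZONES"; then
        if printf '%s\n' "$dump" | grep -q -- '-j MASQUERADE'; then
            echo "firewalld-managed"
        else
            echo "firewalld-managed, no MASQUERADE: shared connection not active"
        fi
    else
        echo "wiped: firewalld dispatch chains missing, another iptables script likely flushed them"
    fi
}

# Constructed dump: firewalld chains intact, external zone masquerading.
HEALTHY='*nat
:POSTROUTING ACCEPT [0:0]
:POSTROUTING_ZONES - [0:0]
:POST_external - [0:0]
-A POSTROUTING -j POSTROUTING_ZONES
-A POSTROUTING_ZONES -o eth0 -g POST_external
-A POST_external -j MASQUERADE
COMMIT
*filter
:FORWARD ACCEPT [0:0]
:FORWARD_IN_ZONES - [0:0]
-A FORWARD -j FORWARD_IN_ZONES
COMMIT'

# Constructed dump: a hand-written script replaced the firewalld rules.
WIPED='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
COMMIT'

printf '%s\n' "$HEALTHY" | check_firewalld_state
printf '%s\n' "$WIPED" | check_firewalld_state
```

On a live box the same function can be fed with `iptables-save | check_firewalld_state`, once before and once after `systemctl restart firewalld`, to see which ruleset owner wins.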

