[Freedombox-discuss] Firewalld not upgraded automatically. old config or new?

A. F. Cano afc54 at comcast.net
Sat Apr 11 19:00:23 BST 2020



In the past I've had major issues, like the FreedomBox becoming totally
inaccessible, after upgrading firewalld, so the last time I did this manually
I told apt to keep the old configuration.

I just noticed that due to dependencies, there has not been an automatic
upgrade in a while.  I did an apt-get upgrade manually and now I need to
choose whether to keep the old configuration or allow the latest changes.
These are the differences:

*** firewalld.conf (Y/I/N/O/D/Z) [default=N] ? d
--- /etc/firewalld/firewalld.conf       2020-01-04 08:43:44.535316032 +0000
+++ /etc/firewalld/firewalld.conf.dpkg-new      2020-04-04 05:50:39.000000000 +>
@@ -3,7 +3,7 @@
 # default zone
 # The default zone used if an empty zone string is used.
 # Default: public
-DefaultZone=external
+DefaultZone=public
 
 # Clean up on exit
 # If set to no or false the firewall configuration will not get cleaned up
@@ -45,7 +45,7 @@
 # Choices are:
 #      - nftables (default)
 #      - iptables (iptables, ip6tables, ebtables and ipset)
-FirewallBackend=nftables
+FirewallBackend=iptables
 
 # FlushAllOnReload
 # Flush all runtime rules on a reload. In previous releases some runtime
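Review bot: `+FirewallBackend=iptables` contradicts the comment three lines above it, which names nftables as the default, so accepting the new file switches a running nftables configuration to the iptables backend as a side effect of a conffile prompt. A backend change is better done on purpose, after checking that nothing else on the box manages iptables or nftables rules directly; keep the existing `FirewallBackend=nftables` line unless the upgrade notes call for the switch.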
@@ -61,3 +61,15 @@
 # internet.
 # Defaults to "yes".
 RFC3964_IPv4=yes
+
+# AllowZoneDrifting
+# Older versions of firewalld had undocumented behavior known as "zone
+# drifting". This allowed packets to ingress multiple zones - this is a
+# violation of zone based firewalls. However, some users rely on this behavior
+# to have a "catch-all" zone, e.g. the default zone. You can enable this if you
+# desire such behavior. It's disabled by default for security reasons.
+# Note: If "yes" packets will only drift from source based zones to interface
+# based zones (including the default zone). Packets never drift from interface
+# based zones to other interfaces based zones (including the default zone).
+# Possible values; "yes", "no". Defaults to "no".
+AllowZoneDrifting=no
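Review bot: `+AllowZoneDrifting=no` is a new key rather than a changed value, so keeping the old file (N) does not preserve old behaviour: firewalld falls back to its built-in default, which the comment states is `no`. Together with `DefaultZone=external` in the current file, that matters only if the setup relies on the default zone as a catch-all for source-based zones; if it does, the line has to be added explicitly as `AllowZoneDrifting=yes`, and the comment's point that drifting is disabled for security reasons should weigh against doing so.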

I presume other people have encountered this.  What is the proper thing to do
here?  What are the consequences of going either way for the FreedomBox
specifically?

Thanks.

Augustine
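Added example, not part of the post or of the firewalld project: a POSIX shell helper that reduces a dpkg conffile diff to the KEY=VALUE lines that actually differ, so the decision at the prompt is made on the three settings that matter rather than on a page of comment changes. The sample files are constructed from the values in the diff above; the real paths on the box would be /etc/firewalld/firewalld.conf and /etc/firewalld/firewalld.conf.dpkg-new, and all file names here are assumptions.

```shell
#!/bin/sh
# Compare two firewalld.conf-style files (KEY=VALUE, '#' comments) and report
# which keys changed, were added, or were removed. Example code; the sample
# files below are constructed from the values shown in the mailing-list diff.

# Print KEY=VALUE lines of a file with comments and blank lines stripped,
# sorted by key so output order is stable.
conf_keys() {
    grep -E '^[A-Za-z_][A-Za-z0-9_]*=' "$1" | sort -t= -k1,1
}

# Compare the current file ($1) with the package's new file ($2).
# Output lines: "changed KEY old -> new", "removed KEY=VALUE", "added KEY=VALUE".
conf_diff() {
    cur="$1"; new="$2"
    conf_keys "$cur" | while IFS='=' read -r k v; do
        if ! grep -qE "^$k=" "$new"; then
            printf 'removed %s=%s\n' "$k" "$v"
        else
            nv=$(grep -E "^$k=" "$new" | head -n1 | cut -d= -f2-)
            [ "$v" != "$nv" ] && printf 'changed %s %s -> %s\n' "$k" "$v" "$nv"
        fi
    done
    # Keys present only in the new file: these take effect as the documented
    # default even if the old file is kept, so they deserve a separate look.
    conf_keys "$new" | while IFS='=' read -r k v; do
        grep -qE "^$k=" "$cur" || printf 'added %s=%s\n' "$k" "$v"
    done
}

# Build constructed sample files (assumed names) mirroring the post's diff
# and export their paths in CUR and NEW.
make_samples() {
    dir=$(mktemp -d)
    CUR="$dir/firewalld.conf"
    NEW="$dir/firewalld.conf.dpkg-new"
    cat > "$CUR" <<'EOF'
# default zone
DefaultZone=external

# backend
FirewallBackend=nftables

# Defaults to "yes".
RFC3964_IPv4=yes
EOF
    cat > "$NEW" <<'EOF'
# default zone
DefaultZone=public

# backend
FirewallBackend=iptables

# Defaults to "yes".
RFC3964_IPv4=yes

# AllowZoneDrifting
AllowZoneDrifting=no
EOF
}

make_samples
conf_diff "$CUR" "$NEW"
```

Run against the real files, the output is the short list to act on: a `changed` line is a local setting the package would overwrite, while an `added` line is a new option whose default applies whichever answer is given at the prompt.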


