[Freedombox-discuss] Firewalld not upgraded automatically. old config or new?

A. F. Cano afc54 at comcast.net
Sat Apr 11 19:00:23 BST 2020

In the past I've had major issues, like the FreedomBox becoming totally
inaccessible, after upgrading firewalld, so the last time I did this manually
I told apt to keep the old configuration.

I just noticed that due to dependencies, there has not been an automatic
upgrade in a while.  I did an apt-get upgrade manually and now I need to
choose whether to keep the old configuration or allow the latest changes.
These are the differences:

*** firewalld.conf (Y/I/N/O/D/Z) [default=N] ? d
--- /etc/firewalld/firewalld.conf       2020-01-04 08:43:44.535316032 +0000
+++ /etc/firewalld/firewalld.conf.dpkg-new      2020-04-04 05:50:39.000000000 +>
@@ -3,7 +3,7 @@
 # default zone
 # The default zone used if an empty zone string is used.
 # Default: public
 # Clean up on exit
 # If set to no or false the firewall configuration will not get cleaned up
@@ -45,7 +45,7 @@
 # Choices are:
 #      - nftables (default)
 #      - iptables (iptables, ip6tables, ebtables and ipset)
 # FlushAllOnReload
 # Flush all runtime rules on a reload. In previous releases some runtime
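Review bot: as in the first hunk, only context lines survive here; the visible region is the comment listing the backend choices, `nftables (default)` versus `iptables`, so the edit sits at or next to the backend selection, which is the kind of change that affects how every rule is applied rather than just a comment. Check which backend value each of the two files sets before accepting the new one; on a box administered remotely, a backend switch is far more consequential than the wording changes shown around it.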
@@ -61,3 +61,15 @@
 # internet.
 # Defaults to "yes".
+# AllowZoneDrifting
+# Older versions of firewalld had undocumented behavior known as "zone
+# drifting". This allowed packets to ingress multiple zones - this is a
+# violation of zone based firewalls. However, some users rely on this behavior
+# to have a "catch-all" zone, e.g. the default zone. You can enable this if you
+# desire such behavior. It's disabled by default for security reasons.
+# Note: If "yes" packets will only drift from source based zones to interface
+# based zones (including the default zone). Packets never drift from interface
+# based zones to other interfaces based zones (including the default zone).
+# Possible values; "yes", "no". Defaults to "no".
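Review bot: the header counts 12 added lines (`-61,3 +61,15`) but only ten `+` lines appear, all comments, so the line that actually sets the new option (and most likely a blank separator line) is missing from the excerpt. The comment states the default is "no", meaning the shipped file disables zone drifting: a packet matched by a source-based zone no longer also falls through to an interface-based zone such as the default zone. If the current setup depends on the default zone acting as a catch-all, that is the behaviour to verify before taking the new file; note also that the package is upgraded either way, so keeping the old conffile only leaves the option unset rather than preserving the older package's behaviour, and what the new firewalld does with the key absent is worth confirming.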

I presume other people have encountered this.  What is the proper thing to do
here?  What are the consequences of going either way for the FreedomBox