[Freedombox-discuss] Firewalld not upgraded automatically. old config or new?

Daddy daddy at autistici.org
Sat Apr 11 19:24:40 BST 2020


Hey Augustine!

I share your pain! I've been bitten by firewalld updates in the past too,
quite a bit.
Now, I'm just a user of the Freedombox, so all I can share is my
intuition, but:

As far as I know, Freedombox uses a custom firewalld configuration, which
is different from the one from Debian. The most obvious aspect of it is
the name of the default zone: instead of 'public', FBX uses 'external'.
In a more functional way, it has its own preferred selection from the
{nftables, iptables} set of tools. So I would say: don't use the package
maintainer's config (firewalld.conf.dpkg-new, +) and keep the old one.

D.

On 11. 4. 2020 20:00, A. F. Cano wrote:
>
> In the past I've had major issues, like the FreedomBox becoming totally
> inaccessible, after upgrading firewalld, so the last time I did this manually
> I told apt to keep the old configuration.
>
> I just noticed that due to dependencies, there has not been an automatic
> upgrade in a while.  I did an apt-get upgrade manually and now I need to
> choose whether to keep the old configuration or allow the latest changes.
> These are the differences:
>
> *** firewalld.conf (Y/I/N/O/D/Z) [default=N] ? d
> --- /etc/firewalld/firewalld.conf       2020-01-04 08:43:44.535316032 +0000
> +++ /etc/firewalld/firewalld.conf.dpkg-new      2020-04-04 05:50:39.000000000 +>
> @@ -3,7 +3,7 @@
>  # default zone
>  # The default zone used if an empty zone string is used.
>  # Default: public
> -DefaultZone=external
> +DefaultZone=public
>  
>  # Clean up on exit
>  # If set to no or false the firewall configuration will not get cleaned up
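Review bot: the `-DefaultZone=external` / `+DefaultZone=public` change in this hunk is the maintainer's stock default (the comment right above it reads `Default: public`) overwriting a FreedomBox-specific value, not a fix; accepting it would drop any interface that is not explicitly assigned to a zone into `public`, whose allowed services need not match the `external` zone FreedomBox has been managing. Keep `DefaultZone=external` when answering the prompt, then confirm with `firewall-cmd --get-default-zone` and `firewall-cmd --get-active-zones` that the interfaces still land in the expected zone.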
> @@ -45,7 +45,7 @@
>  # Choices are:
>  #      - nftables (default)
>  #      - iptables (iptables, ip6tables, ebtables and ipset)
> -FirewallBackend=nftables
> +FirewallBackend=iptables
>  
>  # FlushAllOnReload
>  # Flush all runtime rules on a reload. In previous releases some runtime
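Review bot: `+FirewallBackend=iptables` contradicts the comment two lines above it, which names nftables as the default, and it would flip the backend the box has been running with (`nftables` in the kept file). Switching backends means the policy is rendered into a different tool on the next restart, so anything still sitting in the old backend's tables is no longer managed by firewalld and there is no single place to audit what is open. Keep `FirewallBackend=nftables` unless FreedomBox itself requires iptables, and after `firewall-cmd --reload` compare `firewall-cmd --list-all` with the services you expect to be reachable.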
> @@ -61,3 +61,15 @@
>  # internet.
>  # Defaults to "yes".
>  RFC3964_IPv4=yes
> +
> +# AllowZoneDrifting
> +# Older versions of firewalld had undocumented behavior known as "zone
> +# drifting". This allowed packets to ingress multiple zones - this is a
> +# violation of zone based firewalls. However, some users rely on this behavior
> +# to have a "catch-all" zone, e.g. the default zone. You can enable this if you
> +# desire such behavior. It's disabled by default for security reasons.
> +# Note: If "yes" packets will only drift from source based zones to interface
> +# based zones (including the default zone). Packets never drift from interface
> +# based zones to other interfaces based zones (including the default zone).
> +# Possible values; "yes", "no". Defaults to "no".
> +AllowZoneDrifting=no
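Review bot: `+AllowZoneDrifting=no` and its comment block are purely additive and conflict with nothing FreedomBox customised, so they are the one part of the new file worth copying into the kept configuration if the prompt is answered with N (the old file ends at `RFC3964_IPv4=yes`, so the key would otherwise be absent; per the comment the built-in default is also `no`, but stating it explicitly documents the intent). Do not turn it to `yes`: the comment itself describes drifting as packets entering multiple zones, which defeats per-zone policy.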
>
> I presume other people have encountered this.  What is the proper thing to do
> here?  What are the consequences of going either way for the FreedomBox
> specifically?
>
> Thanks.
>
> Augustine
>
> _______________________________________________
> Freedombox-discuss mailing list
> Freedombox-discuss at alioth-lists.debian.net
> https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/freedombox-discuss
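The "keep the old config but pick up the new keys" outcome suggested above can be done mechanically rather than by hand-editing at the dpkg prompt. The following is an added example (not FreedomBox's or firewalld's own code) that merges a kept `firewalld.conf` with its `.dpkg-new` sibling: a key the local file sets differently is treated as a deliberate local change and wins, keys only the new file has are appended; the sample file contents are constructed from the hunks quoted in the mail, not the full files.

```python
import re

# Added example (not FreedomBox or firewalld code). Sample contents are
# constructed from the hunks quoted in the mail, not the full files.
OLD_CONF = """\
# default zone
DefaultZone=external
FirewallBackend=nftables
RFC3964_IPv4=yes
"""
NEW_CONF = """\
# default zone
DefaultZone=public
FirewallBackend=iptables
RFC3964_IPv4=yes
AllowZoneDrifting=no
"""

# firewalld.conf is flat KEY=value; comment lines start with '#'.
KEY_RE = re.compile(r"^\s*([A-Za-z0-9_]+)\s*=\s*(.*?)\s*$")


def parse_conf(text):
    """Return a dict of key -> value, ignoring comments and blank lines."""
    conf = {}
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            conf[m.group(1)] = m.group(2)
    return conf


def merge_conf(old_text, new_text):
    """Return (merged, preserved, added): a key the kept file sets differently
    from the .dpkg-new file is a local change and wins; keys only the new
    file has are added; keys only the old file has are kept."""
    old, new = parse_conf(old_text), parse_conf(new_text)
    merged, preserved, added = {}, [], []
    for key, new_value in new.items():
        if key in old and old[key] != new_value:
            merged[key] = old[key]  # local change beats the maintainer default
            preserved.append(key)
        else:
            merged[key] = new_value
            if key not in old:
                added.append(key)
    for key, value in old.items():  # keep keys the new file no longer lists
        merged.setdefault(key, value)
    return merged, preserved, added
```

On a real box, read `/etc/firewalld/firewalld.conf` and `/etc/firewalld/firewalld.conf.dpkg-new` into the two strings and review the `preserved` list before writing the merged result and running `firewall-cmd --reload`.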
