[Freedombox-discuss] Firewalld not upgraded automatically. old config or new?

Geert Stappers stappers at stappers.nl
Sun Apr 12 08:28:45 BST 2020


On Sat, Apr 11, 2020 at 08:24:40PM +0200, Daddy wrote:
> On 11. 4. 2020 20:00, A. F. Cano wrote:
> >
> > In the past I've had major issues, like the FreedomBox becoming totally
> > inaccessible, after upgrading firewalld, so the last time I did this manually
> > I told apt to keep the old configuration.
> >
> > I just noticed that due to dependencies, there has not been an automatic
> > upgrade in a while.  I did an apt-get upgrade manually and now I need to
> > choose whether to keep the old configuration or allow the latest changes.
> > These are the differences:
> >
> > *** firewalld.conf (Y/I/N/O/D/Z) [default=N] ? d
> > --- /etc/firewalld/firewalld.conf       2020-01-04 08:43:44.535316032 +0000
> > +++ /etc/firewalld/firewalld.conf.dpkg-new      2020-04-04 05:50:39.000000000 +>
> > @@ -3,7 +3,7 @@
> >  # default zone
> >  # The default zone used if an empty zone string is used.
> >  # Default: public
> > -DefaultZone=external
> > +DefaultZone=public
> >  
> >  # Clean up on exit
> >  # If set to no or false the firewall configuration will not get cleaned up
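Review bot: the `-DefaultZone=external` / `+DefaultZone=public` change is not cosmetic: the comment in this hunk says the default zone is the one applied whenever an empty zone string is used, so accepting the maintainer's file moves every interface without an explicit zone into `public`, whose rules need not match what was configured for `external`. Daddy's reply in this thread identifies `external` as the FreedomBox default in place of Debian's `public`, so the FreedomBox zone layout only stays intact if `DefaultZone=external` is kept.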
> > @@ -45,7 +45,7 @@
> >  # Choices are:
> >  #      - nftables (default)
> >  #      - iptables (iptables, ip6tables, ebtables and ipset)
> > -FirewallBackend=nftables
> > +FirewallBackend=iptables
> >  
> >  # FlushAllOnReload
> >  # Flush all runtime rules on a reload. In previous releases some runtime
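Review bot: the new file sets `+FirewallBackend=iptables` even though the comment two lines above it lists nftables as the default, so taking the new file changes which engine the zone rules are loaded through, not merely a comment. The expected end state in this thread is that `/etc/firewalld/firewalld.conf` keeps `FirewallBackend=nftables`; since the original poster associates earlier firewalld upgrades with the box becoming unreachable, confirm the value after the upgrade (for example `grep ^FirewallBackend /etc/firewalld/firewalld.conf`) instead of trusting the prompt's default answer.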
> > @@ -61,3 +61,15 @@
> >  # internet.
> >  # Defaults to "yes".
> >  RFC3964_IPv4=yes
> > +
> > +# AllowZoneDrifting
> > +# Older versions of firewalld had undocumented behavior known as "zone
> > +# drifting". This allowed packets to ingress multiple zones - this is a
> > +# violation of zone based firewalls. However, some users rely on this behavior
> > +# to have a "catch-all" zone, e.g. the default zone. You can enable this if you
> > +# desire such behavior. It's disabled by default for security reasons.
> > +# Note: If "yes" packets will only drift from source based zones to interface
> > +# based zones (including the default zone). Packets never drift from interface
> > +# based zones to other interfaces based zones (including the default zone).
> > +# Possible values; "yes", "no". Defaults to "no".
> > +AllowZoneDrifting=no
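Review bot: this hunk only adds the `AllowZoneDrifting` block, and its own comment says the setting defaults to "no", so keeping the old file (which lacks the key) and accepting the new one (which sets `AllowZoneDrifting=no`) behave identically for this option; it is not a reason to take the new file. If the old file is kept, adding the explicit `AllowZoneDrifting=no` line makes the stricter zone-separation behaviour visible in the config rather than implied by a compiled-in default.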
> >
>
> As far as I know, Freedombox uses custom firewalld configuration, which
> is different from the one from Debian. The most obvious aspect of it is
> the name of the default zone: instead of 'public', FBX uses 'external'.
> In a more functional way, it has its own preferred selection from the
> {nftables, iptables} set of tools. So I would say: don't use the package
> maintainer's config (firewalld.conf.dpkg-new, +) and keep the old one.

Yes. The result should be that /etc/firewalld/firewalld.conf
has 'FirewallBackend=nftables'


> > I presume other people have encountered this.  What is the proper thing to do
> > here?  What are the consequences of going either way for the FreedomBox
> > specifically?

I'm not sure if those questions have been answered.
Please tell.  (either way)


Regards
Geert Stappers
-- 
Silence is hard to parse
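As an added check that is not part of the original thread, the following POSIX shell snippet reads a firewalld.conf and reports whether it carries the two values the thread says a FreedomBox relies on (DefaultZone=external and FirewallBackend=nftables), which is the state to confirm after answering the dpkg conffile prompt. The expected values are taken from the messages above; the file names and the two sample configs written by make_samples are constructed for the demonstration and are not FreedomBox's own files.

```shell
#!/bin/sh
# Added example: verify the effective firewalld.conf settings after an upgrade.
# Expected values (external, nftables) come from the thread; sample files and
# paths below are constructed for the demonstration.

# conf_get FILE KEY -> prints the effective value of KEY (last assignment wins,
# comment lines and blank lines are ignored); prints nothing if KEY is absent.
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | sed 's/[[:space:]]*$//' | tail -n 1
}

# check_firewalld_conf FILE -> returns 0 when every expected key has the
# expected value, 1 otherwise; each mismatch or missing key is reported.
check_firewalld_conf() {
    file=$1
    status=0
    for pair in DefaultZone=external FirewallBackend=nftables; do
        key=${pair%%=*}
        want=${pair#*=}
        got=$(conf_get "$file" "$key")
        if [ -z "$got" ]; then
            echo "$file: $key is not set (firewalld falls back to its built-in default)"
            status=1
        elif [ "$got" != "$want" ]; then
            echo "$file: $key=$got, expected $want"
            status=1
        fi
    done
    return $status
}

# make_samples DIR -> writes two constructed configs: the kept local file and
# the package maintainer's version as it appears in the thread's diff.
make_samples() {
    cat > "$1/firewalld.conf.kept" <<'EOF'
# default zone
# Default: public
DefaultZone=external

# FirewallBackend
FirewallBackend=nftables
RFC3964_IPv4=yes
EOF
    cat > "$1/firewalld.conf.dpkg-new" <<'EOF'
DefaultZone=public
FirewallBackend=iptables
RFC3964_IPv4=yes
AllowZoneDrifting=no
EOF
}

# Stand-alone demonstration on the constructed samples.
demo_dir=$(mktemp -d)
make_samples "$demo_dir"
for f in "$demo_dir/firewalld.conf.kept" "$demo_dir/firewalld.conf.dpkg-new"; do
    if check_firewalld_conf "$f"; then
        echo "$f: matches the FreedomBox expectations"
    fi
done
rm -rf "$demo_dir"
```

On a real system the call is `check_firewalld_conf /etc/firewalld/firewalld.conf`; a non-zero exit means the conffile prompt left a value the thread warns against, and the absence of AllowZoneDrifting in a kept file is harmless because the package comment documents "no" as its default.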