[Freedombox-discuss] EMERGENCY! after latest reboot, firewall doesn't let anything through.
A. F. Cano
afc54 at comcast.net
Sun Oct 10 19:53:14 BST 2021
Hi,
After the latest reboot, I found that apparently nothing gets through
the firewall. At first it was confusing since I was able to get on the
web, but I found out that this is only because my internal browsers go
through privoxy on the FreedomBox. Apt/aptitude (from internal
machines) now fails. I could bypass the problem by making it go through
privoxy also, by adding /etc/apt/apt.conf with this in it:
Acquire::http::Proxy "http://<internal name of FreedomBox>:8118";
Most importantly, neither fetchmail nor imap work any more, which means
that I can no longer receive or send email. I could only send this email
by disabling the firewall from cockpit. Until I did so, I got "failed:
Network is unreachable".
Luckily I can still get into the FreedomBox via ssh, but any command
typed there (such as sudo nft list ruleset) results in a very long wait
(about 10-15 seconds) and then this shows up:
pam-abl: BDB1546 unable to join the environment
before the prompt for the password appears.
This is new. I have rebooted the FreedomBox multiple times with no
change.
I have never dealt with nftables internals before and what I've been
able to see seems extremely complicated. I didn't see any explicit
mentions of port 25 (smtp), 143 (imap) or 993 (imaps). When I tried to
add these ports to internal zones the help text told me that it
shouldn't be necessary if I only want to run fetchmail to retrieve
email.
The "About" menu entry says:
You are running Debian GNU/Linux bookworm/sid and FreedomBox version 21.10. FreedomBox is up to date.
And I've done the latest update minutes ago.
What can I do to get the FreedomBox back to normal working state?
Has anything changed recently that could affect this issue?
Do I need to do something explicit to be able to send and receive email
from the internal machines?
Is this an issue with the forward rules?
chain filter_forward {
type filter hook forward priority filter; policy accept;
ip daddr 192.168.200.0/24 oifname "enp3s0" ct state { established, related } accept
ip saddr 192.168.200.0/24 iifname "enp3s0" accept
iifname "enp3s0" oifname "enp3s0" accept
iifname "enp3s0" reject
oifname "enp3s0" reject
}
I found this snippet, does it look correct?
Thanks.
Augustine
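To answer the "does this look correct?" question for the posted chain, here is an added example (not code from the original post, and not FreedomBox's own code): a small Python model of that filter_forward chain, walked with constructed packets. It assumes enp3s0 is the LAN side of the box (the 192.168.200.0/24 side); the interface names wan0 and wan1 and the 203.0.113.x / 198.51.100.x addresses are invented for illustration. nftables evaluates a chain top to bottom, the first rule whose match succeeds gives the verdict, and the chain policy (accept here) applies only when no rule matched.

```python
"""Model of the posted filter_forward chain (added example, not from the post).

Assumption: enp3s0 is the LAN interface. 'wan0', 'wan1' and the
203.0.113.x / 198.51.100.x addresses below are constructed sample data.
"""
import ipaddress

LAN = ipaddress.ip_network("192.168.200.0/24")
LAN_IF = "enp3s0"  # the only interface named in the posted chain


def _in_lan(addr):
    return ipaddress.ip_address(addr) in LAN


# (match function, verdict) pairs, in the order the posted chain lists them.
RULES = [
    # ip daddr 192.168.200.0/24 oifname "enp3s0" ct state { established, related } accept
    (lambda p: _in_lan(p["daddr"]) and p["oif"] == LAN_IF
               and p["ct"] in ("established", "related"), "accept"),
    # ip saddr 192.168.200.0/24 iifname "enp3s0" accept
    (lambda p: _in_lan(p["saddr"]) and p["iif"] == LAN_IF, "accept"),
    # iifname "enp3s0" oifname "enp3s0" accept
    (lambda p: p["iif"] == LAN_IF and p["oif"] == LAN_IF, "accept"),
    # iifname "enp3s0" reject
    (lambda p: p["iif"] == LAN_IF, "reject"),
    # oifname "enp3s0" reject
    (lambda p: p["oif"] == LAN_IF, "reject"),
]
POLICY = "accept"  # "policy accept;" in the chain header


def forward_verdict(pkt):
    """Verdict the posted chain gives one forwarded packet.

    pkt: dict with saddr, daddr, iif, oif and ct ("new", "established",
    "related"). The first matching rule wins; otherwise the policy applies.
    """
    for match, verdict in RULES:
        if match(pkt):
            return verdict
    return POLICY


def packet(saddr, daddr, iif, oif, ct="new"):
    return {"saddr": saddr, "daddr": daddr, "iif": iif, "oif": oif, "ct": ct}


# Constructed scenarios. 203.0.113.5 stands in for a mail server on the
# internet; wan0/wan1 are assumed upstream interfaces.
SCENARIOS = {
    "lan host opens IMAP to internet":  packet("192.168.200.10", "203.0.113.5", "enp3s0", "wan0"),
    "reply to that connection":         packet("203.0.113.5", "192.168.200.10", "wan0", "enp3s0", "established"),
    "internet opens connection to lan": packet("203.0.113.5", "192.168.200.10", "wan0", "enp3s0"),
    "spoofed non-lan source on enp3s0": packet("10.9.8.7", "203.0.113.5", "enp3s0", "wan0"),
    "lan host to lan host via router":  packet("192.168.200.10", "192.168.200.20", "enp3s0", "enp3s0"),
    "traffic not touching enp3s0":      packet("203.0.113.5", "198.51.100.9", "wan0", "wan1"),
}


def evaluate_all():
    """Map each scenario name to the chain's verdict."""
    return {name: forward_verdict(p) for name, p in SCENARIOS.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_all().items():
        print(f"{verdict:7} {name}")
```

Under that assumption the chain behaves like an ordinary LAN-to-WAN router filter: new connections from 192.168.200.0/24 out through enp3s0 are accepted, their replies come back in, and new connections from the outside toward the LAN, or packets arriving on enp3s0 with a non-LAN source, are rejected. Note that the forward hook only sees packets the FreedomBox routes on behalf of other hosts; connections that fetchmail or the mail server open from the FreedomBox itself go through the output hook, so this chain is not where those would be blocked, and the chains of type filter hook output in the full `sudo nft list ruleset` are the ones to read for that case.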