[Freedombox-discuss] EMERGENCY! after latest reboot, firewall doesn't let anything through.

Sunil Mohan Adapa sunil at medhas.org
Sun Oct 10 20:04:45 BST 2021


Hi Augustine,

Sorry to hear about your troubles. Could you drop by on IRC or Matrix 
and we can try to do some debugging of the problem together.

If I understand correctly, traffic is not getting forwarded to Internet 
from machines on the local network. Other functions of FreedomBox are 
working properly.

We've had one other report of troubles with "shared" network connections 
not forwarding IPv4 traffic properly[1]. It may be that we are facing 
regressions in network-manager that may have already been fixed in an 
unreleased version.

Links:

1) https://salsa.debian.org/freedombox-team/freedombox/-/issues/2114

-- 
Sunil

On 10/10/21 11:53 AM, A. F. Cano wrote:
> Hi,
> 
> After the latest reboot, I found that apparently nothing gets through
> the firewall.  At first it was confusing since I was able to get on the
> web, but I found out that this is only because my internal browsers go
> through privoxy on the FreedomBox.  Apt/aptitude (from internal
> machines) now fails.  I could bypass the problem by making it go through
> privoxy also, by adding /etc/apt/apt.conf with this in it:
> 
> Acquire::http::Proxy "http://<internal name of FreedomBox>:8118";
> 
> Most importantly, neither fetchmail nor imap work any more, which means
> that I can no longer receive or send email.  I could only send this email
> by disabling the firewall from cockpit.  Until I did so, I got "failed:
> Network is unreachable".
> 
> Luckily I can still get into the FreedomBox via ssh, but any command
> typed there (such as sudo nft list ruleset) results in a very long wait
> (about 10-15 seconds) and then this shows up:
> 
> pam-abl: BDB1546 unable to join the environment
> 
> before the prompt for the password appears.
> 
> This is new.  I have rebooted the FreedomBox multiple times with no
> change.
> 
> I have never dealt with nftables internals before and what I've been
> able to see seems extremely complicated.  I didn't see any explicit
> mentions of port 25 (smtp), 143 (imap) or 993 (imaps).  When I tried to
> add these ports to internal zones the help text told me that it
> shouldn't be necessary if I only want to run fetchmail to retrieve
> email.
> 
> The "About" menu entry says:
> 
> You are running Debian GNU/Linux bookworm/sid and FreedomBox version 21.10. FreedomBox is up to date.
> 
> And I've done the latest update minutes ago.
> 
> What can I do to get the FreedomBox back to normal working state?
> Has anything changed recently that could affect this issue?
> Do I need to do something explicit to be able to send and receive email
> from the internal machines?
> 
> Is this an issue with the forward rules?
> 
>          chain filter_forward {
>                  type filter hook forward priority filter; policy accept;
>                  ip daddr 192.168.200.0/24 oifname "enp3s0" ct state { established, related } accept
>                  ip saddr 192.168.200.0/24 iifname "enp3s0" accept
>                  iifname "enp3s0" oifname "enp3s0" accept
>                  iifname "enp3s0" reject
>                  oifname "enp3s0" reject
>          }
> 
> I found this snippet, does it look correct?
> 
> Thanks.
> 
> Augustine
> 
> _______________________________________________
> Freedombox-discuss mailing list
> Freedombox-discuss at alioth-lists.debian.net
> https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/freedombox-discuss
> 
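To check Augustine's question about the quoted forward chain flow by flow, here is an added example (not part of the original mail or of FreedomBox) that re-implements nftables' first-match evaluation for the expression types this chain uses: `ip saddr`/`ip daddr`, `iifname`/`oifname` and `ct state`. `CHAIN_TEXT` is copied from the mail; the three packets and the upstream interface name `wan0` are assumptions, and only the forward filter chain is modelled, not the NAT chains that also decide whether LAN traffic reaches the Internet.

```python
"""Walk constructed packets through the filter_forward chain quoted above.

Added example, not the project's own code. CHAIN_TEXT is copied from the mail;
the packets and the upstream interface name "wan0" are assumptions.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional, Tuple

CHAIN_TEXT = """
chain filter_forward {
    type filter hook forward priority filter; policy accept;
    ip daddr 192.168.200.0/24 oifname "enp3s0" ct state { established, related } accept
    ip saddr 192.168.200.0/24 iifname "enp3s0" accept
    iifname "enp3s0" oifname "enp3s0" accept
    iifname "enp3s0" reject
    oifname "enp3s0" reject
}
"""

VERDICTS = ("accept", "drop", "reject")


@dataclass
class Packet:
    saddr: str
    daddr: str
    iif: str       # interface the packet arrived on
    oif: str       # interface the routing decision selected
    ct_state: str  # conntrack state: "new", "established" or "related"


@dataclass
class Rule:
    text: str
    verdict: str
    saddr: Optional[ipaddress.IPv4Network] = None
    daddr: Optional[ipaddress.IPv4Network] = None
    iif: Optional[str] = None
    oif: Optional[str] = None
    ct_states: Optional[frozenset] = None

    def matches(self, pkt: Packet) -> bool:
        """Every expression present in the rule must match (nft ANDs them)."""
        if self.saddr is not None and ipaddress.ip_address(pkt.saddr) not in self.saddr:
            return False
        if self.daddr is not None and ipaddress.ip_address(pkt.daddr) not in self.daddr:
            return False
        if self.iif is not None and pkt.iif != self.iif:
            return False
        if self.oif is not None and pkt.oif != self.oif:
            return False
        if self.ct_states is not None and pkt.ct_state not in self.ct_states:
            return False
        return True


def parse_chain(text: str) -> Tuple[str, list]:
    """Parse a chain listing into (policy, rules) in the order nft keeps them."""
    policy, rules = "accept", []
    for line in text.strip().splitlines():
        line = line.strip()
        if m := re.search(r"policy (\w+);", line):
            policy = m.group(1)
            continue
        if not line or line.startswith("chain ") or line == "}":
            continue
        verdict = line.split()[-1]
        if verdict not in VERDICTS:
            raise ValueError("unsupported rule syntax: " + line)
        rule = Rule(text=line, verdict=verdict)
        if m := re.search(r"ip saddr (\S+)", line):
            rule.saddr = ipaddress.ip_network(m.group(1))
        if m := re.search(r"ip daddr (\S+)", line):
            rule.daddr = ipaddress.ip_network(m.group(1))
        if m := re.search(r'iifname "([^"]+)"', line):
            rule.iif = m.group(1)
        if m := re.search(r'oifname "([^"]+)"', line):
            rule.oif = m.group(1)
        if m := re.search(r"ct state \{([^}]*)\}", line):
            rule.ct_states = frozenset(s.strip() for s in m.group(1).split(","))
        rules.append(rule)
    return policy, rules


POLICY, RULES = parse_chain(CHAIN_TEXT)


def trace(pkt: Packet) -> Tuple[str, str]:
    """Return (verdict, deciding rule text): first match wins, else chain policy."""
    for rule in RULES:
        if rule.matches(pkt):
            return rule.verdict, rule.text
    return POLICY, "chain policy"


# Constructed flows: LAN 192.168.200.0/24 on enp3s0, upstream link assumed to be
# "wan0", and 203.0.113.5 (a documentation address) standing in for an Internet host.
LAN_TO_WAN = Packet("192.168.200.10", "203.0.113.5", "enp3s0", "wan0", "new")
WAN_REPLY = Packet("203.0.113.5", "192.168.200.10", "wan0", "enp3s0", "established")
WAN_UNSOLICITED = Packet("203.0.113.5", "192.168.200.10", "wan0", "enp3s0", "new")

if __name__ == "__main__":
    for name, pkt in [("LAN -> WAN, new", LAN_TO_WAN),
                      ("WAN -> LAN, reply", WAN_REPLY),
                      ("WAN -> LAN, unsolicited", WAN_UNSOLICITED)]:
        verdict, why = trace(pkt)
        print(f"{name:26} {verdict:7} via: {why}")
```

Run as a script it prints, for each constructed flow, which rule decided it: new LAN-originated traffic is accepted by the second rule, return traffic to the LAN by the first, and unsolicited traffic towards the LAN is rejected by the last. Two caveats when reading real results: a plain `reject`, as in this chain, answers with ICMP port-unreachable, which the sending program reports as "Connection refused", whereas "Network is unreachable" (ENETUNREACH) is what a host reports when it has no route to the destination at all; and forwarding to the Internet additionally needs the NAT (masquerade) chain, which `nft list ruleset` shows separately and this simulator does not model.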
