[Freedombox-discuss] EMERGENCY! after latest reboot, firewall doesn't let anything through.

A. F. Cano afc54 at comcast.net
Tue Oct 12 01:35:25 BST 2021


On Mon, Oct 11, 2021 at 10:32:26AM -0700, Sunil Mohan Adapa wrote:
> On 10/11/21 10:23 AM, A. F. Cano wrote:
> ...
> > Well, mostly.  As I've been reporting in another thread, dnsmasq is
> > alternatively not starting at all, starting on one interface or starting
> > on both internal interfaces.  Currently, it doesn't start at all, so I
> > have no dhcp on either internal interface.
> 
> This part can be temporarily worked around. On the machine on the network,
> you can assign them static IP addresses in the same range that dhcp server
> is supposed to assign the addresses. For example:
> 
> FreedomBox internal network IP address: 10.42.0.1 (say)
> Client network configuration:
> Type: Manual/Static
> IP address: 10.42.0.10
> Netmask: 255.255.255.0
> Gateway: 10.42.0.1
> DNS server: 1.1.1.1 (any publicly known DNS)

Well, yes...  I've been running everything with static addresses for
years, but it's a pain to modify /etc/hosts for every machine on the
network when there is a change.  Ideally, if I could have one /etc/hosts
on the FreedomBox, from which dnsmasq could take hints, instead of
assigning randomly from the range specified, it would be ideal.  But
even with the randomly assigned IPs it's a vast improvement over having
to modify every /etc/hosts file.
> 
> [...]
> > > > Luckily I can still get into the FreedomBox via ssh, but any command
> > > > typed there (such as sudo nft list ruleset) results in a very long wait
> > > > (about 10-15 seconds) and then this shows up:
> > > > 
> > > > pam-abl: BDB1546 unable to join the environment
> > > > 
> > > > before the prompt for the password appears.
> > > > 
> > > > This is new.  I have rebooted the FreedomBox multiple times with no
> > > > change.
> 
> This is usually not a serious error but a warning. libpam-abl is only meant
> to block repeated failed login attempts. If it does not work as expected,
> this is not a big problem. libpam-abl can also be removed or its database
> reset, if necessary.

I agree it's not a big issue, but the 10-15 second delay before every
command is, shall we say, sub-optimal.  I suppose this will get fixed at
some point upstream.

Also, while we're on the subject of firewalls, I notice that I cannot
ssh between different internal machines between the 2 internal
sub-nets/interfaces.  Do ports need to be opened between the 2 internal
interfaces? Or is this some manifestation of the same problem?  I
noticed this quite some time ago, long before this latest problem.  I
realize I'm probably the only one using 2 internal interfaces, so maybe
no one has noticed this before.  What would the correct policy be? All the
ports are open between internal interfaces? Specific ports need to be
opened explicitly?

In any case, a huge thank you for your work on FreedomBox.  Eagerly
awaiting the introduction of the mail server.

Augustine
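The wish expressed above, that one file on the FreedomBox drive dnsmasq's address assignments instead of per-client /etc/hosts edits, maps onto dnsmasq's own configuration options. The fragment below is an added example, not FreedomBox's or the list members' configuration: the interface name, the 10.42.0.0/24 range (taken from the thread), the host names and the MAC addresses are all constructed, and where the fragment is loaded from depends on how dnsmasq is started on the box (on a FreedomBox it is normally launched by NetworkManager for shared connections, so a drop-in under /etc/NetworkManager/dnsmasq-shared.d/ is the assumed location).

```ini
# dnsmasq fragment: central DHCP reservations on the FreedomBox
# (added example, not FreedomBox configuration; interface, names,
#  addresses and MAC addresses are constructed)

# Serve DHCP only on the internal interface, in the range used in the thread.
interface=eth1
dhcp-range=10.42.0.10,10.42.0.200,255.255.255.0,12h

# Fixed leases keyed by MAC address. The same names are answered by
# dnsmasq's DNS, so clients no longer need their own /etc/hosts entries.
dhcp-host=02:00:00:00:00:0a,desk,10.42.0.10
dhcp-host=02:00:00:00:00:0b,laptop,10.42.0.11

# Or keep the reservations in one separate file (one MAC,name,IP per line)
# that is the single place edited when a machine is added or renamed.
#dhcp-hostsfile=/etc/dnsmasq.d/reservations

# dnsmasq also reads the box's own /etc/hosts for DNS by default;
# expand-hosts lets the short names there resolve with the local domain.
expand-hosts
domain=lan
```

Unreserved clients still get a random lease from the dhcp-range, so the two approaches coexist; a machine whose MAC appears in a dhcp-host line always receives the listed address, which is what makes the central file sufficient for name resolution across the internal network.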


