[Freedombox-discuss] Firewalld zones descriptions. Different in fresh install vs upgraded.

A. F. Cano afc54 at comcast.net
Tue Aug 1 01:43:32 BST 2023 

Summary: in the upgraded FreedomBox (the one currently running)
/etc/firewalld/external.xml is missing the line:

  <forward/>

which is present in the fresh install.  Both have the problem I'm trying
to correct: packets generated inside don't go out unless the firewall is
disabled, so this apparently is not the critical difference, but which one
is correct?

Nonetheless, I have added the

  <forward/>

line to the upgraded FreedomBox and tried fetchmail, which used to work
before the dist-upgrade. No difference, even after disabling and re-enabling
the firewall via the web interface or firewall-cmd --reload.

This is what running fetchmail on an internal machine causes:

fetchmail: Connection errors for this poll:
name 0: connection to mx.sdf.org:993 [205.166.94.24/993] failed: No route to host.
IMAP connection to mx.sdf.org failed: No route to host
fetchmail: Query status=2 (SOCKET)
^Cfetchmail: terminated with signal 2

To recapitulate: if the firewall is disabled, it works like it used to.


The differences in <service name=".../> can be ignored, in one case
matrix-synapse is not available (release-critical bug).

In a fresh install, this is what the internal and external zone descriptions
look like:

# cat /etc/firewalld/internal.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Internal</short>
  <description>For use on internal networks. You mostly trust the other computers on the networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <service name="mdns"/>
  <service name="samba-client"/>
  <service name="dhcpv6-client"/>
  <service name="http"/>
  <service name="https"/>
  <service name="dns"/>
  <service name="dhcp"/>
  <service name="coturn-freedombox"/>
  <service name="xmpp-client"/>
  <service name="xmpp-server"/>
  <service name="xmpp-bosh"/>
  <service name="infinoted-plinth"/>
  <service name="mumble-plinth"/>
  <service name="privoxy"/>
  <service name="syncthing"/>
  <forward/>
</zone>

# cat external.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>External</short>
  <description>For use on external networks. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <service name="http"/>
  <service name="https"/>
  <service name="coturn-freedombox"/>
  <service name="xmpp-client"/>
  <service name="xmpp-server"/>
  <service name="xmpp-bosh"/>
  <service name="infinoted-plinth"/>
  <service name="mumble-plinth"/>
  <service name="syncthing"/>
  <masquerade/>
  <forward/>      THIS WAS ADDED TO THE UPGRADED FREEDOMBOX - NO DIFFERENCE
</zone>

On the upgraded FreedomBox:

# cat /etc/firewalld/internal.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Internal</short>
  <description>For use on internal networks. You mostly trust the other computers on the networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <service name="mdns"/>
  <service name="samba-client"/>
  <service name="dhcpv6-client"/>
  <service name="http"/>
  <service name="https"/>
  <service name="dns"/>
  <service name="dhcp"/>
  <service name="matrix-synapse-plinth"/>
  <service name="privoxy"/>
  <service name="syncthing"/>
  <service name="coturn-freedombox"/>
  <service name="mumble-plinth"/>
  <service name="infinoted-plinth"/>
  <service name="xmpp-client"/>
  <service name="xmpp-server"/>
  <service name="xmpp-bosh"/>
  <forward/>
</zone>

# cat external.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>External</short>
  <description>For use on external networks. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <service name="http"/>
  <service name="https"/>
  <service name="matrix-synapse-plinth"/>
  <service name="syncthing"/>
  <service name="coturn-freedombox"/>
  <service name="mumble-plinth"/>
  <service name="infinoted-plinth"/>
  <service name="xmpp-client"/>
  <service name="xmpp-server"/>
  <service name="xmpp-bosh"/>
  <masquerade/>
</zone>

More information about the Freedombox-discuss mailing list