[Freedombox-discuss] Firewalld logging.
A. F. Cano
afc54 at comcast.net
Mon Aug 14 04:17:21 BST 2023
In my ongoing attempts to figure out why packets from inside are not going
through unless the firewall is disabled, I notice that:
o /var/log/firewalld is only updated at boot time, and only contains the
following (date and time were of the last reboot):
2023-08-12 13:25:28 ERROR: INVALID_SERVICE: tor-orport
2023-08-12 13:25:28 ERROR: INVALID_SERVICE: tor-obfs3
2023-08-12 13:25:29 ERROR: INVALID_SERVICE: tor-obfs4
2023-08-12 13:26:10 ERROR: INVALID_SERVICE: tor-orport
2023-08-12 13:26:10 ERROR: INVALID_SERVICE: tor-obfs3
2023-08-12 13:26:10 ERROR: INVALID_SERVICE: tor-obfs4
2023-08-12 13:26:57 WARNING: ZONE_ALREADY_SET: external
2023-08-12 13:27:37 WARNING: ALREADY_ENABLED: 'http' already in 'external'
2023-08-12 13:27:37 WARNING: ALREADY_ENABLED: http
2023-08-12 13:27:37 WARNING: ALREADY_ENABLED: 'http' already in 'internal'
2023-08-12 13:27:37 WARNING: ALREADY_ENABLED: http
2023-08-12 13:27:37 WARNING: ALREADY_ENABLED: 'https' already in 'external'
2023-08-12 13:27:38 WARNING: ALREADY_ENABLED: https
2023-08-12 13:27:38 WARNING: ALREADY_ENABLED: 'https' already in 'internal'
2023-08-12 13:27:38 WARNING: ALREADY_ENABLED: https
2023-08-12 13:27:38 WARNING: ALREADY_ENABLED: 'dns' already in 'internal'
2023-08-12 13:27:38 WARNING: ALREADY_ENABLED: dns
2023-08-12 13:27:39 WARNING: ALREADY_ENABLED: 'dhcp' already in 'internal'
2023-08-12 13:27:39 WARNING: ALREADY_ENABLED: dhcp
2023-08-12 13:27:40 ERROR: INVALID_SERVICE: tor-orport
2023-08-12 13:27:40 ERROR: INVALID_SERVICE: tor-obfs3
2023-08-12 13:27:40 ERROR: INVALID_SERVICE: tor-obfs4
2023-08-12 13:28:51 ERROR: INVALID_SERVICE: tor-orport
2023-08-12 13:28:51 ERROR: INVALID_SERVICE: tor-obfs3
2023-08-12 13:28:51 ERROR: INVALID_SERVICE: tor-obfs4
Tor and Tor Proxy apps are not installed. Shouldn't firewalld know this and
not attempt to set up/use an "INVALID_SERVICE"?
o sudo firewall-cmd --set-log-denied=all and
  sudo firewall-cmd --reload
  both return "success", but nothing further shows up in /var/log/firewalld
  when trying (from an internal machine):
    ping: returns packet filtered.
    traceroute: stops at FreedomBox, last line is: !X
    fetchmail: failed: no route to host
/etc/firewalld/firewalld.conf now reflects "LogDenied=all"
sudo systemctl restart firewalld returns with no error but also has no
further effect on /var/log/firewalld.
o rsyslog is not running and masked. /var/log/messages is a 0 length file.
o The new diagnostic tests all pass, including "Direct passthrough rules
exist". /etc/firewall.d/direct.xml contains the rule:
<passthrough ipv="ipv4">-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT</passthrough>
Shouldn't this be the applicable one that should allow packets from
inside to go out? Is it possible that the order of the rules in
/etc/firewall.d/direct.xml is significant?
Where else is (or should be) firewalld putting log messages?
If the firewall is disabled (via cockpit -> Networking) everything works as
expected.
Trying to figure out this problem without logs is an exercise in frustration.
All the firewall-cmd commands I've tried return valid information and no
errors, yet packets don't go through.
FreedomBox 23.14. I applied the manual fix:
sudo apt install -t bookworm-backports freedombox
for the backports to work.
Any hints?
Thanks.
Augustine
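An added diagnostic example, not from the original post or the FreedomBox project: with LogDenied=all, firewalld installs netfilter LOG rules, so the per-packet denial records appear as kernel log lines (journalctl -k or dmesg, or /var/log/kern.log when a syslog daemon is running), while /var/log/firewalld only carries firewalld's own configuration errors like the ones quoted above. The Python below parses both formats and groups kernel denials by forwarding path; all sample lines, the host name, interface names, addresses and ports are constructed placeholders.

```python
import re
from collections import Counter

# Constructed sample in the /var/log/firewalld format quoted in the post.
FIREWALLD_LOG = """\
2023-08-12 13:25:28 ERROR: INVALID_SERVICE: tor-orport
2023-08-12 13:26:57 WARNING: ZONE_ALREADY_SET: external
2023-08-12 13:27:37 WARNING: ALREADY_ENABLED: 'http' already in 'external'
2023-08-12 13:27:40 ERROR: INVALID_SERVICE: tor-orport
"""

# Constructed sample of kernel log lines (journalctl -k) of the shape the
# netfilter LOG target emits for firewalld's LogDenied rules; host name,
# interfaces, addresses and ports are placeholders, not values from the post.
KERNEL_LOG = """\
Aug 12 13:30:01 fbx kernel: FINAL_REJECT: IN=eth1 OUT=eth0 SRC=192.168.5.20 DST=203.0.113.7 LEN=84 TTL=63 PROTO=ICMP TYPE=8 CODE=0
Aug 12 13:30:02 fbx kernel: FINAL_REJECT: IN=eth1 OUT=eth0 SRC=192.168.5.20 DST=203.0.113.7 LEN=60 TTL=63 PROTO=TCP SPT=43210 DPT=993 SYN
Aug 12 13:30:03 fbx kernel: usb 1-1: new high-speed USB device number 2
"""

FWD_LINE = re.compile(r"^(\S+ \S+) (ERROR|WARNING): ([A-Z_]+): (.*)$")
KV = re.compile(r"\b([A-Z]+)=(\S*)")  # netfilter KEY=value fields


def summarize_firewalld_log(text):
    """Count (level, code) pairs; this file never records packet decisions."""
    counts = Counter()
    for line in text.splitlines():
        m = FWD_LINE.match(line)
        if m:
            counts[(m.group(2), m.group(3))] += 1
    return counts


def parse_kernel_denials(text, prefix="FINAL_REJECT:"):
    """Return the netfilter fields of kernel lines carrying a LogDenied prefix."""
    hits = []
    for line in text.splitlines():
        if prefix not in line:
            continue  # unrelated kernel message
        hits.append(dict(KV.findall(line.split(prefix, 1)[1])))
    return hits


def denied_paths(text):
    """Group denials by (IN, OUT, PROTO, DPT): a blocked zone-to-zone path repeats."""
    return Counter((f.get("IN"), f.get("OUT"), f.get("PROTO"), f.get("DPT", "-"))
                   for f in parse_kernel_denials(text))
```

Run it against real output with `journalctl -k --no-pager` piped into `parse_kernel_denials`; a path that repeats in `denied_paths` is the traffic the active rule set is rejecting.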