[Freedombox-discuss] Firewalld logging.

A. F. Cano afc54 at comcast.net
Mon Aug 14 04:17:21 BST 2023 


In my ongoing attemps to figure out why packets from inside are not going
through unless the firewall is disabled, I notice that:

o /var/log/firewalld only is updated at boot time, and only contains the
  following (date and time were of last reboot):

2023-08-12 13:25:28 ERROR: INVALID_SERVICE: tor-orport
2023-08-12 13:25:28 ERROR: INVALID_SERVICE: tor-obfs3
2023-08-12 13:25:29 ERROR: INVALID_SERVICE: tor-obfs4
2023-08-12 13:26:10 ERROR: INVALID_SERVICE: tor-orport
2023-08-12 13:26:10 ERROR: INVALID_SERVICE: tor-obfs3
2023-08-12 13:26:10 ERROR: INVALID_SERVICE: tor-obfs4
2023-08-12 13:26:57 WARNING: ZONE_ALREADY_SET: external
2023-08-12 13:27:37 WARNING: ALREADY_ENABLED: 'http' already in 'external'
2023-08-12 13:27:37 WARNING: ALREADY_ENABLED: http
2023-08-12 13:27:37 WARNING: ALREADY_ENABLED: 'http' already in 'internal'
2023-08-12 13:27:37 WARNING: ALREADY_ENABLED: http
2023-08-12 13:27:37 WARNING: ALREADY_ENABLED: 'https' already in 'external'
2023-08-12 13:27:38 WARNING: ALREADY_ENABLED: https
2023-08-12 13:27:38 WARNING: ALREADY_ENABLED: 'https' already in 'internal'
2023-08-12 13:27:38 WARNING: ALREADY_ENABLED: https
2023-08-12 13:27:38 WARNING: ALREADY_ENABLED: 'dns' already in 'internal'
2023-08-12 13:27:38 WARNING: ALREADY_ENABLED: dns
2023-08-12 13:27:39 WARNING: ALREADY_ENABLED: 'dhcp' already in 'internal'
2023-08-12 13:27:39 WARNING: ALREADY_ENABLED: dhcp
2023-08-12 13:27:40 ERROR: INVALID_SERVICE: tor-orport
2023-08-12 13:27:40 ERROR: INVALID_SERVICE: tor-obfs3
2023-08-12 13:27:40 ERROR: INVALID_SERVICE: tor-obfs4
2023-08-12 13:28:51 ERROR: INVALID_SERVICE: tor-orport
2023-08-12 13:28:51 ERROR: INVALID_SERVICE: tor-obfs3
2023-08-12 13:28:51 ERROR: INVALID_SERVICE: tor-obfs4

Tor and Tor Proxy apps are not installed.  Shouldn't firewalld know this and
not attempt to set up/use an "INVALID_SERVICE"?

o sudo firewall-cmd --set-log-denied=all and
  sudo firewall-cmd --reload

  both return "success" but nothing further shows up in /var/log/firewalld
  when trying (from internal machine)
  ping: returns packet filtered.
  traceroute: stops at FreedomBox, last line is: !X
  fetchmail:  failed: no route to host

  /etc/firewalld/firewalld.conf now reflects "LogDenied=all"
  sudo systemctl restart firewalld returns with no error but also has no
  further effect on /var/log/firewalld.

o rsyslog is not running and masked.  /var/log/messages is a 0 length file.

o The new diagnostic tests all pass, including "Direct passthrough rules
  exist"  /etc/firewall.d/direct.xml contains the rule:

<passthrough ipv="ipv4">-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT</passthrough>

  Shouldn't this be the applicable one that should allow packets from
  inside to go out?  Is it possible that the order of the rules in
  /etc/firewall.d/direct.xml is significant?

Where else is (or should be) firewalld putting log messages?

If the firewall is disabled (via cockpit -> Networking) everything works as
expected.

Trying to figure out this problem without logs is an exercise in frustration.
All the firewall-cmd commands I've tried return valid information and no
errors, yet packets don't go through.

FreedomBox 23.14.  I applied the manual fix:

sudo apt install -t bookworm-backports freedombox

for the backports to work.

Any hints?

Thanks.

Augustine

More information about the Freedombox-discuss mailing list