[Freedombox-discuss] New FreedomBox install, a few show stopper problems.

A. F. Cano afc54 at comcast.net
Sun Jul 23 22:59:38 BST 2023


Hello all,

In my ongoing attempts to figure out why the firewall does not allow any
packets from inside to go out, I have created a brand new FreedomBox
image on a new SD card:

Downloaded the latest FreedomBox bookworm/debian 12 for the apu1d4:

xz -d freedombox-bookworm_all-amd64.img.xz
sudo dd bs=1M if=freedombox-bookworm_all-amd64.img of=/dev/sdf conv=fdatasync status=progress

It finished with no errors.

Mounted this new card and copied the definitions of the interfaces:

cd /mnt/etc/NetworkManager/system-connections
sudo cp /home/afc/<location of saved files>/FreedomBox\ WAN .
sudo cp /home/afc/<location of saved files>/FreedomBox\ LAN\ enp2s0 .
sudo cp /home/afc/<location of saved files>/FreedomBox\ LAN\ enp3s0 .

The idea here is that with these definitions pre-loaded I would have
access to the new SD card as easily as the old one.  Not so fast.

Plugged it into the Freedombox (an apu1d4) and ...

First problem: All my internal browsers use privoxy on the FreedomBox,
so I got that error since Privoxy is not installed (yet) on the new
FreedomBox.

My freedombox is not called "freedombox" so I had to change the name in
the https:.... line.  After that I could connect after telling the
browser to ignore the self-signed certificate error.

Started the setup phase: administrative user, how the FreedomBox is
connected to the internet: FreedomBox is your router, type of internet
connection: may change over time, frequent updates activated.

Then did a software update.

After that, installed the old apps I had installed:

Coturn, ejabberd, ikiwiki, infinoted, matrix-synapse, mumble, privoxy,
radicale, roundcube, searx, shaarli, sharing, syncthing, zoph.

And here is where I encountered the first insurmountable problem.  It
claimed that matrix-synapse "is not available in your distribution".
This is obviously incorrect as my upgraded FreedomBox image (the one
with the firewall problem) has matrix-synapse installed and working
fine.

Also, the firewall issue remains.  Just as in the old image, inside
packets don't go out through the firewall.  I have to disable it in
order to run fetchmail from the inside.  This used to work fine before
the dist-upgrade to bookworm.  Other internal apps that apparently need
to send packets out also don't work, such as syncthing and element.

There is this rule in direct.xml:

<passthrough ipv="ipv4">-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT</passthrough>

So why is this happening?  Has no one else encountered this issue?

I have contacted the developers of syncthing and they are aware of the
problem and intend to fix it at some point.  The problem is that even
though both the syncthing client and server are on the inside network
and therefore should not need access to sites outside, access to who
knows what outside is necessary for it to sync.

Fetchmail and element also require the firewall to be disabled.
Fetchmail has a good reason to send packets out: to contact the comcast
mail server, but element should not need to send packets out since
matrix-synapse is on the FreedomBox.

In any case, I manually installed all the apps since I was prompted to
do so.  It would be nice if they would be installed automatically by the
restore process, but that also didn't work.

I have a remote backup set up on an internal machine, so I tried to add
a "Remote Backup Location" so I could restore all the user data to this
new FreedomBox image.

But I got this error:

Command '['borg', 'info', '--json', '/media/7a8c91aa-2999-11ee-812e-000db93f92a8']' returned non-zero exit status 2.
Repository removed.

Second fatal error.  Not only can I not install matrix-synapse, I can't
restore any of my user data.  And the original problem that prompted all
this, inside packets that don't go out because the firewall is blocking
them, is still here, on a brand new image.

It looks like this is not something that got messed up on my old image,
but some fundamental bug present in the distribution.  In the last
couple of days python3-nftables and other firewall packages have been
updated, but it didn't make any difference.

Any ideas?  I intended to compare firewall rules between the old image
and the new one, but the new one has the same problem.

Any suggestions?

Thanks for reading this far...

Augustine
