[Freedombox-discuss] Since the dist-upgrade of 2 days ago, no packets flow in<->out
A. F. Cano
afc54 at comcast.net
Wed Jun 14 23:05:39 BST 2023
On Tue, Jun 13, 2023 at 08:25:04AM -0400, James Valleroy via Freedombox-discuss wrote:
> Hello Augustine,
>
> On 6/12/23 8:53 PM, A. F. Cano wrote:
> > The issue that I have no solution for and is quite critical is that no
> > packets flow through the firewall. Even though the firewall page claims
> > that all requests originating from inside should go through (and did
> > before the upgrade), I have to disable the firewall to get and send email.
> > Similarly, any HTTP or HTTPS request that doesn't go through privoxy
> > (such as aptitude requests to the Debian repositories) fail. I have
> > encountered this before and it eventually got fixed.
>
> There are 2 items that you can check related to the firewall.
>
> 1) Check that DefaultZone=external in /etc/firewalld/firewalld.conf.
> In case it is different, you can run this command to change it:
> $ sudo firewall-cmd --set-default-zone=external
It was set to public, now changed to external but it doesn't make any
difference. At first I thought that maybe public and external are
synonymous as far as functionality, but
$ sudo firewall-cmd --permanent --list-all-zones
lists public as not active. There are some inconsistencies over time
and upgrades:
$ sudo grep DefaultZone firewalld/firewalld.conf
DefaultZone=external (after I changed it, used to be public)
$ sudo grep DefaultZone firewalld/firewalld.conf.old
DefaultZone=public
$ sudo grep DefaultZone firewalld/firewalld.conf.dpkg-old
DefaultZone=external
The active zones are:
$ sudo firewall-cmd --permanent --list-all-zones
...
external (active)
target: default
icmp-block-inversion: no
interfaces: enp1s0
sources:
services: coturn-freedombox http https infinoted-plinth matrix-synapse-plinth mumble-plinth ssh syncthing xmpp-bosh xmpp-client xmpp-server
ports:
protocols:
forward: no
masquerade: yes
forward-ports:
source-ports:
icmp-blocks:
rich rules:
...
internal (active)
target: default
icmp-block-inversion: no
interfaces: enp2s0 enp3s0
sources:
services: coturn-freedombox dhcp dhcpv6-client dns http https infinoted-plinth matrix-synapse-plinth mdns mumble-plinth privoxy samba-client ssh syncthing xmpp-bosh xmpp-client xmpp-server
ports:
protocols:
forward: no
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
> 2) It sounds like you may be using 2 interfaces on the FreedomBox, one
Actually 3:
$ sudo firewall-cmd --get-active-zones
external
interfaces: enp1s0
internal
interfaces: enp2s0 enp3s0
> internal and one external. In that case, you will need to create a policy
> that allows forwarding between zones. There are steps listed here:
> https://bugzilla.redhat.com/show_bug.cgi?id=2016864#c8
I see that there is a series of commands that supposedly do this, but
the previous version of the FreedomBox didn't require any of this. In
fact, the policies file is empty.
$ sudo ls -lth firewalld
total 24K
-rw------- 1 root root 2.5K Jun 13 14:16 firewalld.conf
-rw------- 1 root root 2.5K Jan 6 11:44 firewalld.conf.old
-rw-r--r-- 1 root root 1.5K Dec 10 2022 direct.xml
-rw-r--r-- 1 root root 1.4K Dec 10 2022 direct.xml.old
-rw------- 1 root root 2.7K Nov 16 2021 firewalld.conf.dpkg-old
drwxr-xr-x 1 root root 112 Nov 16 2021 zones
drwxr-xr-x 1 root root 0 Feb 1 2021 helpers
drwxr-xr-x 1 root root 0 Feb 1 2021 icmptypes
drwxr-xr-x 1 root root 0 Feb 1 2021 ipsets
-rw-r--r-- 1 root root 268 Feb 1 2021 lockdown-whitelist.xml
drwxr-xr-x 1 root root 0 Feb 1 2021 policies
drwxr-xr-x 1 root root 0 Feb 1 2021 services
Did something get messed up during the upgrade? I'm reluctant to fine
tune the firewall manually as that might create unintended holes.
The firewall page in plinth clearly says:
"Incoming requests are blocked by default. Outgoing requests are not
blocked."
Obviously, the outgoing requests are also being blocked. What would be
the cause of that? What command would let me see the specific rule
that's causing this? What would be the command that would allow outgoing
requests to go through? Or is the sequence of commands in the above link
the only way? This is what I've copied below.
// create new policy
firewall-cmd --permanent --new-policy int_to_ext_fwd
firewall-cmd --permanent --policy int_to_ext_fwd --add-ingress-zone internal
firewall-cmd --permanent --policy int_to_ext_fwd --add-egress-zone external
firewall-cmd --permanent --policy int_to_ext_fwd --set-priority 100
firewall-cmd --permanent --policy int_to_ext_fwd --set-target ACCEPT
// Enable masquerade on external (this should already be the case if the setup worked on F34); 'forward' does not need to be set
firewall-cmd --permanent --zone=external --add-masquerade
// Enable forward on internal (this is a new setting)
firewall-cmd --permanent --zone=internal --add-forward
// restart firewalld
systemctl restart firewalld.service
The above applies to Red Hat, and there is no firewalld.service on the
FreedomBox. Presumably the same can be achieved by a --reload?
Obviously I don't understand the fine points of firewall rules.
$ sudo firewall-cmd --permanent --list-all-policies
allow-host-ipv6 (active)
priority: -15000
target: CONTINUE
ingress-zones: ANY
egress-zones: HOST
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv6" icmp-type name="neighbour-advertisement" accept
rule family="ipv6" icmp-type name="neighbour-solicitation" accept
rule family="ipv6" icmp-type name="router-advertisement" accept
rule family="ipv6" icmp-type name="redirect" accept
So, there is only one policy called allow-host-ipv6.
But if I do:
$ sudo firewall-cmd --permanent --policy allow-host-ipv6 --add-egress-zone external
Error: INVALID_ZONE: Policy 'allow-host-ipv6': 'egress_zones' may only contain one of: many regular zones, ANY, or HOST
Requesting ANY seems risky, HOST obviously doesn't work (current
situation), I would think that external would fall within "many regular
zones". I'm lost.
Can anyone see what I'm doing wrong or what I'm missing?
Obviously this is an issue that affects all ports, so
enumerating individual ports should not be necessary.
> (Found this via a post on the forum: https://discuss.freedombox.org/t/debian-12-bookworm-release-and-upgrading/2591/5)
Too bad I didn't find this before I interrupted the upgrade after 2
days. But then I didn't know outgoing packets would stop flowing almost
immediately, thus leaving me without email for days and soon after the
FreedomBox became totally inaccessible. Argh!
Thanks for replying. Does anyone have further ideas/suggestions?
Thanks.
Augustine
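An added example, not FreedomBox code and not from anyone in the thread: a small Python audit script that parses the text printed by `firewall-cmd --list-all-zones` and `firewall-cmd --list-all-policies` (the listings embedded below are constructed, modelled on the ones quoted in the message) and reports what is still missing before traffic entering the internal zone can be forwarded out of the external zone. The policy name int_to_ext_fwd and the firewall-cmd sequence it returns come from the Red Hat bug comment linked above, with `firewall-cmd --reload` in place of restarting firewalld.service. It assumes firewalld 1.x semantics, where forwarding between two zones is only permitted by a policy whose ingress zones cover the first (or ANY), whose egress zones cover the second (or ANY) and whose target is ACCEPT.

```python
"""Audit firewalld listings for an internal->external forwarding path.

Added example (not FreedomBox code). It parses `firewall-cmd --list-all-zones`
and `--list-all-policies` output and reports what blocks forwarding from zone
`internal` to zone `external` under firewalld 1.x policy semantics.
"""
import re

# Constructed sample modelled on the post's zone listing, indented as firewall-cmd prints it.
ZONES = """\
external (active)
  interfaces: enp1s0
  services: http https ssh
  forward: no
  masquerade: yes

internal (active)
  interfaces: enp2s0 enp3s0
  services: dhcp dns http https ssh
  forward: no
  masquerade: no
"""

# Constructed sample: the only policy on the post's host; rich rules follow
# the "rich rules:" field on tab-indented lines, as firewall-cmd prints them.
POLICIES_BEFORE = """\
allow-host-ipv6 (active)
  target: CONTINUE
  ingress-zones: ANY
  egress-zones: HOST
  rich rules:
\trule family="ipv6" icmp-type name="neighbour-advertisement" accept
\trule family="ipv6" icmp-type name="neighbour-solicitation" accept
"""

# The same host after the policy from the Red Hat bug comment has been added.
POLICIES_AFTER = POLICIES_BEFORE + """
int_to_ext_fwd (active)
  priority: 100
  target: ACCEPT
  ingress-zones: internal
  egress-zones: external
  rich rules:
"""

HEADER = re.compile(r"^(\S+)(?:\s+\((active)\))?\s*$")

def parse_listing(text):
    """Turn a zone or policy listing into {name: {field: value}}; 'rich rules' is a list."""
    entries, current = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():            # block header, e.g. "external (active)"
            match = HEADER.match(raw)
            current = {"active": match.group(2) is not None, "rich rules": []}
            entries[match.group(1)] = current
            continue
        line = raw.strip()
        if line.startswith("rule "):
            current["rich rules"].append(line)
        else:
            key, _, value = line.partition(":")
            if key != "rich rules":
                current[key.strip()] = value.strip()
    return entries

def _covers(field, zone):
    """True if a policy's ingress/egress field names `zone`, or is ANY."""
    names = field.split()
    return "ANY" in names or zone in names

def forwarding_gaps(zones, policies, ingress="internal", egress="external"):
    """Reasons forwarding from `ingress` to `egress` is blocked; [] if the path is open."""
    gaps = []
    for name in (ingress, egress):
        if not zones.get(name, {}).get("active"):
            gaps.append(f"zone '{name}' is not active (no interface bound to it)")
    if zones.get(egress, {}).get("masquerade") != "yes":   # NAT for private LAN addresses
        gaps.append(f"masquerade is off on zone '{egress}'")
    if not any(pol["active"] and pol.get("target") == "ACCEPT"
               and _covers(pol.get("ingress-zones", ""), ingress)
               and _covers(pol.get("egress-zones", ""), egress)
               for pol in policies.values()):
        gaps.append(f"no active policy with target ACCEPT from '{ingress}' to '{egress}'")
    return gaps

def fix_commands(ingress="internal", egress="external", policy="int_to_ext_fwd"):
    """The firewall-cmd sequence quoted in the post, ending in `firewall-cmd --reload`
    instead of restarting firewalld.service. Returned as strings, never executed here."""
    base = f"firewall-cmd --permanent --policy {policy}"
    return [f"firewall-cmd --permanent --new-policy {policy}",
            f"{base} --add-ingress-zone {ingress}", f"{base} --add-egress-zone {egress}",
            f"{base} --set-priority 100", f"{base} --set-target ACCEPT",
            f"firewall-cmd --permanent --zone={egress} --add-masquerade",
            "firewall-cmd --reload"]

if __name__ == "__main__":
    zones = parse_listing(ZONES)
    for label, text in (("before", POLICIES_BEFORE), ("after", POLICIES_AFTER)):
        print(label + ": " + ("; ".join(forwarding_gaps(zones, parse_listing(text))) or "path open"))
```

Run against the "before" listing it reports only the missing internal-to-external ACCEPT policy, which matches the state shown in the message (external already masquerades, both zones are active); against the "after" listing it reports nothing. Two caveats when using it on a live box: listings taken with `--permanent` show the saved configuration, so compare with the runtime output (`firewall-cmd --list-all-policies` without `--permanent`) to confirm a reload actually applied the policy; and a zone's own `forward` setting, per firewalld.zone(5), only controls forwarding between interfaces inside that zone, which is why the checker does not require it for the internal-to-external path. To see which rule is actually dropping packets, `firewall-cmd --set-log-denied=all` makes firewalld log rejected and dropped packets to the kernel log, and on the nftables backend `nft list ruleset` shows the generated rules.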