[Freedombox-discuss] Since the dist-upgrade of 2 days ago, no packets flow in<->out

A. F. Cano afc54 at comcast.net
Wed Jun 14 23:05:39 BST 2023


On Tue, Jun 13, 2023 at 08:25:04AM -0400, James Valleroy via Freedombox-discuss wrote:
> Hello Augustine,
> 
> On 6/12/23 8:53 PM, A. F. Cano wrote:
> > The issue that I have no solution for and is quite critical is that no
> > packets flow through the firewall.  Even though the firewall page claims
> > that all requests originating from inside should go through (and did
> > before the upgrade), I have to disable the firewall to get and send email.
> > Similarly, any HTTP or HTTPS request that doesn't go through privoxy
> > (such as aptitude requests to the Debian repositories) fail.  I have
> > encountered this before and it eventually got fixed.
> 
> There are 2 items that you can check related to the firewall.
> 
> 1) Check that DefaultZone=external in /etc/firewalld/firewalld.conf.
> In case it is different, you can run this command to change it:
> $ sudo firewall-cmd --set-default-zone=external

It was set to public, now changed to external but it doesn't make any
difference.  At first I thought that maybe public and external are
synonymous as far as functionality, but 

$ sudo firewall-cmd --permanent --list-all-zones

lists public as not active.  There are some inconsistencies over time
and upgrades:

$ sudo grep DefaultZone  firewalld/firewalld.conf
DefaultZone=external	(after I changed it, used to be public)
$ sudo grep DefaultZone  firewalld/firewalld.conf.old
DefaultZone=public
$ sudo grep DefaultZone  firewalld/firewalld.conf.dpkg-old
DefaultZone=external

The active zones are:

$ sudo firewall-cmd --permanent --list-all-zones

...

external (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp1s0
  sources: 
  services: coturn-freedombox http https infinoted-plinth matrix-synapse-plinth mumble-plinth ssh syncthing xmpp-bosh xmpp-client xmpp-server
  ports: 
  protocols: 
  forward: no
  masquerade: yes
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules:

...

internal (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp2s0 enp3s0
  sources: 
  services: coturn-freedombox dhcp dhcpv6-client dns http https infinoted-plinth matrix-synapse-plinth mdns mumble-plinth privoxy samba-client ssh syncthing xmpp-bosh xmpp-client xmpp-server
  ports: 
  protocols: 
  forward: no
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules:


> 2) It sounds like you may be using 2 interfaces on the FreedomBox, one

Actually 3:

$ sudo firewall-cmd --get-active-zones
external
  interfaces: enp1s0
internal
  interfaces: enp2s0 enp3s0


> internal and one external. In that case, you will need to create a policy
> that allows forwarding between zones. There are steps listed here:
> https://bugzilla.redhat.com/show_bug.cgi?id=2016864#c8

I see that there is a series of commands that supposedly do this, but
the previous version of the FreedomBox didn't require any of this.  In
fact, the policies file is empty.

$ sudo ls -lth firewalld
total 24K
-rw------- 1 root root 2.5K Jun 13 14:16 firewalld.conf
-rw------- 1 root root 2.5K Jan  6 11:44 firewalld.conf.old
-rw-r--r-- 1 root root 1.5K Dec 10  2022 direct.xml
-rw-r--r-- 1 root root 1.4K Dec 10  2022 direct.xml.old
-rw------- 1 root root 2.7K Nov 16  2021 firewalld.conf.dpkg-old
drwxr-xr-x 1 root root  112 Nov 16  2021 zones
drwxr-xr-x 1 root root    0 Feb  1  2021 helpers
drwxr-xr-x 1 root root    0 Feb  1  2021 icmptypes
drwxr-xr-x 1 root root    0 Feb  1  2021 ipsets
-rw-r--r-- 1 root root  268 Feb  1  2021 lockdown-whitelist.xml
drwxr-xr-x 1 root root    0 Feb  1  2021 policies
drwxr-xr-x 1 root root    0 Feb  1  2021 services

Did something get messed up during the upgrade? I'm reluctant to fine
tune the firewall manually as that might create unintended holes.

The firewall page in plinth clearly says:

"Incoming requests are blocked by default. Outgoing requests are not
blocked."

Obviously, the outgoing requests are also being blocked.  What would be
the cause of that? What command would let me see the specific rule
that's causing this? What would be the command that would allow outgoing
requests to go through? Or is the sequence of commands in the above link
the only way? This is what I've copied below.


# create new policy
firewall-cmd --permanent --new-policy int_to_ext_fwd
firewall-cmd --permanent --policy int_to_ext_fwd --add-ingress-zone internal
firewall-cmd --permanent --policy int_to_ext_fwd --add-egress-zone external
firewall-cmd --permanent --policy int_to_ext_fwd --set-priority 100
firewall-cmd --permanent --policy int_to_ext_fwd --set-target ACCEPT

# Enable masquerade on external (this should already be the case if the setup worked on F34); 'forward' does not need to be set
firewall-cmd --permanent --zone=external --add-masquerade

# Enable forward on internal (this is a new setting)
firewall-cmd --permanent --zone=internal --add-forward

# restart firewalld
systemctl restart firewalld.service

The above applies to Red Hat, and there is no firewalld.service on the
FreedomBox.  Presumably the same can be achieved by a --reload?

Obviously I don't understand the fine points of firewall rules.

$ sudo firewall-cmd --permanent --list-all-policies
allow-host-ipv6 (active)
  priority: -15000
  target: CONTINUE
  ingress-zones: ANY
  egress-zones: HOST
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
        rule family="ipv6" icmp-type name="neighbour-advertisement" accept
        rule family="ipv6" icmp-type name="neighbour-solicitation" accept
        rule family="ipv6" icmp-type name="router-advertisement" accept
        rule family="ipv6" icmp-type name="redirect" accept

so, there is only one policy called allow-host-ipv6.
But if I do:

$ sudo firewall-cmd --permanent  --policy allow-host-ipv6 --add-egress-zone external
Error: INVALID_ZONE: Policy 'allow-host-ipv6': 'egress_zones' may only contain one of: many regular zones, ANY, or HOST

Requesting ANY seems risky, HOST obviously doesn't work (current
situation), I would think that external would fall within "many regular
zones".  I'm lost.

Can anyone see what I'm doing wrong or what I'm missing?
Obviously this is an issue that affects all ports, so
enumerating individual ports should not be necessary.

> (Found this via a post on the forum: https://discuss.freedombox.org/t/debian-12-bookworm-release-and-upgrading/2591/5)

Too bad I didn't find this before I interrupted the upgrade after 2
days.  But then I didn't know outgoing packets would stop flowing almost
immediately, thus leaving me without email for days and soon after the
FreedomBox became totally inaccessible.  Argh!

Thanks for replying.  Does anyone have further ideas/suggestions?
Thanks.

Augustine
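As an added diagnostic (not code from the thread, from FreedomBox or from the Red Hat bug), the script below parses the text of `firewall-cmd --permanent --list-all-zones` and `--list-all-policies` and reports which of the three prerequisites from the linked steps is still missing: masquerade on external, forward on internal, and an ACCEPT policy with internal as ingress and external as egress. The zone and policy names are the ones used in the thread; the sample dumps are constructed from the output quoted above.

```shell
# Added diagnostic, not code from the thread or from FreedomBox: given the text
# of `firewall-cmd --permanent --list-all-zones` and `--list-all-policies`,
# report which prerequisite for internal->external forwarding is still missing.
# Print one attribute ("masquerade", "target", ...) of one named zone or policy
# block in a firewalld dump read on stdin.  Usage: attr_of <block> <attribute>
attr_of() {
  awk -v blk="$1" -v key="$2" '
    /^[A-Za-z0-9_-]+( \(active\))?$/ { cur = $1; next }  # block header line
    cur == blk && $1 == (key ":") { sub(/^[^:]*: */, ""); print; exit }'
}

# has_word <space-separated list> <word>: true when the list contains the word
has_word() { case " $1 " in *" $2 "*) return 0 ;; esac; return 1; }

# Exit 0 only when every prerequisite holds; print each one that is missing.
# Usage: check_forwarding <zones-dump> <policies-dump> [policy-name]
check_forwarding() {
  zones=$1 policies=$2 pol=${3:-int_to_ext_fwd} rc=0
  [ "$(printf '%s\n' "$zones" | attr_of external masquerade)" = yes ] ||
    { echo "external: masquerade is not enabled"; rc=1; }
  [ "$(printf '%s\n' "$zones" | attr_of internal forward)" = yes ] ||
    { echo "internal: forward is not enabled"; rc=1; }
  [ "$(printf '%s\n' "$policies" | attr_of "$pol" target)" = ACCEPT ] ||
    { echo "policy $pol: missing, or target is not ACCEPT"; rc=1; }
  has_word "$(printf '%s\n' "$policies" | attr_of "$pol" ingress-zones)" internal ||
    { echo "policy $pol: internal is not an ingress zone"; rc=1; }
  has_word "$(printf '%s\n' "$policies" | attr_of "$pol" egress-zones)" external ||
    { echo "policy $pol: external is not an egress zone"; rc=1; }
  return $rc
}

# Constructed sample dumps: trimmed from the post's output (before any policy
# exists) and as they would look after the policy and forward are added.
ZONES_BEFORE='external (active)
  forward: no
  masquerade: yes
internal (active)
  forward: no
  masquerade: no'
ZONES_AFTER=$(printf '%s\n' "$ZONES_BEFORE" | sed '/^internal/,$s/forward: no/forward: yes/')
POLICIES_BEFORE='allow-host-ipv6 (active)
  target: CONTINUE
  ingress-zones: ANY
  egress-zones: HOST'
POLICIES_AFTER="$POLICIES_BEFORE
int_to_ext_fwd (active)
  target: ACCEPT
  ingress-zones: internal
  egress-zones: external"

check_forwarding "$ZONES_BEFORE" "$POLICIES_BEFORE" || echo "-> not yet forwarding"
```

On the box itself, pass `$(sudo firewall-cmd --permanent --list-all-zones)` and `$(sudo firewall-cmd --permanent --list-all-policies)` as the two arguments; permanent changes are activated with `sudo firewall-cmd --reload`, which is the equivalent of the service restart in the Red Hat steps.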
