[Freedombox-discuss] Progress report 4
A. F. Cano
afc54 at comcast.net
Mon Jun 19 22:17:48 BST 2023
Hello again,
I think I figured out why I'm having the problems I have, but not yet
how to solve the issue.
A file that had previously escaped me: /etc/firewalld/direct.xml
apparently has the firewall rules relative to my installation:
$ sudo cat direct.xml
<?xml version="1.0" encoding="utf-8"?>
<direct>
<passthrough ipv="ipv4">-A OUTPUT -m owner --uid-owner root -j MARK --or-mark 0x800000</passthrough>
<passthrough ipv="ipv4">-A OUTPUT -m owner --uid-owner www-data -j MARK --or-mark 0x800000</passthrough>
<passthrough ipv="ipv4">-A OUTPUT -m owner --gid-owner root -j MARK --or-mark 0x800000</passthrough>
<passthrough ipv="ipv4">-A OUTPUT -m owner --gid-owner www-data -j MARK --or-mark 0x800000</passthrough>
<passthrough ipv="ipv4">-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT</passthrough>
<passthrough ipv="ipv4">-A INPUT -m mark --mark 0x800000/0x800000 -j ACCEPT</passthrough>
<passthrough ipv="ipv4">-A INPUT -p tcp --dport 8384 -j REJECT</passthrough>
<passthrough ipv="ipv6">-A OUTPUT -m owner --uid-owner root -j MARK --or-mark 0x800000</passthrough>
<passthrough ipv="ipv6">-A OUTPUT -m owner --uid-owner www-data -j MARK --or-mark 0x800000</passthrough>
<passthrough ipv="ipv6">-A OUTPUT -m owner --gid-owner root -j MARK --or-mark 0x800000</passthrough>
<passthrough ipv="ipv6">-A OUTPUT -m owner --gid-owner www-data -j MARK --or-mark 0x800000</passthrough>
<passthrough ipv="ipv6">-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT</passthrough>
<passthrough ipv="ipv6">-A INPUT -m mark --mark 0x800000/0x800000 -j ACCEPT</passthrough>
<passthrough ipv="ipv6">-A INPUT -p tcp --dport 8384 -j REJECT</passthrough>
</direct>
I think this is the rule that should allow connections from the inside
to go through:
<passthrough ipv="ipv6">-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT</passthrough>
But all the others, with -m owner, apparently fail.
$ sudo nft -n list ruleset
gives many warnings like this:
Warning: Extension owner is not supported, missing kernel module?
The FreedomBox is completely up-to-date. The booted kernel is:
$ cat /proc/version
Linux version 6.1.0-9-amd64 (debian-kernel at lists.debian.org) (gcc-12 (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40) #1 SMP PREEMPT_DYNAMIC Debian 6.1.27-1 (2023-05-08)
I have looked around to see what package I'm missing but can find
nothing relevant. The missing module, per a man page I found:
owner
This module attempts to match various characteristics of the
packet creator, for locally generated packets. This match is only
valid in the OUTPUT and POSTROUTING chains. Forwarded packets do
not have any socket associated with them. Packets from kernel
threads do have a socket, but usually no owner.
[!] --uid-owner username
[!] --uid-owner userid[-userid]
Matches if the packet socket's file structure (if it has
one) is owned by the given user. You may also specify a
numerical UID, or an UID range.
[!] --gid-owner groupname
[!] --gid-owner groupid[-groupid]
Matches if the packet socket's file structure is owned by
the given group. You may also specify a numerical GID, or
a GID range.
--suppl-groups
Causes group(s) specified with --gid-owner to be also
checked in the supplementary groups of a process.
[!] --socket-exists
Matches if the packet is associated with a socket.
appears to be the one needed by most of the rules in the direct.xml file.
Any idea what package I need to install that includes this module?
Or is this not related?
Any hints gratefully welcome. Thanks.
Augustine
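As an added illustration (not part of the post above or of FreedomBox's own code), the following script parses a firewalld direct.xml in the shape shown above and reports which passthrough rules depend on the iptables owner match, and whether any of them sit outside the OUTPUT/POSTROUTING chains that the quoted man page says are the only valid ones. The sample XML is constructed for the example; its last rule is deliberately misplaced in INPUT to exercise the chain check.

```python
"""Audit a firewalld direct.xml for rules that depend on the iptables
'owner' match, which is only valid in the OUTPUT and POSTROUTING chains."""
import shlex
import xml.etree.ElementTree as ET

# Constructed sample in the shape of /etc/firewalld/direct.xml; the last
# rule is deliberately placed in INPUT to exercise the chain check.
SAMPLE_DIRECT_XML = """<direct>
<passthrough ipv="ipv4">-A OUTPUT -m owner --uid-owner root -j MARK --or-mark 0x800000</passthrough>
<passthrough ipv="ipv4">-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT</passthrough>
<passthrough ipv="ipv4">-A INPUT -m mark --mark 0x800000/0x800000 -j ACCEPT</passthrough>
<passthrough ipv="ipv4">-A INPUT -p tcp --dport 8384 -j REJECT</passthrough>
<passthrough ipv="ipv6">-A INPUT -m owner --gid-owner www-data -j ACCEPT</passthrough>
</direct>"""


def parse_passthroughs(xml_text):
    """Return one dict per <passthrough>: address family, chain, and the
    list of '-m' match extensions the rule loads."""
    rules = []
    for el in ET.fromstring(xml_text).iter("passthrough"):
        args = shlex.split(el.text or "")
        chain, matches = None, []
        for i, arg in enumerate(args[:-1]):
            if arg in ("-A", "-I"):
                chain = args[i + 1]
            elif arg == "-m":
                matches.append(args[i + 1])
        rules.append({"ipv": el.get("ipv"), "chain": chain,
                      "matches": matches, "rule": el.text})
    return rules


def audit_owner_rules(rules):
    """Return (rules that need the owner extension, those in a chain where
    the owner match is not valid per iptables-extensions(8))."""
    needs_owner = [r for r in rules if "owner" in r["matches"]]
    misplaced = [r for r in needs_owner
                 if r["chain"] not in ("OUTPUT", "POSTROUTING")]
    return needs_owner, misplaced


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DIRECT_XML
    needs, bad = audit_owner_rules(parse_passthroughs(text))
    print(f"{len(needs)} rule(s) load the owner match; "
          f"{len(bad)} of them are outside OUTPUT/POSTROUTING")
    for r in bad:
        print(f"  [{r['ipv']}] {r['rule']}")
```

Run it with the path to the real /etc/firewalld/direct.xml as its argument to audit the live file; without an argument it runs on the constructed sample.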