[Freedombox-discuss] Since the dist-upgrade of 2 days ago, no packets flow in<->out

James Valleroy jvalleroy at mailbox.org
Tue Jun 20 03:19:29 BST 2023

On 6/14/23 6:05 PM, A. F. Cano wrote:
> On Tue, Jun 13, 2023 at 08:25:04AM -0400, James Valleroy via Freedombox-discuss wrote:
>> internal and one external. In that case, you will need to create a policy
>> that allows forwarding between zones. There are steps listed here:
>> https://bugzilla.redhat.com/show_bug.cgi?id=2016864#c8
> I see that there is s series of commands that supposedly do this, but
> the previous version of the FreedomBox didn't require any of this.  in
> fact, the policies file is empty.

Yes, it is a change in the newer version of firewalld.

> // create new policy
> firewall-cmd --permanent --new-policy int_to_ext_fwd
> firewall-cmd --permanent --policy int_to_ext_fwd --add-ingress-zone internal
> firewall-cmd --permanent --policy int_to_ext_fwd --add-egress-zone external
> firewall-cmd --permanent --policy int_to_ext_fwd --set-priority 100
> firewall-cmd --permanent --policy int_to_ext_fwd --set-target ACCEPT
> // Enable masquerade on external (this should already be the case if the setup worked on F34); 'forward' does not need to be set
> firewall-cmd --permanent --zone=external --add-masquerade
> // Enable forward on internal (this is a new setting)
> firewall-cmd --permanent --zone=internal --add-forward
> // restart firewalld
> systemctl restart firewalld.service
> The above applies to redhat, and there is no firewalld.service on the
> FreedomBox.  Presumably the same can be achieved by a ==reload?

There is a firewalld.service located at /usr/lib/systemd/system/firewalld.service.

> Obviously I don't understand the fine points of firewall rules.
> $ sudo firewall-cmd --permanent --list-all-policies
> allow-host-ipv6 (active)
>    priority: -15000
>    target: CONTINUE
>    ingress-zones: ANY
>    egress-zones: HOST
>    services:
>    ports:
>    protocols:
>    masquerade: no
>    forward-ports:
>    source-ports:
>    icmp-blocks:
>    rich rules:
>          rule family="ipv6" icmp-type name="neighbour-advertisement" accept
>          rule family="ipv6" icmp-type name="neighbour-solicitation" accept
>          rule family="ipv6" icmp-type name="router-advertisement" accept
>          rule family="ipv6" icmp-type name="redirect" accept
> so, there is only one policy called allow-host-ipv6.
> But if I do:
> $ sudo firewall-cmd --permanent  --policy allow-host-ipv6 --add-egress-zone external
> Error: INVALID_ZONE: Policy 'allow-host-ipv6': 'egress_zones' may only contain one of: many regular zones, ANY, or HOST

This is the wrong policy to be changing. You are supposed to create a new policy.

> Requesting ANY seems risky, HOST obviously doesn't work (current
> situation), I would think that external would fall within "many regular
> zones".  I'm lost.
> Can anyone see what I'm doing wrong or what I'm missing?
> Obviously this is an issue that affects all ports, so
> enumerating individual ports should not be necessary.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 840 bytes
Desc: OpenPGP digital signature
URL: <http://alioth-lists.debian.net/pipermail/freedombox-discuss/attachments/20230619/ec41a6fc/attachment-0001.sig>

More information about the Freedombox-discuss mailing list