[Freedombox-discuss] Since the dist-upgrade of 2 days ago, no packets flow in<->out
James Valleroy
jvalleroy at mailbox.org
Tue Jun 20 03:19:29 BST 2023
On 6/14/23 6:05 PM, A. F. Cano wrote:
> On Tue, Jun 13, 2023 at 08:25:04AM -0400, James Valleroy via Freedombox-discuss wrote:
>> internal and one external. In that case, you will need to create a policy
>> that allows forwarding between zones. There are steps listed here:
>> https://bugzilla.redhat.com/show_bug.cgi?id=2016864#c8
>
> I see that there is a series of commands that supposedly do this, but
> the previous version of the FreedomBox didn't require any of this. In
> fact, the policies file is empty.
Yes, it is a change in the newer version of firewalld.
>
> // create new policy
> firewall-cmd --permanent --new-policy int_to_ext_fwd
> firewall-cmd --permanent --policy int_to_ext_fwd --add-ingress-zone internal
> firewall-cmd --permanent --policy int_to_ext_fwd --add-egress-zone external
> firewall-cmd --permanent --policy int_to_ext_fwd --set-priority 100
> firewall-cmd --permanent --policy int_to_ext_fwd --set-target ACCEPT
>
> // Enable masquerade on external (this should already be the case if the setup worked on F34); 'forward' does not need to be set
> firewall-cmd --permanent --zone=external --add-masquerade
>
> // Enable forward on internal (this is a new setting)
> firewall-cmd --permanent --zone=internal --add-forward
>
> // restart firewalld
> systemctl restart firewalld.service
>
> The above applies to Red Hat, and there is no firewalld.service on the
> FreedomBox. Presumably the same can be achieved by a --reload?
There is a firewalld.service located at /usr/lib/systemd/system/firewalld.service.
> Obviously I don't understand the fine points of firewall rules.
>
> $ sudo firewall-cmd --permanent --list-all-policies
> allow-host-ipv6 (active)
> priority: -15000
> target: CONTINUE
> ingress-zones: ANY
> egress-zones: HOST
> services:
> ports:
> protocols:
> masquerade: no
> forward-ports:
> source-ports:
> icmp-blocks:
> rich rules:
> rule family="ipv6" icmp-type name="neighbour-advertisement" accept
> rule family="ipv6" icmp-type name="neighbour-solicitation" accept
> rule family="ipv6" icmp-type name="router-advertisement" accept
> rule family="ipv6" icmp-type name="redirect" accept
>
> so, there is only one policy called allow-host-ipv6.
> But if I do:
>
> $ sudo firewall-cmd --permanent --policy allow-host-ipv6 --add-egress-zone external
> Error: INVALID_ZONE: Policy 'allow-host-ipv6': 'egress_zones' may only contain one of: many regular zones, ANY, or HOST
This is the wrong policy to be changing. You are supposed to create a new policy.
> Requesting ANY seems risky, HOST obviously doesn't work (current
> situation), I would think that external would fall within "many regular
> zones". I'm lost.
>
> Can anyone see what I'm doing wrong or what I'm missing?
> Obviously this is an issue that affects all ports, so
> enumerating individual ports should not be necessary.
>
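The forwarding-policy steps quoted above, collected into a re-runnable script as an added example (not from the thread, the Bugzilla comment or the FreedomBox project). The policy name int_to_ext_fwd and the zone names come from the quoted steps; the FIREWALL_CMD override is an assumption added here so the exact command sequence can be previewed with FIREWALL_CMD=echo before it is run against a live box.

```shell
#!/bin/sh
# Create a firewalld policy that permits forwarding from the internal zone to
# the external zone, following the steps quoted in the thread. Every call goes
# through $FIREWALL_CMD so the sequence can be previewed with FIREWALL_CMD=echo.
set -eu

FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"

# All changes go to the permanent configuration and are activated by a single
# --reload at the end, so no restart of firewalld.service is needed.
fw() { "$FIREWALL_CMD" --permanent "$@"; }

# --get-policies prints a space-separated list; match the whole name only.
policy_exists() {
  fw --get-policies | tr ' ' '\n' | grep -qx -- "$1"
}

# create_forward_policy NAME INGRESS_ZONE EGRESS_ZONE
create_forward_policy() {
  name=$1; ingress=$2; egress=$3

  # Re-running the script must not fail on an existing policy.
  if policy_exists "$name"; then
    echo "policy $name already exists, leaving it alone" >&2
  else
    fw --new-policy "$name"
    fw --policy "$name" --add-ingress-zone "$ingress"
    fw --policy "$name" --add-egress-zone "$egress"
    # Priority 100 as in the quoted steps: it sorts after the negative-priority
    # allow-host-ipv6 policy shown in the thread.
    fw --policy "$name" --set-priority 100
    fw --policy "$name" --set-target ACCEPT
  fi

  # Masquerade on the egress zone so forwarded LAN traffic leaves with the
  # box's external address; forward on the ingress zone is the new zone
  # setting the quoted steps enable. Both are idempotent in firewall-cmd.
  fw --zone="$egress" --add-masquerade
  fw --zone="$ingress" --add-forward

  # Apply the permanent configuration to the running firewall.
  "$FIREWALL_CMD" --reload
}
```

Run it as `create_forward_policy int_to_ext_fwd internal external` after sourcing the file; `firewall-cmd --info-policy int_to_ext_fwd` then shows the resulting policy.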