[Freedombox-discuss] Up to date FreedomBox testing: no forwarding.

A. F. Cano afc54 at comcast.net
Mon Sep 4 00:49:44 BST 2023


FreedomBox testing, 23.16, completely up to date, minimal configuration (the
only thing I changed was the time zone), on an APU2.

Networking -> Firewall (via cockpit) says: "Incoming requests are blocked
by default, Outgoing requests are not blocked."

And in fact this is how it used to be in Debian 11.  In Debian 12 and 13
(current stable and testing) this is not reality.

To keep it simple: Networking -> Firewall -> http (click on ">") says:
"This option is not required for viewing pages locally or developing web
pages".

First ambiguity: does "viewing pages locally" mean connecting to web servers
out there (such as www.debian.org) from the internal zone, or only viewing
pages that are on the internal network or on the FreedomBox?  Presumably it's
the former, but attempting to view https://www.debian.org returns "This site
can't be reached https://www.debian.org is unreachable ERR_ADDRESS_UNREACHABLE"

This only happens with the firewall enabled.  If disabled, connecting to any
site out there works fine.

Networking -> Firewall -> https (click on ">") says:
"This option is not required for viewing pages locally or developing web
pages.  You need the httpd package installed for this option to be useful".

In addition to the same ambiguity as with http, aptitude reports that httpd
is not installed, nor is any other package with httpd in its name.

$ sudo firewall-cmd --list-all --zone=internal
internal (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp3s0
  sources:
  services: dhcp dhcp6-client dns http https mdns samba-client ssh
  ports:
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

$ sudo firewall-cmd --list-all --zone=external
external (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp1s0
  sources:
  services: http https ssh
  ports:
  protocols:
  forward: yes
  masquerade: yes
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

Both say: forward: yes, so why are packets not forwarded unless the firewall
is disabled?

From internal machine:

$ traceroute www.debian.org
traceroute to www.debian.org (128.31.0.62), 30 hops max, 60 byte packets
 1  10.42.0.1 (10.42.0.1)  0.767 ms  0.787 ms  0.792 ms
 2  10.22.0.1 (10.42.0.1)  0.763 ms !X  0.792 ms !X  0.811 ms !X

!X means (per the traceroute man page) "communication administratively
prohibited"

I even added "custom ports" 80, 443 to the internal zone, but it didn't
make any difference.

As with every other command that sends packets out, when the firewall is
disabled, everything works as it should.

I could really use some hints as to what additional testing might figure out
this problem.  What changed from Debian 11 to Debian 12?

HELP! It is getting really annoying having to disable the firewall before doing
anything that requires access to the outside.  It's like the firewall is in
lockdown mode.  I see the same result when I do:

$ sudo firewall-cmd --lockdown-on
success

But of course even after doing:

$ sudo firewall-cmd --lockdown-off
success

The problem remains.

I will forward any output from any command that might help diagnose this, but
all I can do is keep reading manuals, keep researching and keep testing, which
I will keep doing.  It is strange though that no one (apparently) has
encountered this issue.

Augustine
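
An added diagnostic script, not part of Augustine's post and not FreedomBox code. It reads `firewall-cmd --list-all` and `--list-all-policies` output and checks the one thing the zone listings above cannot show: in firewalld 1.x (Debian 12 ships a 1.x release, Debian 11 a 0.9 release) the zone option `forward: yes` only enables intra-zone forwarding, and forwarding from one zone into another is rejected with ICMP admin-prohibited (the `!X` in the traceroute) unless a policy with an ingress zone, an egress zone and target ACCEPT permits it. Zone services and custom ports, including the 80/443 added to the internal zone, only filter traffic addressed to the box itself, so they do not affect forwarded packets. The sample zone and policy texts are constructed (copied from the post, plus what a permitting policy would look like), the policy name `int-to-ext` is a placeholder, and the exact `--list-all-policies` layout is an assumption about firewalld's output; with `--live` the script queries the running firewalld instead.

```shell
#!/bin/sh
# Constructed sample input, copied from the zone listings in the post.
SAMPLE_INTERNAL='internal (active)
  target: default
  interfaces: enp3s0
  services: dhcp dhcp6-client dns http https mdns samba-client ssh
  forward: yes
  masquerade: no'
SAMPLE_EXTERNAL='external (active)
  target: default
  interfaces: enp1s0
  services: http https ssh
  forward: yes
  masquerade: yes'
# Constructed: what --list-all-policies is assumed to print once a policy
# permitting internal -> external forwarding exists (layout is an assumption).
SAMPLE_POLICY='int-to-ext (active)
  priority: -1
  target: ACCEPT
  ingress-zones: internal
  egress-zones: external
  services:
  ports:'

# zone_forwards ZONE_TEXT: 0 if the zone has "forward: yes" (intra-zone only).
zone_forwards() {
    printf '%s\n' "$1" | grep -q '^[[:space:]]*forward: yes$'
}

# policy_allows POLICIES_TEXT INGRESS EGRESS: 0 if some policy with target
# ACCEPT lists INGRESS among its ingress zones and EGRESS among its egress zones.
policy_allows() {
    printf '%s\n' "$1" | awk -v iz="$2" -v ez="$3" '
        function flush() {
            if (name != "" && tgt == "ACCEPT" &&
                index(ing, " " iz " ") && index(egr, " " ez " "))
                found = 1
            name = ""; tgt = ""; ing = ""; egr = ""
        }
        /^[^ \t]/               { flush(); name = $1 }   # unindented: new policy
        /^[ \t]*target:/        { tgt = $2 }
        /^[ \t]*ingress-zones:/ { ing = " " substr($0, index($0, ":") + 1) " " }
        /^[ \t]*egress-zones:/  { egr = " " substr($0, index($0, ":") + 1) " " }
        END { flush(); exit found ? 0 : 1 }
    '
}

# needed_policy INGRESS EGRESS: print the firewall-cmd (>= 1.0) commands that
# create a permitting policy. "int-to-ext" is a placeholder name.
needed_policy() {
    pol=int-to-ext
    printf 'firewall-cmd --permanent --new-policy %s\n' "$pol"
    printf 'firewall-cmd --permanent --policy %s --add-ingress-zone %s\n' "$pol" "$1"
    printf 'firewall-cmd --permanent --policy %s --add-egress-zone %s\n' "$pol" "$2"
    printf 'firewall-cmd --permanent --policy %s --set-target ACCEPT\n' "$pol"
    printf 'firewall-cmd --reload\n'
}

# diagnose INTERNAL_TEXT EXTERNAL_TEXT POLICIES_TEXT: human-readable report.
diagnose() {
    zone_forwards "$1" || echo "note: internal zone has intra-zone forwarding off"
    zone_forwards "$2" || echo "note: external zone has intra-zone forwarding off"
    if policy_allows "$3" internal external; then
        echo "internal -> external forwarding is permitted by an ACCEPT policy"
    else
        echo "no ACCEPT policy internal -> external: 'forward: yes' on both zones"
        echo "only covers intra-zone forwarding, so forwarded packets are rejected"
        echo "(admin-prohibited). Candidate fix, to be reviewed before applying:"
        needed_policy internal external
    fi
    return 0
}

if [ "${1:-}" = "--live" ] && command -v firewall-cmd >/dev/null 2>&1; then
    diagnose "$(firewall-cmd --list-all --zone=internal)" \
             "$(firewall-cmd --list-all --zone=external)" \
             "$(firewall-cmd --list-all-policies)"
else
    diagnose "$SAMPLE_INTERNAL" "$SAMPLE_EXTERNAL" ""
fi
```

Run it without arguments to see the report for the post's configuration (no policy, so it prints the candidate commands); run `sh diag.sh --live` as root on the box to check the running firewalld. `nft list ruleset` on the box shows the actual reject rule the forwarded packets hit, which is the other thing worth pasting when asking for help.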
