[Freedombox-discuss] Up to date FreedomBox testing: no forwarding.

James Valleroy jvalleroy at mailbox.org
Mon Sep 4 11:36:44 BST 2023


Hello,

On 9/3/23 7:49 PM, A. F. Cano wrote:
> 
> FreedomBox testing, 23.16, completely up to date, minimal configuration (the
> only thing I changed was the time zone), on an APU2.
> 
> Networking -> Firewall (via cockpit) says: "Incoming requests are blocked
> by default, Outgoing requests are not blocked."
> 
> And in fact this is how it used to be in Debian 11.  In Debian 12 and 13
> (current stable and testing) this is not reality.

Cockpit is developed independently of FreedomBox, and the developers of Cockpit probably don't know that FreedomBox exists. So the messages shown are meant to be very generic, and they apply to the computer where Cockpit is installed (which in this case is the FreedomBox). So "outgoing requests" means a request originating from the FreedomBox, for example, if you install an app and it downloads the package from Debian.

> To keep it simple: Networking -> Firewall -> http (click on ">") says:
> "This option is not required for viewing pages locally or developing web
> pages".
> 
> First ambiguity: does "viewing pages locally" mean connecting to web servers
> out there (such as www.debian.org) from the internal zone, or only viewing
> pages that are on the internal network or on the FreedomBox?  Presumably it's
> the former, but attempting to view https://www.debian.org returns "This site
> can't be reached https://www.debian.org is unreachable ERR_ADDRESS_UNREACHABLE"

It means if you open a web browser on the computer that has Cockpit installed (FreedomBox in this case), then connecting to a web server out there such as www.debian.org.

> This only happens with the firewall enabled.  If disabled, connecting to any
> site out there works fine.
> 
> Networking -> Firewall -> https (click on ">") says:
> "This option is not required for viewing pages locally or developing web
> pages.  You need the httpd package installed for this option to be useful".
> 
> In addition to the same ambiguity as with http, aptitude reports that httpd
> is not installed, nor is any other package with httpd in its name.

httpd is another name for Apache web server (apache2). It is called httpd on some other distros.

> $ sudo firewall-cmd --list-all --zone=internal
> internal (active)
>    target: default
>    icmp-block-inversion: no
>    interfaces: enp3s0
>    sources:
>    services: dhcp dhcp6-client dns http https mdns samba-client ssh
>    ports:
>    protocols:
>    forward: yes
>    masquerade: no
>    forward-ports:
>    source-ports:
>    icmp-blocks:
>    rich-rules
> 
> $ sudo firewall-cmd --list-all --zone=external
> external (active)
>    target: default
>    icmp-block-inversion: no
>    interfaces: enp1s0
>    sources:
>    services: http https ssh
>    ports:
>    protocols:
>    forward: yes
>    masquerade: yes
>    forward-ports:
>    source-ports:
>    icmp-blocks:
>    rich rules:
> 
> Both say: forward: yes, so why are packets not forwarded unless the firewall
> is disabled?
> 
>  From internal machine:
> 
> $ traceroute www.debian.org
> traceroute to www.debian.org (128.31.0.62), 30 hops max, 60 byte packets
>   1  10.42.0.1 (10.42.0.1)  0.767 ms  0.787 ms  0.792 ms
>   2  10.22.0.1 (10.42.0.1)  0.763 ms !X  0.792 ms !X  0.811 ms !X
> 
> !X means (per the traceroute man page) "communication administratively
>         prohibited"
> 
> I even added "custom ports" 80, 443 to the internal zone, but it didn't
> make any difference.
> 
> As with every other command that sends packets out, when the firewall is
> disabled, everything works as it should.
> 
> I could really use some hints as to what additional testing might figure out
> this problem.  What changed from Debian 11 to Debian 12?
> 
> HELP! It is getting really annoying having to disable the firewall before doing
> anything that requires access to the outside.  It's like the firewall is in
> lockdown mode.  I see the same result when I do:
> 
> $ sudo firewall-cmd --lockdown-on
> success
> 
> But of course even after doing:
> 
> $ sudo firewall-cmd --lockdown-off
> success
> 
> The problem remains.
> 
> I will forward any output from any command that might help diagnose this, but
> all I can do is keep reading manuals, keep researching and keep testing, which
> I will keep doing.  It is strange though that no one (apparently) has
> encountered this issue.

Can you share the output of this command?

$ sudo firewall-cmd --permanent --list-all-policies
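The request for `--list-all-policies` points at what changed between Debian 11 and 12: since firewalld 1.0 a zone's `forward: yes` only enables forwarding between interfaces of that same zone, and traffic crossing from one zone to another (internal to external) is governed by policies. The following is an added example, not code from this thread or from FreedomBox: it parses constructed `firewall-cmd --list-all` / `--list-all-policies` style output and reports whether any ACCEPT policy actually permits internal to external forwarding (the policy name `int-to-ext` and the sample outputs are made up).

```python
# Assumes firewalld >= 1.0: a zone's "forward: yes" is intra-zone only; crossing zones needs an ACCEPT policy. Outputs constructed.
ZONES_OUT = """\
internal (active)
  interfaces: enp3s0
  forward: yes
external (active)
  interfaces: enp1s0
  forward: yes
"""
# Only firewalld's shipped default policy, as on the system described in the thread.
POLICIES_OUT = """\
allow-host-ipv6 (active)
  target: CONTINUE
  ingress-zones: ANY
  egress-zones: HOST
"""

# Same system after a policy "int-to-ext" (constructed name) has been added.
POLICIES_OUT_FIXED = POLICIES_OUT + """\
int-to-ext (active)
  target: ACCEPT
  ingress-zones: internal
  egress-zones: external
"""

def parse_blocks(text):
    """Parse 'name (active)' headers followed by indented 'key: value' lines."""
    blocks, cur = {}, None
    for line in text.splitlines():
        if line and not line[0].isspace():   # zone or policy header
            cur = line.split()[0]
            blocks[cur] = {}
        elif cur and ":" in line:            # "  key: value"
            key, _, val = line.strip().partition(":")
            blocks[cur][key] = val.strip()
    return blocks

def forwarding_allowed(zones_out, policies_out, ingress, egress):
    """Return (intra-zone forward flag of `ingress`, policies permitting ingress->egress)."""
    zones, policies = parse_blocks(zones_out), parse_blocks(policies_out)
    intra = zones.get(ingress, {}).get("forward") == "yes"
    permitting = [name for name, p in policies.items()
                  if p.get("target") == "ACCEPT"
                  and {ingress, "ANY"} & set(p.get("ingress-zones", "").split())
                  and {egress, "ANY"} & set(p.get("egress-zones", "").split())]
    return intra, permitting

for label, out in (("as reported", POLICIES_OUT), ("with policy", POLICIES_OUT_FIXED)):
    intra, names = forwarding_allowed(ZONES_OUT, out, "internal", "external")
    print(f"{label}: internal forward={intra}, internal->external via {names or 'no policy'}")
```

With the default policies alone the script reports that nothing permits internal to external traffic even though both zones show `forward: yes`, which is the situation the traceroute `!X` replies describe.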