[Freedombox-discuss] Up to date FreedomBox testing: no forwarding.

A. F. Cano afc54 at comcast.net
Mon Sep 4 13:17:15 BST 2023


On Mon, Sep 04, 2023 at 06:36:44AM -0400, James Valleroy via Freedombox-discuss wrote:
> ...
> 
> Can you share the output of this command?
> 
> $ sudo firewall-cmd --permanent --list-all-policies

$ sudo firewall-cmd --permanent --list-all-policies
allow-host-ipv6 (active)
  priority: -15000
  target: CONTINUE
  ingress-zones: ANY
  egress-zones: HOST
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
        rule family="ipv6" icmp-type name="neighbour-advertisement" accept
        rule family="ipv6" icmp-type name="neighbour-solicitation" accept
        rule family="ipv6" icmp-type name="router-advertisement" accept
        rule family="ipv6" icmp-type name="redirect" accept

This command returns the exact same thing on both the testing FreedomBox
described in this thread and the production one (Debian 12/stable).

/etc/firewalld/policies is empty in both.  Interesting that there are no
ipv4 rich rules and that the file /etc/firewalld/direct.xml does contain
them.

Incidentally, per

https://firewalld.org/documentation/man-pages/firewalld.direct.html

firewalld direct.xml config is deprecated.  Could this be the reason
for the no-forwarding problem?

It says:

"The direct interface has been deprecated. It will be removed in a
future release. It is superseded by policies"

Under the "Caveats" section, 

"Depending on the value of FirewallBackend (see firewalld.conf(5)) direct
rules behave differently in some scenarios. 

Packet accept/drop precedence

 Due to implementation details of netfilter inside the kernel,
 if FirewallBackend=nftables is used direct rules that ACCEPT
 packets don't actually cause the packets to be immediately accepted
 by the system. Those packets are still subject to firewalld's
 nftables ruleset. This basically means there are two independent
 firewalls and packets must be accepted by both (iptables and nftables).
 As an aside, this scenario also occurs inside of nftables (again due
 to netfilter) if there are multiple chains attached to the same hook
 - it's not as simple as iptables vs nftables."

So, I replaced nftables with iptables in /etc/firewalld/firewalld.conf

  FirewallBackend=iptables

and

sudo systemctl restart firewalld

Now the error message is:

This site can't be reached
www.debian.org refused to connect
Try:
 o Checking the connection
 o Checking the proxy and the firewall  (there is no proxy)
ERR_CONNECTION_REFUSED

Unfortunately, workaround 4 (Revert to the iptables backend) doesn't solve
the problem.

Is /etc/firewalld/direct.xml being ignored?  Should the ultimate solution be
to rewrite direct.xml as policies?

This is the content of /etc/firewalld/direct.xml:

<?xml version="1.0" encoding="utf-8"?>
<direct>
  <passthrough ipv="ipv4">-A OUTPUT -m owner --uid-owner root -j MARK --or-mark 0x800000</passthrough>
  <passthrough ipv="ipv4">-A OUTPUT -m owner --uid-owner www-data -j MARK --or-mark 0x800000</passthrough>
  <passthrough ipv="ipv4">-A OUTPUT -m owner --gid-owner root -j MARK --or-mark 0x800000</passthrough>
  <passthrough ipv="ipv4">-A OUTPUT -m owner --gid-owner www-data -j MARK --or-mark 0x800000</passthrough>
  <passthrough ipv="ipv4">-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT</passthrough>
  <passthrough ipv="ipv4">-A INPUT -m mark --mark 0x800000/0x800000 -j ACCEPT</passthrough>
  <passthrough ipv="ipv6">-A OUTPUT -m owner --uid-owner root -j MARK --or-mark 0x800000</passthrough>
  <passthrough ipv="ipv6">-A OUTPUT -m owner --uid-owner www-data -j MARK --or-mark 0x800000</passthrough>
  <passthrough ipv="ipv6">-A OUTPUT -m owner --gid-owner root -j MARK --or-mark 0x800000</passthrough>
  <passthrough ipv="ipv6">-A OUTPUT -m owner --gid-owner www-data -j MARK --or-mark 0x800000</passthrough>
  <passthrough ipv="ipv6">-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT</passthrough>
  <passthrough ipv="ipv6">-A INPUT -m mark --mark 0x800000/0x800000 -j ACCEPT</passthrough>
</direct>

It does have a whole set of ipv4 rules.  I don't fully understand all
the details in these rules, so can't re-write them as policies.  Any
help will be welcome.

Thanks.

Augustine
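A small inspection script, added here as an editor's example and not part of the original post or of FreedomBox, that reads the two files the thread is concerned with: the direct.xml passthrough rules and the FirewallBackend setting in firewalld.conf. It parses each passthrough into its chain and jump target, summarises the rules per address family, and applies the caveat quoted from firewalld.direct(5): under FirewallBackend=nftables, direct ACCEPT rules do not short-circuit the firewalld nftables ruleset. The XML below is a constructed copy of the file quoted in the post; the firewalld.conf fragments are constructed, and the function names are this example's own.

```python
"""Inspect firewalld direct.xml passthrough rules against the FirewallBackend setting."""
import re
import shlex
import xml.etree.ElementTree as ET
from collections import Counter
from dataclasses import dataclass, field

# Constructed copy of the /etc/firewalld/direct.xml quoted in the thread.
DIRECT_XML = """<?xml version="1.0" encoding="utf-8"?>
<direct>
  <passthrough ipv="ipv4">-A OUTPUT -m owner --uid-owner root -j MARK --or-mark 0x800000</passthrough>
  <passthrough ipv="ipv4">-A OUTPUT -m owner --uid-owner www-data -j MARK --or-mark 0x800000</passthrough>
  <passthrough ipv="ipv4">-A OUTPUT -m owner --gid-owner root -j MARK --or-mark 0x800000</passthrough>
  <passthrough ipv="ipv4">-A OUTPUT -m owner --gid-owner www-data -j MARK --or-mark 0x800000</passthrough>
  <passthrough ipv="ipv4">-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT</passthrough>
  <passthrough ipv="ipv4">-A INPUT -m mark --mark 0x800000/0x800000 -j ACCEPT</passthrough>
  <passthrough ipv="ipv6">-A OUTPUT -m owner --uid-owner root -j MARK --or-mark 0x800000</passthrough>
  <passthrough ipv="ipv6">-A OUTPUT -m owner --uid-owner www-data -j MARK --or-mark 0x800000</passthrough>
  <passthrough ipv="ipv6">-A OUTPUT -m owner --gid-owner root -j MARK --or-mark 0x800000</passthrough>
  <passthrough ipv="ipv6">-A OUTPUT -m owner --gid-owner www-data -j MARK --or-mark 0x800000</passthrough>
  <passthrough ipv="ipv6">-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT</passthrough>
  <passthrough ipv="ipv6">-A INPUT -m mark --mark 0x800000/0x800000 -j ACCEPT</passthrough>
</direct>
"""

# Constructed firewalld.conf fragments: the default backend, and the setting
# the post switched to. A real box would read /etc/firewalld/firewalld.conf.
CONF_NFTABLES = "# FirewallBackend selects the backend\nFirewallBackend=nftables\n"
CONF_IPTABLES = "FirewallBackend=iptables\n"


@dataclass
class PassthroughRule:
    ipv: str            # "ipv4" or "ipv6"
    chain: str          # chain named after -A, e.g. OUTPUT or INPUT
    target: str         # jump target after -j, e.g. MARK or ACCEPT
    argv: list = field(default_factory=list)


def parse_direct_xml(text):
    """Parse a direct.xml document into PassthroughRule objects."""
    data = text.encode("utf-8") if isinstance(text, str) else text
    root = ET.fromstring(data)
    if root.tag != "direct":
        raise ValueError("not a firewalld direct.xml document")
    rules = []
    for el in root.findall("passthrough"):
        argv = shlex.split(el.text or "")
        chain = argv[argv.index("-A") + 1] if "-A" in argv else ""
        target = argv[argv.index("-j") + 1] if "-j" in argv else ""
        rules.append(PassthroughRule(el.get("ipv", ""), chain, target, argv))
    return rules


def firewall_backend(conf_text):
    """Return the active FirewallBackend value; firewalld defaults to nftables."""
    m = re.search(r"^\s*FirewallBackend\s*=\s*(\S+)", conf_text, re.M)
    return m.group(1) if m else "nftables"


def summarize(rules):
    """Count rules per (address family, chain, target)."""
    return Counter((r.ipv, r.chain, r.target) for r in rules)


def audit(rules, backend):
    """Apply the firewalld.direct(5) caveats; returns a list of findings."""
    findings = ["direct interface is deprecated (firewalld.direct(5)); "
                "%d passthrough rule(s) should be migrated to policies" % len(rules)]
    accepts = [r for r in rules if r.target == "ACCEPT"]
    if backend == "nftables" and accepts:
        findings.append("%d direct ACCEPT rule(s) do not bypass the firewalld "
                        "nftables ruleset while FirewallBackend=nftables" % len(accepts))
    return findings


if __name__ == "__main__":
    parsed = parse_direct_xml(DIRECT_XML)
    for key, n in sorted(summarize(parsed).items()):
        print("%-4s %-6s -> %-6s x%d" % (key + (n,)))
    for conf in (CONF_NFTABLES, CONF_IPTABLES):
        be = firewall_backend(conf)
        print("backend=%s" % be)
        for line in audit(parsed, be):
            print("  -", line)
```

Run as-is it reports the twelve rules (four MARK rules in OUTPUT and two ACCEPT rules in INPUT per address family) and, only for the nftables backend, the second finding that the INPUT ACCEPTs are still evaluated by the firewalld nftables ruleset. To inspect a live system instead, pass the contents of /etc/firewalld/direct.xml and /etc/firewalld/firewalld.conf to the same two functions.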


