[Freedombox-discuss] Up to date FreedomBox testing: no forwarding.
A. F. Cano
afc54 at comcast.net
Mon Sep 4 13:17:15 BST 2023
On Mon, Sep 04, 2023 at 06:36:44AM -0400, James Valleroy via Freedombox-discuss wrote:
> ...
>
> Can you share the output of this command?
>
> $ sudo firewall-cmd --permanent --list-all-policies
$ sudo firewall-cmd --permanent --list-all-policies
allow-host-ipv6 (active)
  priority: -15000
  target: CONTINUE
  ingress-zones: ANY
  egress-zones: HOST
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
    rule family="ipv6" icmp-type name="neighbour-advertisement" accept
    rule family="ipv6" icmp-type name="neighbour-solicitation" accept
    rule family="ipv6" icmp-type name="router-advertisement" accept
    rule family="ipv6" icmp-type name="redirect" accept
This command returns the exact same thing on both the testing FreedomBox
described in this thread and the production one (Debian 12/stable).
/etc/firewalld/policies is empty in both. Interesting that there are no
ipv4 rich rules and that the file /etc/firewalld/direct.xml does contain
them.
Incidentally, per
https://firewalld.org/documentation/man-pages/firewalld.direct.html
the firewalld direct.xml config is deprecated. Could this be the reason
for the no-forwarding problem?
It says:
"The direct interface has been deprecated. It will be removed in a
future release. It is superseded by policies"
Under the "Caveats" section,
"Depending on the value of FirewallBackend (see firewalld.conf(5)) direct
rules behave differently in some scenarios.
Packet accept/drop precedence
Due to implementation details of netfilter inside the kernel,
if FirewallBackend=nftables is used direct rules that ACCEPT
packets don't actually cause the packets to be immediately accepted
by the system. Those packets are still subject to firewalld's
nftables ruleset. This basically means there are two independent
firewalls and packets must be accepted by both (iptables and nftables).
As an aside, this scenario also occurs inside of nftables (again due
to netfilter) if there are multiple chains attached to the same hook
- it's not as simple as iptables vs nftables."
So, I replaced nftables with iptables in /etc/firewalld/firewalld.conf:
FirewallBackend=iptables
and ran
sudo systemctl restart firewalld
Now the error message is:
This site can't be reached
www.debian.org refused to connect
Try:
o Checking the connection
o Checking the proxy and the firewall (there is no proxy)
ERR_CONNECTION_REFUSED
Unfortunately, workaround 4 (Revert to the iptables backend) doesn't solve
the problem.
Is /etc/firewalld/direct.xml being ignored? Should the ultimate solution be
to rewrite direct.xml as policies?
This is the content of /etc/firewalld/direct.xml:
<?xml version="1.0" encoding="utf-8"?>
<direct>
<passthrough ipv="ipv4">-A OUTPUT -m owner --uid-owner root -j MARK --or-mark 0x800000</passthrough>
<passthrough ipv="ipv4">-A OUTPUT -m owner --uid-owner www-data -j MARK --or-mark 0x800000</passthrough>
<passthrough ipv="ipv4">-A OUTPUT -m owner --gid-owner root -j MARK --or-mark 0x800000</passthrough>
<passthrough ipv="ipv4">-A OUTPUT -m owner --gid-owner www-data -j MARK --or-mark 0x800000</passthrough>
<passthrough ipv="ipv4">-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT</passthrough>
<passthrough ipv="ipv4">-A INPUT -m mark --mark 0x800000/0x800000 -j ACCEPT</passthrough>
<passthrough ipv="ipv6">-A OUTPUT -m owner --uid-owner root -j MARK --or-mark 0x800000</passthrough>
<passthrough ipv="ipv6">-A OUTPUT -m owner --uid-owner www-data -j MARK --or-mark 0x800000</passthrough>
<passthrough ipv="ipv6">-A OUTPUT -m owner --gid-owner root -j MARK --or-mark 0x800000</passthrough>
<passthrough ipv="ipv6">-A OUTPUT -m owner --gid-owner www-data -j MARK --or-mark 0x800000</passthrough>
<passthrough ipv="ipv6">-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT</passthrough>
<passthrough ipv="ipv6">-A INPUT -m mark --mark 0x800000/0x800000 -j ACCEPT</passthrough>
</direct>
It does have a whole set of ipv4 rules. I don't fully understand all
the details in these rules, so I can't rewrite them as policies. Any
help will be welcome.
Thanks.
Augustine
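Editor's note, added to this thread and not part of the original post or of
FreedomBox/firewalld code: the passthrough entries in direct.xml above are
plain iptables rule fragments, and it is easier to see what they do once they
are parsed into chain, match and target. The script below is such a parser
(it understands only the argument subset that file uses: -A chain, -m module
--option value, -j target --option value) with the post's direct.xml embedded
as its constructed sample input. Summarising the parsed rules shows the
pattern: the OUTPUT rules OR the bit 0x800000 into the packet mark of
everything sent by processes running as root or www-data (by uid or gid), the
INPUT rule with -m mark accepts packets that carry that bit, and the mark test
really does match what the MARK target sets (mark_matches checks the
value/mask arithmetic). My reading of why this works, not something the
thread states: a packet mark set in OUTPUT is still present in INPUT only for
traffic that loops back over lo on the same host, so the net effect is to let
root and www-data processes reach local services whatever the zone rules say.
The rich rule language has no process-owner match, which is why these rules
live in direct.xml rather than in a policy.

```python
"""Parse firewalld's direct.xml and summarise what its passthrough rules do.
Added example for this thread, not code from FreedomBox or firewalld."""
import shlex
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed sample input: the /etc/firewalld/direct.xml quoted in the post.
DIRECT_XML = """<?xml version="1.0" encoding="utf-8"?>
<direct>
<passthrough ipv="ipv4">-A OUTPUT -m owner --uid-owner root -j MARK --or-mark 0x800000</passthrough>
<passthrough ipv="ipv4">-A OUTPUT -m owner --uid-owner www-data -j MARK --or-mark 0x800000</passthrough>
<passthrough ipv="ipv4">-A OUTPUT -m owner --gid-owner root -j MARK --or-mark 0x800000</passthrough>
<passthrough ipv="ipv4">-A OUTPUT -m owner --gid-owner www-data -j MARK --or-mark 0x800000</passthrough>
<passthrough ipv="ipv4">-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT</passthrough>
<passthrough ipv="ipv4">-A INPUT -m mark --mark 0x800000/0x800000 -j ACCEPT</passthrough>
<passthrough ipv="ipv6">-A OUTPUT -m owner --uid-owner root -j MARK --or-mark 0x800000</passthrough>
<passthrough ipv="ipv6">-A OUTPUT -m owner --uid-owner www-data -j MARK --or-mark 0x800000</passthrough>
<passthrough ipv="ipv6">-A OUTPUT -m owner --gid-owner root -j MARK --or-mark 0x800000</passthrough>
<passthrough ipv="ipv6">-A OUTPUT -m owner --gid-owner www-data -j MARK --or-mark 0x800000</passthrough>
<passthrough ipv="ipv6">-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT</passthrough>
<passthrough ipv="ipv6">-A INPUT -m mark --mark 0x800000/0x800000 -j ACCEPT</passthrough>
</direct>
"""


@dataclass
class Rule:
    family: str                                    # "ipv4" or "ipv6"
    chain: str = ""                                # INPUT, OUTPUT, ...
    matches: dict = field(default_factory=dict)    # module -> {option: value}
    target: str = ""                               # ACCEPT, MARK, ...
    target_opts: dict = field(default_factory=dict)


def parse_passthrough(family: str, text: str) -> Rule:
    """Turn one passthrough rule string into a Rule (subset of iptables syntax)."""
    argv = shlex.split(text)
    rule = Rule(family)
    opts = None  # option dict that the next "--option value" pair belongs to
    i = 0
    while i + 1 < len(argv):
        tok, val = argv[i], argv[i + 1]
        if tok == "-A":
            rule.chain = val
        elif tok == "-m":
            opts = rule.matches.setdefault(val, {})
        elif tok == "-j":
            rule.target, opts = val, rule.target_opts
        elif tok.startswith("--") and opts is not None:
            opts[tok] = val
        else:
            raise ValueError(f"unsupported token {tok!r} in {text!r}")
        i += 2
    if i != len(argv):
        raise ValueError(f"dangling token {argv[-1]!r} in {text!r}")
    return rule


def load_direct_xml(xml_text: str) -> list:
    root = ET.fromstring(xml_text.encode("utf-8"))
    return [parse_passthrough(el.get("ipv", ""), el.text or "")
            for el in root.iter("passthrough")]


def mark_matches(spec: str, packet_mark: int) -> bool:
    """Evaluate an `-m mark --mark value[/mask]` test against a packet mark."""
    value, _, mask = spec.partition("/")
    mask_int = int(mask, 0) if mask else 0xFFFFFFFF
    return (packet_mark & mask_int) == (int(value, 0) & mask_int)


def _opts(o: dict) -> str:
    return " ".join(f"{k} {v}" for k, v in o.items())


def describe(rule: Rule) -> str:
    """One-line rendering of a rule for reading the file by eye."""
    conds = " and ".join(f"{mod} {_opts(o)}" for mod, o in rule.matches.items())
    return f"{rule.family} {rule.chain}: if {conds} then {rule.target} {_opts(rule.target_opts)}".rstrip()


def _empty():
    return {"marked_owners": set(), "marks_set": set(),
            "mark_accepted_in": set(), "conntrack_accept_in": set()}


def summarise(rules: list) -> dict:
    """Per family: who gets marked in OUTPUT, with which mark, and in which
    chains that mark (and established conntrack state) is accepted."""
    out = {}
    for r in rules:  # first pass: marks applied to locally generated packets
        fam = out.setdefault(r.family, _empty())
        if r.chain == "OUTPUT" and r.target == "MARK" and "owner" in r.matches:
            for opt, who in r.matches["owner"].items():
                fam["marked_owners"].add((opt.removeprefix("--").removesuffix("-owner"), who))
            fam["marks_set"].add(int(r.target_opts["--or-mark"], 0))
    for r in rules:  # second pass: where those marks are honoured
        fam = out[r.family]
        if r.target != "ACCEPT":
            continue
        if "mark" in r.matches and fam["marks_set"] and all(
                mark_matches(r.matches["mark"]["--mark"], m) for m in fam["marks_set"]):
            fam["mark_accepted_in"].add(r.chain)
        elif "conntrack" in r.matches:
            fam["conntrack_accept_in"].add(r.chain)
    return out


if __name__ == "__main__":
    parsed = load_direct_xml(DIRECT_XML)
    for r in parsed:
        print(describe(r))
    for family, s in summarise(parsed).items():
        print(f"{family}: owners {sorted(s['marked_owners'])} get mark(s) "
              f"{[hex(m) for m in sorted(s['marks_set'])]} in OUTPUT; "
              f"that mark is accepted in {sorted(s['mark_accepted_in'])}")
```

To run it against a real box, read /etc/firewalld/direct.xml into
load_direct_xml instead of the embedded sample. To answer the "is direct.xml
being ignored?" question, compare `firewall-cmd --permanent --direct
--get-all-passthroughs` (what is on disk) with `firewall-cmd --direct
--get-all-passthroughs` (what firewalld loaded at runtime), and then look at
`iptables -S OUTPUT` / `iptables -S INPUT` (and the ip6tables equivalents) for
what actually reached the kernel; expect the kernel's formatting of the rules
to differ from the XML text, so compare chain, match and target rather than
whole lines.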