Package: firewalld
Version: 1.3.0-1
Severity: important
X-Debbugs-Cc: gerard.mone...@gmail.com

Dear Maintainer,

I created one Debian Bookworm server for use as a gateway for an internal network, using firewalld. In Debian Bullseye it was as easy as installing the package firewalld (unchanged config) and:

```
sudo firewall-cmd --zone=external --add-interface=enp0s3 --permanent
sudo firewall-cmd --zone=internal --add-interface=enp0s8 --permanent
sudo firewall-cmd --reload
```

Considering enp0s3 as the "public" interface, and enp0s8 as the "private". I have no more rules for the sake of brevity, at this moment.

Any server on the private network (only one interface, same network as enp0s8 10.0.0.0/24) was able to do an `apt update` or a `curl http://www.debian.org/`. Packages were forwarded and masqueraded by firewalld nftables rules, but after doing the same gateway build in Bookworm, logs are filled with "filter_FWD_internal_REJECT" messages (`sudo firewall-cmd --set-log-denied=all` and `sudo journalctl -x -e`).

I tried to repeat the build using Bullseye and backports (only changes firewalld version from 0.9.3-2 to 1.3.0-1~bpo11+1), and it started to fail as described, so this is not an nftables issue, but a firewalld issue. Same failure with Bookworm using Sid packages (version 1.3.3-1).

Firewalld internal and external zones are identical (`sudo firewall-cmd --zone=internal --list-all`) in all scenarios, so the issue is not coming from firewalld usage or configuration.

-- System Information:
Debian Release: 12.0
APT prefers stable-security
APT policy: (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-9-amd64 (SMP w/1 CPU thread; PREEMPT)
Locale: LANG=es_ES.UTF-8, LC_CTYPE=es_ES.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages firewalld depends on:
ii  dbus              1.14.6-1
ii  gir1.2-glib-2.0   1.74.0-3
ii  gir1.2-nm-1.0     1.42.4-1
ii  polkitd           122-3
ii  python3           3.11.2-1+b1
ii  python3-dbus      1.3.2-4+b1
ii  python3-firewall  1.3.0-1
ii  python3-gi        3.42.2-3+b1
ii  python3-nftables  1.0.6-2

Versions of packages firewalld recommends:
ii  ipset           7.17-1
ii  iptables        1.8.9-2
ii  python3-cap-ng  0.8.3-1+b3

firewalld suggests no packages.

-- Configuration Files:
/etc/firewalld/firewalld.conf [Errno 13] Permiso denegado: '/etc/firewalld/firewalld.conf'
/etc/firewalld/lockdown-whitelist.xml [Errno 13] Permiso denegado: '/etc/firewalld/lockdown-whitelist.xml'

-- no debconf information