On Tue, Jun 13, 2023 at 08:25:04AM -0400, James Valleroy via Freedombox-discuss wrote:
> Hello Augustine,
>
> On 6/12/23 8:53 PM, A. F. Cano wrote:
> > The issue that I have no solution for and is quite critical is that no
> > packets flow through the firewall. Even though the firewall page claims
> > that all requests originating from inside should go through (and did
> > before the upgrade), I have to disable the firewall to get and send email.
> > Similarly, any HTTP or HTTPS request that doesn't go through privoxy
> > (such as aptitude requests to the Debian repositories) fail. I have
> > encountered this before and it eventually got fixed.
>
> There are 2 items that you can check related to the firewall.
>
> 1) Check that DefaultZone=external in /etc/firewalld/firewalld.conf.
> In case it is different, you can run this command to change it:
> $ sudo firewall-cmd --set-default-zone=external
It was set to public, now changed to external, but it doesn't make any
difference. At first I thought that maybe public and external are
synonymous as far as functionality, but

$ sudo firewall-cmd --permanent --list-all-zones

lists public as not active. There are some inconsistencies over time and
upgrades:

$ sudo grep DefaultZone firewalld/firewalld.conf
DefaultZone=external (after I changed it, used to be public)
$ sudo grep DefaultZone firewalld/firewalld.conf.old
DefaultZone=public
$ sudo grep DefaultZone firewalld/firewalld.conf.dpkg-old
DefaultZone=external

The active zones are:

$ sudo firewall-cmd --permanent --list-all-zones
...
external (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp1s0
  sources:
  services: coturn-freedombox http https infinoted-plinth matrix-synapse-plinth mumble-plinth ssh syncthing xmpp-bosh xmpp-client xmpp-server
  ports:
  protocols:
  forward: no
  masquerade: yes
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
...
internal (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp2s0 enp3s0
  sources:
  services: coturn-freedombox dhcp dhcpv6-client dns http https infinoted-plinth matrix-synapse-plinth mdns mumble-plinth privoxy samba-client ssh syncthing xmpp-bosh xmpp-client xmpp-server
  ports:
  protocols:
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

> 2) It sounds like you may be using 2 interfaces on the FreedomBox, one

Actually 3:

$ sudo firewall-cmd --get-active-zones
external
  interfaces: enp1s0
internal
  interfaces: enp2s0 enp3s0

> internal and one external. In that case, you will need to create a policy
> that allows forwarding between zones. There are steps listed here:
> https://bugzilla.redhat.com/show_bug.cgi?id=2016864#c8

I see that there is a series of commands that supposedly do this, but the
previous version of the FreedomBox didn't require any of this. In fact,
the policies file is empty.
$ sudo ls -lth firewalld
total 24K
-rw------- 1 root root 2.5K Jun 13 14:16 firewalld.conf
-rw------- 1 root root 2.5K Jan  6 11:44 firewalld.conf.old
-rw-r--r-- 1 root root 1.5K Dec 10  2022 direct.xml
-rw-r--r-- 1 root root 1.4K Dec 10  2022 direct.xml.old
-rw------- 1 root root 2.7K Nov 16  2021 firewalld.conf.dpkg-old
drwxr-xr-x 1 root root  112 Nov 16  2021 zones
drwxr-xr-x 1 root root    0 Feb  1  2021 helpers
drwxr-xr-x 1 root root    0 Feb  1  2021 icmptypes
drwxr-xr-x 1 root root    0 Feb  1  2021 ipsets
-rw-r--r-- 1 root root  268 Feb  1  2021 lockdown-whitelist.xml
drwxr-xr-x 1 root root    0 Feb  1  2021 policies
drwxr-xr-x 1 root root    0 Feb  1  2021 services

Did something get messed up during the upgrade? I'm reluctant to fine-tune
the firewall manually as that might create unintended holes. The firewall
page in plinth clearly says: "Incoming requests are blocked by default.
Outgoing requests are not blocked." Obviously, the outgoing requests are
also being blocked. What would be the cause of that? What command would let
me see the specific rule that's causing this? What would be the command
that would allow outgoing requests to go through? Or is the sequence of
commands in the above link the only way? This is what I've copied below.
// create new policy
firewall-cmd --permanent --new-policy int_to_ext_fwd
firewall-cmd --permanent --policy int_to_ext_fwd --add-ingress-zone internal
firewall-cmd --permanent --policy int_to_ext_fwd --add-egress-zone external
firewall-cmd --permanent --policy int_to_ext_fwd --set-priority 100
firewall-cmd --permanent --policy int_to_ext_fwd --set-target ACCEPT

// Enable masquerade on external (this should already be the case if the setup worked on F34); 'forward' does not need to be set
firewall-cmd --permanent --zone=external --add-masquerade

// Enable forward on internal (this is a new setting)
firewall-cmd --permanent --zone=internal --add-forward

// restart firewalld
systemctl restart firewalld.service

The above applies to Red Hat, and there is no firewalld.service on the
FreedomBox. Presumably the same can be achieved by a --reload? Obviously I
don't understand the fine points of firewall rules.

$ sudo firewall-cmd --permanent --list-all-policies
allow-host-ipv6 (active)
  priority: -15000
  target: CONTINUE
  ingress-zones: ANY
  egress-zones: HOST
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
	rule family="ipv6" icmp-type name="neighbour-advertisement" accept
	rule family="ipv6" icmp-type name="neighbour-solicitation" accept
	rule family="ipv6" icmp-type name="router-advertisement" accept
	rule family="ipv6" icmp-type name="redirect" accept

So, there is only one policy, called allow-host-ipv6. But if I do:

$ sudo firewall-cmd --permanent --policy allow-host-ipv6 --add-egress-zone external
Error: INVALID_ZONE: Policy 'allow-host-ipv6': 'egress_zones' may only contain one of: many regular zones, ANY, or HOST

Requesting ANY seems risky, HOST obviously doesn't work (current
situation), I would think that external would fall within "many regular
zones". I'm lost. Can anyone see what I'm doing wrong or what I'm missing?
Obviously this is an issue that affects all ports, so enumerating
individual ports should not be necessary.
> (Found this via a post on the forum:
> https://discuss.freedombox.org/t/debian-12-bookworm-release-and-upgrading/2591/5)

Too bad I didn't find this before I interrupted the upgrade after 2 days.
But then I didn't know outgoing packets would stop flowing almost
immediately, thus leaving me without email for days, and soon after the
FreedomBox became totally inaccessible. Argh!

Thanks for replying. Does anyone have further ideas/suggestions?

Thanks.

Augustine

_______________________________________________
Freedombox-discuss mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/freedombox-discuss
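The thread above boils down to reading two firewall-cmd listings and checking whether any policy lets traffic entering the internal zone leave through the external zone. The script below is an added example (not part of the mailing-list post, FreedomBox, or firewalld) that parses captured `firewall-cmd --list-all-zones` and `--list-all-policies` text offline and reports which of the three conditions from the quoted Red Hat bugzilla steps (an ACCEPT policy from ingress to egress zone, masquerade on the egress zone, forward on the ingress zone) are missing, then emits the corresponding firewall-cmd lines. The sample listings are constructed, abbreviated transcriptions of the output posted in the thread; the policy name `int_to_ext_fwd` is taken from the quoted steps, and ending with `firewall-cmd --reload` rather than `systemctl restart` is this example's choice.

```python
"""Offline check of firewalld zone/policy listings for inter-zone forwarding.
Added example; parses captured firewall-cmd output and never runs firewall-cmd."""
import re
from dataclasses import dataclass, field


@dataclass
class Block:
    """One zone or policy as printed by `firewall-cmd --list-all-*`."""
    name: str
    active: bool
    attrs: dict = field(default_factory=dict)


def parse_listing(text: str) -> dict:
    """Parse `--list-all-zones` / `--list-all-policies` text into {name: Block}.

    An unindented line such as `external (active)` opens a block; indented
    `key: value` lines fill it; indented lines without a `key:` prefix (the
    rich rules) are appended to the value of the previous key.
    """
    blocks, cur, last_key = {}, None, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():
            m = re.match(r"^(\S+)(?:\s+\((active)\))?\s*$", raw)
            if m:
                cur = Block(m.group(1), m.group(2) == "active")
                blocks[cur.name] = cur
                last_key = None
            continue
        if cur is None:
            continue
        line = raw.strip()
        m = re.match(r"^([A-Za-z][\w -]*?):\s*(.*)$", line)  # rich rules never match
        if m:
            last_key = m.group(1)
            cur.attrs[last_key] = m.group(2)
        elif last_key is not None:
            cur.attrs[last_key] = (cur.attrs[last_key] + "\n" + line).strip()
    return blocks


def words(block: Block, key: str) -> set:
    return set(block.attrs.get(key, "").split())


def forwarding_gaps(zones: dict, policies: dict, ingress: str, egress: str) -> list:
    """List the conditions from the bugzilla steps that are NOT satisfied for
    traffic entering `ingress` to be forwarded out through `egress`."""
    gaps = []
    accepting = [p for p in policies.values()
                 if p.attrs.get("target") == "ACCEPT"
                 and words(p, "ingress-zones") & {ingress, "ANY"}
                 and words(p, "egress-zones") & {egress, "ANY"}]
    if not accepting:
        gaps.append(f"no ACCEPT policy with ingress {ingress} and egress {egress}")
    if egress not in zones or zones[egress].attrs.get("masquerade") != "yes":
        gaps.append(f"masquerade not enabled on zone {egress}")
    if ingress not in zones or zones[ingress].attrs.get("forward") != "yes":
        gaps.append(f"forward not enabled on zone {ingress}")
    return gaps


def remediation(ingress: str, egress: str, policy: str = "int_to_ext_fwd") -> list:
    """The firewall-cmd sequence from the quoted steps; --permanent changes only
    take effect after the final --reload (assumed equivalent to the restart)."""
    base = f"firewall-cmd --permanent --policy {policy}"
    return [f"firewall-cmd --permanent --new-policy {policy}",
            f"{base} --add-ingress-zone {ingress}",
            f"{base} --add-egress-zone {egress}",
            f"{base} --set-priority 100",
            f"{base} --set-target ACCEPT",
            f"firewall-cmd --permanent --zone={egress} --add-masquerade",
            f"firewall-cmd --permanent --zone={ingress} --add-forward",
            "firewall-cmd --reload"]


# Constructed sample input: abbreviated from the listings posted in the thread.
SAMPLE_ZONES = """\
external (active)
  target: default
  interfaces: enp1s0
  services: coturn-freedombox http https ssh
  forward: no
  masquerade: yes
  rich rules:

internal (active)
  target: default
  interfaces: enp2s0 enp3s0
  services: dhcp dns http https privoxy ssh
  forward: no
  masquerade: no
  rich rules:
"""

SAMPLE_POLICIES = """\
allow-host-ipv6 (active)
  priority: -15000
  target: CONTINUE
  ingress-zones: ANY
  egress-zones: HOST
  rich rules:
\trule family="ipv6" icmp-type name="neighbour-advertisement" accept
\trule family="ipv6" icmp-type name="neighbour-solicitation" accept
"""

if __name__ == "__main__":
    z, p = parse_listing(SAMPLE_ZONES), parse_listing(SAMPLE_POLICIES)
    for gap in forwarding_gaps(z, p, "internal", "external"):
        print("missing:", gap)
    print("\n".join(remediation("internal", "external")))
```

On a live box the two listings would come from `sudo firewall-cmd --permanent --list-all-zones` and `--list-all-policies` instead of the constructed strings; with the posted output the check reports the missing policy and the disabled `forward` on internal, while masquerade on external is already satisfied.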
