On 6/14/23 6:05 PM, A. F. Cano wrote:
> On Tue, Jun 13, 2023 at 08:25:04AM -0400, James Valleroy via Freedombox-discuss wrote:
>> internal and one external. In that case, you will need to create a policy that allows forwarding between zones. There are steps listed here: https://bugzilla.redhat.com/show_bug.cgi?id=2016864#c8
>
> I see that there is a series of commands that supposedly do this, but the previous version of the FreedomBox didn't require any of this. In fact, the policies file is empty.
Yes, it is a change in the newer version of firewalld.
> // create new policy
> firewall-cmd --permanent --new-policy int_to_ext_fwd
> firewall-cmd --permanent --policy int_to_ext_fwd --add-ingress-zone internal
> firewall-cmd --permanent --policy int_to_ext_fwd --add-egress-zone external
> firewall-cmd --permanent --policy int_to_ext_fwd --set-priority 100
> firewall-cmd --permanent --policy int_to_ext_fwd --set-target ACCEPT
> // Enable masquerade on external (this should already be the case if the setup worked on F34); 'forward' does not need to be set
> firewall-cmd --permanent --zone=external --add-masquerade
> // Enable forward on internal (this is a new setting)
> firewall-cmd --permanent --zone=internal --add-forward
> // restart firewalld
> systemctl restart firewalld.service
>
> The above applies to redhat, and there is no firewalld.service on the FreedomBox. Presumably the same can be achieved by a --reload?
There is a firewalld.service located at /usr/lib/systemd/system/firewalld.service.
> Obviously I don't understand the fine points of firewall rules.
> $ sudo firewall-cmd --permanent --list-all-policies
> allow-host-ipv6 (active)
>   priority: -15000
>   target: CONTINUE
>   ingress-zones: ANY
>   egress-zones: HOST
>   services:
>   ports:
>   protocols:
>   masquerade: no
>   forward-ports:
>   source-ports:
>   icmp-blocks:
>   rich rules:
>     rule family="ipv6" icmp-type name="neighbour-advertisement" accept
>     rule family="ipv6" icmp-type name="neighbour-solicitation" accept
>     rule family="ipv6" icmp-type name="router-advertisement" accept
>     rule family="ipv6" icmp-type name="redirect" accept
>
> So, there is only one policy called allow-host-ipv6.
>
> But if I do:
>
> $ sudo firewall-cmd --permanent --policy allow-host-ipv6 --add-egress-zone external
> Error: INVALID_ZONE: Policy 'allow-host-ipv6': 'egress_zones' may only contain one of: many regular zones, ANY, or HOST
This is the wrong policy to be changing. You are supposed to create a new policy.
> Requesting ANY seems risky, HOST obviously doesn't work (current situation), I would think that external would fall within "many regular zones". I'm lost. Can anyone see what I'm doing wrong or what I'm missing? Obviously this is an issue that affects all ports, so enumerating individual ports should not be necessary.
_______________________________________________
Freedombox-discuss mailing list
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/freedombox-discuss
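As an added example that is not part of the thread or of FreedomBox's own code: a small POSIX shell/awk check that parses the `firewall-cmd --permanent --list-all-policies` listing format shown above and reports which policies would actually forward traffic from one zone to another (target ACCEPT, matching ingress and egress zones). It makes concrete why allow-host-ipv6 can never do the job (its egress is HOST) and lets you confirm that the int_to_ext_fwd policy from the quoted bugzilla steps is really in place. The function names and the sample listing are my own constructions.

```shell
#!/bin/sh
# Added example (not from the thread): report which firewalld policies forward
# traffic from one zone to another, by parsing the output of
#   firewall-cmd --permanent --list-all-policies

# find_forward_policy INGRESS EGRESS   (listing on stdin)
# Prints each policy whose target is ACCEPT and whose ingress/egress zones
# include INGRESS/EGRESS (or ANY). A policy with egress HOST, such as
# allow-host-ipv6, never qualifies: HOST only covers traffic to the box itself.
find_forward_policy() {
    awk -v want_in="$1" -v want_out="$2" '
        function has_zone(line, z,    n, f, i) {
            n = split(line, f)             # f[1] is "ingress-zones:" etc.
            for (i = 2; i <= n; i++)
                if (f[i] == z || f[i] == "ANY") return 1
            return 0
        }
        function flush() {
            if (name != "" && target == "ACCEPT" &&
                has_zone(ingress, want_in) && has_zone(egress, want_out))
                print name
            name = ""; ingress = ""; egress = ""; target = ""
        }
        # A policy header is a bare name, optionally followed by "(active)"
        /^[A-Za-z0-9_.-]+( \(active\))?$/ { flush(); name = $1; next }
        $1 == "ingress-zones:" { ingress = $0 }
        $1 == "egress-zones:"  { egress = $0 }
        $1 == "target:"        { target = $2 }
        END { flush() }'
}

# Constructed listing: the thread's allow-host-ipv6 policy plus the
# int_to_ext_fwd policy that the quoted bugzilla steps create.
SAMPLE_LISTING='allow-host-ipv6 (active)
  priority: -15000
  target: CONTINUE
  ingress-zones: ANY
  egress-zones: HOST
  rich rules:
	rule family="ipv6" icmp-type name="router-advertisement" accept
int_to_ext_fwd (active)
  priority: 100
  target: ACCEPT
  ingress-zones: internal
  egress-zones: external
  masquerade: no'

# check_sample INGRESS EGRESS: run the parser over the constructed listing.
check_sample() {
    printf '%s\n' "$SAMPLE_LISTING" | find_forward_policy "$1" "$2"
}

# On a real box: sudo firewall-cmd --permanent --list-all-policies | find_forward_policy internal external
check_sample internal external        # prints int_to_ext_fwd
```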
