Summary: in the upgraded FreedomBox (the one currently running) /etc/firewalld/external.xml is missing the line:
<forward/> which is present in the fresh install. Both have the problem I'm trying to correct: packets generated inside don't go out unless the firewall is disabled, so this apparently is not the critical difference, but which one is correct?

Nonetheless, I have added the <forward/> line to the upgraded FreedomBox and tried fetchmail, which used to work before the dist-upgrade. No difference, even after disabling and re-enabling the firewall via the web interface or firewall-cmd --reload.

This is what running fetchmail on an internal machine causes:

fetchmail: Connection errors for this poll:
name 0: connection to mx.sdf.org:993 [205.166.94.24/993] failed: No route to host.
IMAP connection to mx.sdf.org failed: No route to host
fetchmail: Query status=2 (SOCKET)
^Cfetchmail: terminated with signal 2

To recapitulate: if the firewall is disabled, it works like it used to.

The differences in <service name=".../> can be ignored; in one case matrix-synapse is not available (release-critical bug).

In a fresh install, this is what the internal and external zone descriptions look like:

# cat /etc/firewalld/internal.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Internal</short>
  <description>For use on internal networks. You mostly trust the other computers on the networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <service name="mdns"/>
  <service name="samba-client"/>
  <service name="dhcpv6-client"/>
  <service name="http"/>
  <service name="https"/>
  <service name="dns"/>
  <service name="dhcp"/>
  <service name="coturn-freedombox"/>
  <service name="xmpp-client"/>
  <service name="xmpp-server"/>
  <service name="xmpp-bosh"/>
  <service name="infinoted-plinth"/>
  <service name="mumble-plinth"/>
  <service name="privoxy"/>
  <service name="syncthing"/>
  <forward/>
</zone>

# cat external.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>External</short>
  <description>For use on external networks. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <service name="http"/>
  <service name="https"/>
  <service name="coturn-freedombox"/>
  <service name="xmpp-client"/>
  <service name="xmpp-server"/>
  <service name="xmpp-bosh"/>
  <service name="infinoted-plinth"/>
  <service name="mumble-plinth"/>
  <service name="syncthing"/>
  <masquerade/>
  <forward/>    THIS WAS ADDED TO THE UPGRADED FREEDOMBOX - NO DIFFERENCE
</zone>

On the upgraded FreedomBox:

# cat /etc/firewalld/internal.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Internal</short>
  <description>For use on internal networks. You mostly trust the other computers on the networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <service name="mdns"/>
  <service name="samba-client"/>
  <service name="dhcpv6-client"/>
  <service name="http"/>
  <service name="https"/>
  <service name="dns"/>
  <service name="dhcp"/>
  <service name="matrix-synapse-plinth"/>
  <service name="privoxy"/>
  <service name="syncthing"/>
  <service name="coturn-freedombox"/>
  <service name="mumble-plinth"/>
  <service name="infinoted-plinth"/>
  <service name="xmpp-client"/>
  <service name="xmpp-server"/>
  <service name="xmpp-bosh"/>
  <forward/>
</zone>

# cat external.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>External</short>
  <description>For use on external networks. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <service name="http"/>
  <service name="https"/>
  <service name="matrix-synapse-plinth"/>
  <service name="syncthing"/>
  <service name="coturn-freedombox"/>
  <service name="mumble-plinth"/>
  <service name="infinoted-plinth"/>
  <service name="xmpp-client"/>
  <service name="xmpp-server"/>
  <service name="xmpp-bosh"/>
  <masquerade/>
</zone>

_______________________________________________
Freedombox-discuss mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/freedombox-discuss
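The comparison the post does by eye (which zone file carries <forward/>, which carries <masquerade/>, which services differ) can be done mechanically. The script below is an added example written for this page, not FreedomBox or firewalld code: it parses two zone definitions in the /etc/firewalld/<zone>.xml format and reports only the fields that differ. The two XML strings are constructed inline from the external.xml files quoted above rather than read from disk; the function and variable names are the example's own. In firewalld, <masquerade/> enables NAT for traffic leaving through the zone and <forward/> (firewalld 0.9 and later) enables forwarding between interfaces and sources that are in the same zone.

```python
import xml.etree.ElementTree as ET

# Constructed sample input: the two external.xml files quoted in the post,
# embedded here so the example runs without touching /etc/firewalld.
FRESH_EXTERNAL = """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>External</short>
  <description>For use on external networks.</description>
  <service name="ssh"/>
  <service name="http"/>
  <service name="https"/>
  <service name="coturn-freedombox"/>
  <service name="xmpp-client"/>
  <service name="xmpp-server"/>
  <service name="xmpp-bosh"/>
  <service name="infinoted-plinth"/>
  <service name="mumble-plinth"/>
  <service name="syncthing"/>
  <masquerade/>
  <forward/>
</zone>
"""

UPGRADED_EXTERNAL = """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>External</short>
  <description>For use on external networks.</description>
  <service name="ssh"/>
  <service name="http"/>
  <service name="https"/>
  <service name="matrix-synapse-plinth"/>
  <service name="syncthing"/>
  <service name="coturn-freedombox"/>
  <service name="mumble-plinth"/>
  <service name="infinoted-plinth"/>
  <service name="xmpp-client"/>
  <service name="xmpp-server"/>
  <service name="xmpp-bosh"/>
  <masquerade/>
</zone>
"""

# Empty elements whose mere presence switches a zone-wide behaviour on.
BOOLEAN_FLAGS = ("masquerade", "forward")


def parse_zone(xml_text):
    """Parse one firewalld zone file into a plain dict (hypothetical helper)."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != "zone":
        raise ValueError(f"expected <zone> as root element, got <{root.tag}>")
    return {
        "short": (root.findtext("short") or "").strip(),
        # The zone's default target ("default" unless target="ACCEPT"/"DROP"/"%%REJECT%%").
        "target": root.get("target", "default"),
        "services": {s.get("name") for s in root.findall("service") if s.get("name")},
        "ports": {(p.get("port"), p.get("protocol")) for p in root.findall("port")},
        "interfaces": {i.get("name") for i in root.findall("interface") if i.get("name")},
        "flags": {flag: root.find(flag) is not None for flag in BOOLEAN_FLAGS},
    }


def diff_zones(left, right):
    """Return only the fields on which two parsed zones disagree."""
    diff = {}
    for key in ("short", "target"):
        if left[key] != right[key]:
            diff[key] = (left[key], right[key])
    for key in ("services", "ports", "interfaces"):
        only_left = left[key] - right[key]
        only_right = right[key] - left[key]
        if only_left or only_right:
            diff[key] = {"only_left": only_left, "only_right": only_right}
    for flag in BOOLEAN_FLAGS:
        if left["flags"][flag] != right["flags"][flag]:
            diff[flag] = (left["flags"][flag], right["flags"][flag])
    return diff


def compare_zone_files(left_xml, right_xml):
    """Convenience wrapper: parse both texts and diff them."""
    return diff_zones(parse_zone(left_xml), parse_zone(right_xml))


if __name__ == "__main__":
    for field, value in compare_zone_files(FRESH_EXTERNAL, UPGRADED_EXTERNAL).items():
        print(f"{field}: fresh={value[0] if isinstance(value, tuple) else value['only_left']} "
              f"upgraded={value[1] if isinstance(value, tuple) else value['only_right']}")
```

On the two quoted files this reports exactly what the post describes: forward is present only in the fresh install, masquerade is present in both, and the only service difference is matrix-synapse-plinth. On a live box the same flags can be read from the runtime configuration, which is what is actually loaded after firewall-cmd --reload, with firewall-cmd --zone=external --query-masquerade and --query-forward; firewall-cmd --get-active-zones shows which interfaces are bound to which zone, since the zone files themselves do not carry that binding when it is managed through NetworkManager.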
