In my ongoing attempts to figure out why packets from inside are not going through unless the firewall is disabled, I notice that:

o /var/log/firewalld only is updated at boot time, and only contains the following (date and time were of last reboot):

2023-08-12 13:25:28 ERROR: INVALID_SERVICE: tor-orport
2023-08-12 13:25:28 ERROR: INVALID_SERVICE: tor-obfs3
2023-08-12 13:25:29 ERROR: INVALID_SERVICE: tor-obfs4
2023-08-12 13:26:10 ERROR: INVALID_SERVICE: tor-orport
2023-08-12 13:26:10 ERROR: INVALID_SERVICE: tor-obfs3
2023-08-12 13:26:10 ERROR: INVALID_SERVICE: tor-obfs4
2023-08-12 13:26:57 WARNING: ZONE_ALREADY_SET: external
2023-08-12 13:27:37 WARNING: ALREADY_ENABLED: 'http' already in 'external'
2023-08-12 13:27:37 WARNING: ALREADY_ENABLED: http
2023-08-12 13:27:37 WARNING: ALREADY_ENABLED: 'http' already in 'internal'
2023-08-12 13:27:37 WARNING: ALREADY_ENABLED: http
2023-08-12 13:27:37 WARNING: ALREADY_ENABLED: 'https' already in 'external'
2023-08-12 13:27:38 WARNING: ALREADY_ENABLED: https
2023-08-12 13:27:38 WARNING: ALREADY_ENABLED: 'https' already in 'internal'
2023-08-12 13:27:38 WARNING: ALREADY_ENABLED: https
2023-08-12 13:27:38 WARNING: ALREADY_ENABLED: 'dns' already in 'internal'
2023-08-12 13:27:38 WARNING: ALREADY_ENABLED: dns
2023-08-12 13:27:39 WARNING: ALREADY_ENABLED: 'dhcp' already in 'internal'
2023-08-12 13:27:39 WARNING: ALREADY_ENABLED: dhcp
2023-08-12 13:27:40 ERROR: INVALID_SERVICE: tor-orport
2023-08-12 13:27:40 ERROR: INVALID_SERVICE: tor-obfs3
2023-08-12 13:27:40 ERROR: INVALID_SERVICE: tor-obfs4
2023-08-12 13:28:51 ERROR: INVALID_SERVICE: tor-orport
2023-08-12 13:28:51 ERROR: INVALID_SERVICE: tor-obfs3
2023-08-12 13:28:51 ERROR: INVALID_SERVICE: tor-obfs4

Tor and Tor Proxy apps are not installed. Shouldn't firewalld know this and not attempt to set up/use an "INVALID_SERVICE"?
o sudo firewall-cmd --set-log-denied=all and sudo firewall-cmd --reload both return "success" but nothing further shows up in /var/log/firewalld when trying (from internal machine):

  ping: returns packet filtered.
  traceroute: stops at FreedomBox, last line is: !X
  fetchmail: failed: no route to host

/etc/firewalld/firewalld.conf now reflects "LogDenied=all".
sudo systemctl restart firewalld returns with no error but also has no further effect on /var/log/firewalld.

o rsyslog is not running and masked. /var/log/messages is a 0 length file.

o The new diagnostic tests all pass, including "Direct passthrough rules exist". /etc/firewall.d/direct.xml contains the rule:

<passthrough ipv="ipv4">-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT</passthrough>

Shouldn't this be the applicable one that should allow packets from inside to go out? Is it possible that the order of the rules in /etc/firewall.d/direct.xml is significant?

Where else is (or should be) firewalld putting log messages?

If the firewall is disabled (via cockpit -> Networking) everything works as expected.

Trying to figure out this problem without logs is an exercise in frustration. All the firewall-cmd commands I've tried return valid information and no errors, yet packets don't go through.

FreedomBox 23.14. I applied the manual fix: sudo apt install -t bookworm-backports freedombox for the backports to work.

Any hints?

Thanks.

Augustine

_______________________________________________
Freedombox-discuss mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/freedombox-discuss
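Added example, not from the poster or the FreedomBox project: a small Python check that reads a direct.xml in the format quoted above and lists the passthrough rules in file order per chain, flagging any -A rule that sits after a match-everything ACCEPT/DROP/REJECT rule on the same chain (iptables appends in file order, so such a rule is never reached). The direct.xml content is constructed; only the ESTABLISHED,RELATED rule comes from the message, and the parser understands only -A, -j and --reject-with, treating every other token as a match criterion.

```python
import shlex
import xml.etree.ElementTree as ET

# Constructed direct.xml for illustration (not the poster's actual file): the two
# ESTABLISHED,RELATED rules mirror the one quoted in the message; the lo rule and
# the FORWARD reject rule are invented to show how file order affects matching.
SAMPLE_DIRECT_XML = """<?xml version="1.0" encoding="utf-8"?>
<direct>
  <passthrough ipv="ipv4">-A INPUT -i lo -j ACCEPT</passthrough>
  <passthrough ipv="ipv4">-A FORWARD -j REJECT --reject-with icmp-host-prohibited</passthrough>
  <passthrough ipv="ipv4">-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT</passthrough>
  <passthrough ipv="ipv4">-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT</passthrough>
</direct>
"""

TERMINAL = {"ACCEPT", "DROP", "REJECT"}

def parse_passthroughs(xml_text):
    """Return passthrough rules in file order as (ipv, chain, target, match_tokens, text)."""
    rules = []
    for el in ET.fromstring(xml_text).iter("passthrough"):
        argv = shlex.split(el.text or "")
        chain = target = None
        matches = []
        i = 0
        while i < len(argv):
            tok = argv[i]
            if tok in ("-A", "--append") and i + 1 < len(argv):
                chain = argv[i + 1]; i += 2
            elif tok in ("-j", "--jump") and i + 1 < len(argv):
                target = argv[i + 1]; i += 2
            elif tok == "--reject-with" and i + 1 < len(argv):
                i += 2  # target option, not a match criterion
            else:
                matches.append(tok); i += 1  # anything else narrows the rule
        rules.append((el.get("ipv"), chain, target, matches, " ".join(argv)))
    return rules

def find_shadowed(rules):
    """Flag -A rules that follow a match-everything terminal rule on the same chain."""
    shadowed, blocker = [], {}
    for ipv, chain, target, matches, text in rules:
        key = (ipv, chain)
        if key in blocker:
            shadowed.append((text, blocker[key]))
        elif chain is not None and target in TERMINAL and not matches:
            blocker[key] = text
    return shadowed

if __name__ == "__main__":
    rules = parse_passthroughs(SAMPLE_DIRECT_XML)
    for ipv, chain, target, _, text in rules:
        print(f"{ipv} {chain:<8} -> {target:<7} {text}")
    for text, by in find_shadowed(rules):
        print(f"SHADOWED: {text!r} is never reached because of {by!r}")
```

Point it at a real file with `parse_passthroughs(open("/etc/firewalld/direct.xml").read())`; the per-chain listing is the same order iptables will evaluate.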
