FreedomBox testing, 23.16, completely up to date, minimal configuration (the only thing I changed was the time zone), on an APU2.
Networking -> Firewall (via cockpit) says: "Incoming requests are blocked by default, Outgoing requests are not blocked." And in fact this is how it used to be in Debian 11. In Debian 12 and 13 (current stable and testing) this is not reality.

To keep it simple: Networking -> Firewall -> http (click on ">") says: "This option is not required for viewing pages locally or developing web pages".

First ambiguity: does "viewing pages locally" mean connecting to web servers out there (such as www.debian.org) from the internal zone, or only viewing pages that are on the internal network or on the FreedomBox? Presumably it's the former, but attempting to view https://www.debian.org returns "This site can't be reached https://www.debian.org is unreachable ERR_ADDRESS_UNREACHABLE".

This only happens with the firewall enabled. If disabled, connecting to any site out there works fine.

Networking -> Firewall -> https (click on ">") says: "This option is not required for viewing pages locally or developing web pages. You need the httpd package installed for this option to be useful". In addition to the same ambiguity as with http, aptitude reports that httpd is not installed, nor is any other package with httpd in its name.

    $ sudo firewall-cmd --list-all --zone=internal
    internal (active)
      target: default
      icmp-block-inversion: no
      interfaces: enp3s0
      sources:
      services: dhcp dhcp6-client dns http https mdns samba-client ssh
      ports:
      protocols:
      forward: yes
      masquerade: no
      forward-ports:
      source-ports:
      icmp-blocks:
      rich-rules

    $ sudo firewall-cmd --list-all --zone=external
    external (active)
      target: default
      icmp-block-inversion: no
      interfaes: enp1s0
      sources:
      services: http https ssh
      ports:
      protocols:
      forward: yes
      masquerade: yes
      forward-ports:
      source-ports:
      icmp-blocks:
      rich rules:

Both say: forward: yes, so why are packets not forwarded unless the firewall is disabled?

From internal machine:

    $ traceroute www.debian.org
    traceroute to www.debian.org (128.31.0.62), 30 hops max, 60 byte packets
     1  10.42.0.1 (10.42.0.1)  0.767 ms  0.787 ms  0.792 ms
     2  10.22.0.1 (10.42.0.1)  0.763 ms !X  0.792 ms !X  0.811 ms !X

!X means (per the traceroute man page) "communication administratively prohibited".

I even added "custom ports" 80, 443 to the internal zone, but it didn't make any difference. As with every other command that sends packets out, when the firewall is disabled, everything works as it should.

I could really use some hints as to what additional testing might figure out this problem. What changed from Debian 11 to Debian 12?

HELP! It is getting really annoying having to disable the firewall before doing anything that requires access to the outside. It's like the firewall is in lockdown mode. I see the same result when I do:

    $ sudo firewall-cmd --lockdown-on
    success

But of course even after doing:

    $ sudo firewall-cmd --lockdown-off
    success

The problem remains.

I will forward any output from any command that might help diagnose this, but all I can do is keep reading manuals, keep researching and keep testing, which I will keep doing. It is strange though that no one (apparently) has encountered this issue.

Augustine

_______________________________________________
Freedombox-discuss mailing list
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/freedombox-discuss
