Hello,

On 9/3/23 7:49 PM, A. F. Cano wrote:

FreedomBox testing, 23.16, completely up to date, minimal configuration (the
only thing I changed was the time zone), on an APU2.

Networking -> Firewall (via cockpit) says: "Incoming requests are blocked
by default, Outgoing requests are not blocked."

And in fact this is how it used to be in Debian 11.  In Debian 12 and 13
(current stable and testing) this is not reality.

Cockpit is developed independently of FreedomBox, and the developers of Cockpit probably
don't know that FreedomBox exists. So the messages shown are meant to be very generic,
and they apply to the computer where Cockpit is installed (which in this case is the
FreedomBox). So "outgoing requests" means a request originating from the
FreedomBox, for example, if you install an app and it downloads the package from Debian.

To keep it simple: Networking -> Firewall -> http (click on ">") says:
"This option is not required for viewing pages locally or developing web
pages".

First ambiguity: does "viewing pages locally" mean connecting to web servers
out there (such as www.debian.org) from the internal zone, or only viewing
pages that are on the internal network or on the FreedomBox?  Presumably it's
the former, but attempting to view https://www.debian.org returns "This site
can't be reached https://www.debian.org is unreachable ERR_ADDRESS_UNREACHABLE"

It means if you open a web browser on the computer that has Cockpit installed 
(FreedomBox in this case), then connecting to a web server out there such as 
www.debian.org.

This only happens with the firewall enabled.  If disabled, connecting to any
site out there works fine.

Networking -> Firewall -> https (click on ">") says:
"This option is not required for viewing pages locally or developing web
pages.  You need the httpd package installed for this option to be useful".

In addition to the same ambiguity as with http, aptitude reports that httpd
is not installed, nor is any other package with httpd in its name.

httpd is another name for Apache web server (apache2). It is called httpd on 
some other distros.

$ sudo firewall-cmd --list-all --zone=internal
internal (active)
   target: default
   icmp-block-inversion: no
   interfaces: enp3s0
   sources:
   services: dhcp dhcp6-client dns http https mdns samba-client ssh
   ports:
   protocols:
   forward: yes
   masquerade: no
   forward-ports:
   source-ports:
   icmp-blocks:
   rich rules:

$ sudo firewall-cmd --list-all --zone=external
external (active)
   target: default
   icmp-block-inversion: no
   interfaces: enp1s0
   sources:
   services: http https ssh
   ports:
   protocols:
   forward: yes
   masquerade: yes
   forward-ports:
   source-ports:
   icmp-blocks:
   rich rules:

Both say: forward: yes, so why are packets not forwarded unless the firewall
is disabled?

From internal machine:

$ traceroute www.debian.org
traceroute to www.debian.org (128.31.0.62), 30 hops max, 60 byte packets
  1  10.42.0.1 (10.42.0.1)  0.767 ms  0.787 ms  0.792 ms
  2  10.22.0.1 (10.42.0.1)  0.763 ms !X  0.792 ms !X  0.811 ms !X

!X means (per the traceroute man page) "communication administratively prohibited"

I even added "custom ports" 80, 443 to the internal zone, but it didn't
make any difference.

As with every other command that sends packets out, when the firewall is
disabled, everything works as it should.

I could really use some hints as to what additional testing might figure out
this problem.  What changed from Debian 11 to Debian 12?

HELP! It is getting really annoying having to disable the firewall before doing
anything that requires access to the outside.  It's like the firewall is in
lockdown mode.  I see the same result when I do:

$ sudo firewall-cmd --lockdown-on
success

But of course even after doing:

$ sudo firewall-cmd --lockdown-off
success

The problem remains.

I will forward any output from any command that might help diagnose this, but
all I can do is keep reading manuals, keep researching and keep testing, which
I will keep doing.  It is strange though that no one (apparently) has
encountered this issue.

Can you share the output of this command?

$ sudo firewall-cmd --permanent --list-all-policies
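An added diagnostic, not part of this thread: a POSIX shell script that reads the two listings being compared here (a zone's `--list-all` output and the `--list-all-policies` output the reply asks for) and reports whether zone-to-zone forwarding is actually permitted. It assumes firewalld 1.x semantics (the zone `forward` option only enables intra-zone forwarding, and forwarding from one zone into another needs a policy with an ACCEPT target); the policy name `internal-to-external` and its listing are constructed and only approximate the real output format.

```shell
# Constructed, abridged copy of the `--zone=internal` listing quoted above.
INTERNAL_ZONE='internal (active)
   target: default
   interfaces: enp3s0
   services: dhcp dhcp6-client dns http https mdns samba-client ssh
   forward: yes
   masquerade: no
   rich rules:'
# Constructed `--list-all-policies` output for a hypothetical policy that lets
# traffic entering via the internal zone leave via the external zone.
POLICIES='internal-to-external
  priority: -1
  target: ACCEPT
  ingress-zones: internal
  egress-zones: external'

# zone_field LISTING FIELD: print the value after "FIELD:" in a zone listing.
zone_field() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" | head -n 1
}
# forward_policy_exists POLICIES INGRESS EGRESS: succeed if some policy has
# target ACCEPT, INGRESS among its ingress zones and EGRESS among its egress zones.
forward_policy_exists() {
    printf '%s\n' "$1" | awk -v iz="$2" -v oz="$3" '
        function flush() {
            if (name != "" && target == "ACCEPT" &&
                index(ing, " " iz " ") && index(eg, " " oz " ")) found = 1
            name = ""; target = ""; ing = ""; eg = ""
        }
        /^[^[:space:]]/ { flush(); name = $1; next }
        /^[[:space:]]*target:/        { target = $2 }
        /^[[:space:]]*ingress-zones:/ { sub(/^[^:]*:[[:space:]]*/, ""); ing = " " $0 " " }
        /^[[:space:]]*egress-zones:/  { sub(/^[^:]*:[[:space:]]*/, ""); eg = " " $0 " " }
        END { flush(); exit (found ? 0 : 1) }'
}
# diagnose ZONE_LISTING POLICIES: one-line verdict on why clients behind the
# internal zone may get "!X" (administratively prohibited) through this box.
# Assumes firewalld >= 1.0 semantics: a zone's "forward: yes" only enables
# intra-zone forwarding; forwarding between two zones needs a policy.
diagnose() {
    if forward_policy_exists "$2" internal external; then
        echo "ok: a policy accepts internal->external forwarding"
    elif [ "$(zone_field "$1" forward)" = yes ]; then
        echo "no-policy: forward=yes is intra-zone only; add an internal->external ACCEPT policy"
    else
        echo "forward-off: no intra-zone forwarding and no policy"
    fi
}
diagnose "$INTERNAL_ZONE" ""          # prints the no-policy verdict
diagnose "$INTERNAL_ZONE" "$POLICIES" # prints the ok verdict
```

On a live box, feed it `sudo firewall-cmd --list-all --zone=internal` and `sudo firewall-cmd --permanent --list-all-policies` captured into variables instead of the constructed samples.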


_______________________________________________
Freedombox-discuss mailing list
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/freedombox-discuss
