I updated from Fedora 34 to 36 on my gateway machine.

Computers on the LAN could no longer access the POP3 server.
Somehow some service settings got lost.

What else got lost in the transition?

NAT/forwarding no longer works.  This didn't matter because there is a
second gateway with a much faster internet connection.  Except it
mattered today because Rogers Communications internet and phone
service went out, across their service area in Canada.  When I tried
to use the gateway with F36, it would not work.

Just as a simple example, from the LAN
        ping external-site
generated a "Packet filtered" response returned by the gateway.
On the other hand this worked fine:
        ping gw-LAN-address
and so did
        ping gw-public-address

This looks like a problem with forwarding.

Googling got me this:
<https://www.it-hure.de/2021/12/firewalld-fedora-34-35-masquerade-between-zones-not-working-anymore/>

It proposed this:

        firewall-cmd --permanent --new-policy policy_int_to_ext
        firewall-cmd --permanent --policy policy_int_to_ext --add-ingress-zone public
        firewall-cmd --permanent --policy policy_int_to_ext --add-egress-zone external
        firewall-cmd --permanent --policy policy_int_to_ext --set-priority 100
        firewall-cmd --permanent --policy policy_int_to_ext --set-target ACCEPT
        firewall-cmd --permanent --zone=external --add-masquerade
        systemctl restart firewalld
        firewall-cmd --info-policy policy_int_to_ext
I tried this (replacing "public" with the right zone for my setup).

This isn't quite working.  tcpdumping the gateway's external port, I
can see the ICMP Echo Request makes it out and an ICMP Echo Reply
comes back, but it never makes it into the LAN.

Ditto for ssh.

Can anyone see what I've missed?

Where can I see "policy" stuff in the firewall GUI?  I haven't found
it.

Another oddity.  After I did the proposed firewall changes listed
above, I dumped the netfilter rules "nft -l" and compared them with
the previous dump.  There seemed to be a certain amount of
refactoring: there were separate functions for virbr0.  Why?

I no longer have confidence in the migrated firewall config.
Is there a way to start over, as if this were a fresh installation of
Fedora 36?

I think the "policy" feature is just what I need for other problems, so it 
is great to see this addition.  It seems too sparsely documented for me to 
completely understand it.  Boy is "policy" an overused term in 
networking.