
Bug#1038201: firewalld: Firewalld not forwarding packets from private LAN servers


Gerard Monells

Jun 16, 2023, 8:20:05 AM
Package: firewalld
Version: 1.3.0-1
Severity: important
X-Debbugs-Cc: gerard....@gmail.com

Dear Maintainer,

I built a Debian Bookworm server for use as the gateway for an internal network, using firewalld.
In Debian Bullseye it was as easy as installing the firewalld package (unchanged config) and:

```
sudo firewall-cmd --zone=external --add-interface=enp0s3 --permanent
sudo firewall-cmd --zone=internal --add-interface=enp0s8 --permanent
sudo firewall-cmd --reload
```

Consider enp0s3 the "public" interface and enp0s8 the "private" one.
For the sake of brevity I have no other rules at this moment.

Any server on the private network (only one interface, same network as enp0s8, 10.0.0.0/24) was able to
do an `apt update` or a `curl http://www.debian.org/`. Packets were forwarded and masqueraded by
firewalld nftables rules, but after doing the same gateway build in Bookworm, the logs are filled with
"filter_FWD_internal_REJECT" messages (`sudo firewall-cmd --set-log-denied=all` and `sudo journalctl -x -e`).

I tried to repeat the build using Bullseye and backports (the only change is the firewalld version,
from 0.9.3-2 to 1.3.0-1~bpo11+1), and it failed as described, so this is not an nftables issue
but a firewalld issue. Same failure with Bookworm using Sid packages (version 1.3.3-1).

The firewalld internal and external zones are identical (`sudo firewall-cmd --zone=internal --list-all`) in
all scenarios, so the issue is not coming from firewalld usage or configuration.

-- System Information:
Debian Release: 12.0
APT prefers stable-security
APT policy: (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-9-amd64 (SMP w/1 CPU thread; PREEMPT)
Locale: LANG=es_ES.UTF-8, LC_CTYPE=es_ES.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages firewalld depends on:
ii dbus 1.14.6-1
ii gir1.2-glib-2.0 1.74.0-3
ii gir1.2-nm-1.0 1.42.4-1
ii polkitd 122-3
ii python3 3.11.2-1+b1
ii python3-dbus 1.3.2-4+b1
ii python3-firewall 1.3.0-1
ii python3-gi 3.42.2-3+b1
ii python3-nftables 1.0.6-2

Versions of packages firewalld recommends:
ii ipset 7.17-1
ii iptables 1.8.9-2
ii python3-cap-ng 0.8.3-1+b3

firewalld suggests no packages.

-- Configuration Files:
/etc/firewalld/firewalld.conf [Errno 13] Permission denied: '/etc/firewalld/firewalld.conf'
/etc/firewalld/lockdown-whitelist.xml [Errno 13] Permission denied: '/etc/firewalld/lockdown-whitelist.xml'

-- no debconf information

Andrew Simpson

Jun 19, 2023, 2:40:06 AM
Dear Maintainer,
I have struggled with this for a few days. It is not a bug, but an incompatible change in Firewalld since Bullseye.
The default policy now does not allow forwarding between zones; a policy needs to be set manually. For example:

```
firewall-cmd --permanent --new-policy allowForward
firewall-cmd --permanent --policy allowForward --set-target ACCEPT
firewall-cmd --permanent --policy allowForward --add-ingress-zone internal
firewall-cmd --permanent --policy allowForward --add-egress-zone external
firewall-cmd --reload
```

See also Firewalld Git bugs #866 and #917.
Trust that helps.
Andrew
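
The full procedure from the two posts above (zone assignment from the bug report plus the forwarding policy from this reply), as an added example that is not part of the thread or of the firewalld project. It wraps the commands in functions so the script can be dry-run on a machine without firewalld and so the resulting policy can be checked. The interface names enp0s3/enp0s8 and the policy name allowForward are taken from the thread; the `fw()` wrapper, the `FW_*` variables and the sample `--info-policy` output are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the bug report or from firewalld): build a
# firewalld 1.x gateway with an explicit one-way forwarding policy and
# verify it. Assumed names: public interface enp0s3, private interface
# enp0s8, policy allowForward; the fw()/FW_* helpers are this script's own.

FW_PUBLIC_IF="${FW_PUBLIC_IF:-enp0s3}"
FW_PRIVATE_IF="${FW_PRIVATE_IF:-enp0s8}"
FW_POLICY="${FW_POLICY:-allowForward}"

# Run firewall-cmd, or only print the command when FW_DRY_RUN=1 so the
# steps can be reviewed on a host that has no firewalld installed.
fw() {
    if [ "${FW_DRY_RUN:-0}" = 1 ]; then
        printf 'firewall-cmd %s\n' "$*"
    else
        firewall-cmd "$@"
    fi
}

# Zone assignment as on Bullseye, plus the policy firewalld 1.x requires
# before it forwards between zones. The policy is deliberately one-way:
# ingress internal -> egress external. Nothing is added for the reverse
# direction, so packets arriving on the public interface for the LAN are
# still rejected by the zone default.
configure_gateway() {
    fw --permanent --zone=external --add-interface="$FW_PUBLIC_IF"
    fw --permanent --zone=internal --add-interface="$FW_PRIVATE_IF"
    # Debian's stock external zone already masquerades; keep it explicit.
    fw --permanent --zone=external --query-masquerade >/dev/null 2>&1 ||
        fw --permanent --zone=external --add-masquerade
    # --new-policy errors if the policy already exists, so create it once.
    fw --permanent --get-policies | grep -qw "$FW_POLICY" ||
        fw --permanent --new-policy "$FW_POLICY"
    fw --permanent --policy "$FW_POLICY" --set-target ACCEPT
    fw --permanent --policy "$FW_POLICY" --add-ingress-zone internal
    fw --permanent --policy "$FW_POLICY" --add-egress-zone external
    fw --reload
}

# Parse the "key: value" lines of `firewall-cmd --info-policy NAME` (on
# stdin) and insist on exactly target ACCEPT, ingress internal, egress
# external. A wider zone list such as "internal external" would forward in
# both directions, so anything other than the exact values fails.
check_policy_info() {
    target=""; ingress=""; egress=""
    while IFS= read -r line; do
        case "$line" in
            *"target: "*)        target=${line#*target: } ;;
            *"ingress-zones: "*) ingress=${line#*ingress-zones: } ;;
            *"egress-zones: "*)  egress=${line#*egress-zones: } ;;
        esac
    done
    [ "$target" = ACCEPT ]    || { echo "target '$target', want ACCEPT" >&2; return 1; }
    [ "$ingress" = internal ] || { echo "ingress-zones '$ingress', want internal" >&2; return 1; }
    [ "$egress" = external ]  || { echo "egress-zones '$egress', want external" >&2; return 1; }
}

# Live check after configure_gateway: policy as intended and the public
# zone masquerading (--query-masquerade exits 0 for "yes").
verify_gateway() {
    fw --info-policy "$FW_POLICY" | check_policy_info &&
        fw --zone=external --query-masquerade >/dev/null
}

# Constructed sample of `firewall-cmd --info-policy allowForward` output
# (firewalld 1.3 layout), used only for the offline self-check below.
SAMPLE_POLICY_INFO='allowForward (active)
  priority: -1
  target: ACCEPT
  ingress-zones: internal
  egress-zones: external
  services: 
  masquerade: no
  rich rules: '

# Constructed counter-example: both zones on both sides, i.e. the policy
# would also forward external -> internal. check_policy_info must reject it.
SAMPLE_POLICY_BIDIR='allowForward (active)
  priority: -1
  target: ACCEPT
  ingress-zones: internal external
  egress-zones: external internal
  services: '

# Offline self-check: good sample accepted, bidirectional sample rejected,
# dry-run emits the egress-zone step. Returns 0 on success.
self_check() {
    printf '%s\n' "$SAMPLE_POLICY_INFO" | check_policy_info 2>/dev/null || return 1
    if printf '%s\n' "$SAMPLE_POLICY_BIDIR" | check_policy_info 2>/dev/null; then return 1; fi
    ( FW_DRY_RUN=1; configure_gateway ) | grep -q -- "--add-egress-zone external"
}

# Usage: FW_DRY_RUN=1 sh gateway.sh        # print the commands only
#        sudo FW_APPLY=1 sh gateway.sh     # apply and verify
if [ "${FW_APPLY:-0}" = 1 ]; then
    configure_gateway && verify_gateway
elif [ "${FW_DRY_RUN:-0}" = 1 ]; then
    configure_gateway
fi
```

Run it once with `FW_DRY_RUN=1` to read the exact firewall-cmd calls before touching a live gateway. The strict equality in `check_policy_info` is the point of the example: a forwarding policy with target ACCEPT is only as safe as its zone lists, and adding the external zone to the ingress side (or the internal zone to the egress side) quietly turns the gateway into a bidirectional forwarder.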

Gerard Monells

Jun 19, 2023, 4:40:05 AM
Dear Maintainer,

The policy suggested by Andrew Simpson worked like a charm.

Understanding that this is an upstream design decision, and not related to Debian, I think that this bug can be closed.

Thank you all and best wishes

Gerard