Your message dated Tue, 27 Jun 2023 14:47:34 +0200
with message-id <[email protected]>
and subject line Re: firewalld: Firewalld not forwarding packets from private LAN servers
has caused the Debian Bug report #1038201,
regarding firewalld: Firewalld not forwarding packets from private LAN servers
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1038201: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1038201
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: firewalld
Version: 1.3.0-1
Severity: important
X-Debbugs-Cc: [email protected]
Dear Maintainer,
I created one Debian Bookworm server for use as a gateway for an internal network, using firewalld.
In Debian Bullseye it was as easy as installing the firewalld package (unchanged config) and:
```
sudo firewall-cmd --zone=external --add-interface=enp0s3 --permanent
sudo firewall-cmd --zone=internal --add-interface=enp0s8 --permanent
sudo firewall-cmd --reload
```
Considering enp0s3 as the "public" interface, and enp0s8 as the "private".
I have no more rules for the sake of brevity, at this moment.
Any server on the private network (only one interface, same network as enp0s8, 10.0.0.0/24) was able to do an `apt update` or a `curl http://www.debian.org/`. Packages were forwarded and masqueraded by firewalld nftables rules, but after doing the same gateway build in Bookworm, logs are filled with "filter_FWD_internal_REJECT" messages (`sudo firewall-cmd --set-log-denied=all` and `sudo journalctl -x -e`).

I tried to repeat the build using Bullseye and backports (this only changes the firewalld version from 0.9.3-2 to 1.3.0-1~bpo11+1), and it failed as described, so this is not an nftables issue but a firewalld issue. Same failure with Bookworm using Sid packages (version 1.3.3-1).

The firewalld internal and external zones are identical (`sudo firewall-cmd --zone=internal --list-all`) in all scenarios, so the issue is not coming from firewalld usage or configuration.
-- System Information:
Debian Release: 12.0
APT prefers stable-security
APT policy: (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 6.1.0-9-amd64 (SMP w/1 CPU thread; PREEMPT)
Locale: LANG=es_ES.UTF-8, LC_CTYPE=es_ES.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages firewalld depends on:
ii dbus 1.14.6-1
ii gir1.2-glib-2.0 1.74.0-3
ii gir1.2-nm-1.0 1.42.4-1
ii polkitd 122-3
ii python3 3.11.2-1+b1
ii python3-dbus 1.3.2-4+b1
ii python3-firewall 1.3.0-1
ii python3-gi 3.42.2-3+b1
ii python3-nftables 1.0.6-2
Versions of packages firewalld recommends:
ii ipset 7.17-1
ii iptables 1.8.9-2
ii python3-cap-ng 0.8.3-1+b3
firewalld suggests no packages.
-- Configuration Files:
/etc/firewalld/firewalld.conf [Errno 13] Permiso denegado:
'/etc/firewalld/firewalld.conf'
/etc/firewalld/lockdown-whitelist.xml [Errno 13] Permiso denegado:
'/etc/firewalld/lockdown-whitelist.xml'
-- no debconf information
--- End Message ---
--- Begin Message ---
On Mon, 19 Jun 2023 10:33:50 +0200 Gerard Monells <[email protected]> wrote:
> Dear Maintainer,
> The policy suggested by Andrew Simpson worked like a charm.
> Understanding that this is an upstream design decision, and not related to
> Debian, I think that this bug can be closed.
Ok, doing so.
Regards,
Michael
--- End Message ---
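The reply above says a firewalld policy fixed the forwarding, but the policy itself is not on this page. As an added example (not from the report, the reply, or the firewalld project), this is what a firewalld 1.x policy object that allows forwarding from the reporter's "internal" zone (enp0s8) to the "external" zone (enp0s3) looks like; the policy name lan-to-wan and the FWCMD dry-run hook are assumptions.

```shell
#!/bin/sh
# Added example, not from the bug report or the firewalld project.
# Forwarding between two zones in firewalld 1.x is expressed as a policy
# with an ingress zone, an egress zone and a target. Masquerading still
# comes from the "external" zone, as in the reporter's setup.
set -eu

POLICY="${POLICY:-lan-to-wan}"      # assumed policy name
FWCMD="${FWCMD:-firewall-cmd}"      # set FWCMD=echo for a dry run

# Create the policy in the permanent config and activate it with a reload.
allow_lan_to_wan() {
    "$FWCMD" --permanent --new-policy "$POLICY"
    "$FWCMD" --permanent --policy "$POLICY" --add-ingress-zone internal
    "$FWCMD" --permanent --policy "$POLICY" --add-egress-zone external
    # ACCEPT forwards everything from the LAN. To restrict the LAN, keep the
    # default target and add services or rich rules to the policy instead.
    "$FWCMD" --permanent --policy "$POLICY" --set-target ACCEPT
    "$FWCMD" --reload
}

# Print the runtime policy so the zones and target can be verified after reload.
show_policy() {
    "$FWCMD" --info-policy "$POLICY"
}

if [ "${1:-}" = "apply" ]; then
    allow_lan_to_wan
    show_policy
fi
```

Run as root with `apply` on the gateway; with `FWCMD=echo` it only prints the commands it would issue, which is useful for reviewing the change before touching the firewall.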