firewall: internal shared networks not forwarding IPv4
Running Debian GNU/Linux bookworm/sid and FreedomBox version 21.8. FreedomBox is up to date.
- I sometimes do a `dist-upgrade`, which I should not do.

Trouble with internal networks
- A local device gets an IPv4 address automatically, but internet access is not available (filtered).
NetworkManager journal
```
journalctl -S "2021-09-15 16:18:49" -U "2021-09-15 16:19:54" -u NetworkManager
-- Journal begins at Sun 2021-08-22 06:38:35 CEST, ends at Fri 2021-09-17 11:08:50 CEST. --
sept. 15 16:18:49 fbx-m1m NetworkManager[427]: <info> [1631715529.1844] device (wlx6cfdb9b29bcb): Activation: starting connection 'Wi-Fi-1' (25b709af-7b6c-41b2-8216-7a7628af3899)
sept. 15 16:18:49 fbx-m1m NetworkManager[427]: <info> [1631715529.1863] audit: op="connection-activate" uuid="25b709af-7b6c-41b2-8216-7a7628af3899" name="Wi-Fi-1" pid=474 uid=110 result="success"
sept. 15 16:18:49 fbx-m1m NetworkManager[427]: <info> [1631715529.1941] device (wlx6cfdb9b29bcb): state change: disconnected -> prepare (reason 'none', sys-iface-state: 'managed')
sept. 15 16:18:49 fbx-m1m NetworkManager[427]: <info> [1631715529.3045] device (wlx6cfdb9b29bcb): set-hw-addr: reset MAC address to 6C:FD:B9:B2:9B:CB (preserve)
sept. 15 16:18:49 fbx-m1m NetworkManager[427]: <info> [1631715529.5796] device (wlx6cfdb9b29bcb): state change: prepare -> config (reason 'none', sys-iface-state: 'managed')
sept. 15 16:18:49 fbx-m1m NetworkManager[427]: <info> [1631715529.6037] device (wlx6cfdb9b29bcb): Activation: (wifi) access point 'Wi-Fi-1' has security, but secrets are required.
sept. 15 16:18:49 fbx-m1m NetworkManager[427]: <info> [1631715529.6041] device (wlx6cfdb9b29bcb): state change: config -> need-auth (reason 'none', sys-iface-state: 'managed')
sept. 15 16:18:49 fbx-m1m NetworkManager[427]: <info> [1631715529.6515] device (wlx6cfdb9b29bcb): supplicant interface state: disconnected -> interface_disabled
sept. 15 16:18:49 fbx-m1m NetworkManager[427]: <info> [1631715529.6521] device (p2p-dev-wlx6cfdb9b29bcb): supplicant management interface state: disconnected -> interface_disabled
sept. 15 16:18:49 fbx-m1m NetworkManager[427]: <info> [1631715529.6531] device (wlx6cfdb9b29bcb): supplicant interface state: interface_disabled -> disconnected
sept. 15 16:18:49 fbx-m1m NetworkManager[427]: <info> [1631715529.6537] device (p2p-dev-wlx6cfdb9b29bcb): supplicant management interface state: interface_disabled -> disconnected
sept. 15 16:18:49 fbx-m1m NetworkManager[427]: <info> [1631715529.8325] device (wlx6cfdb9b29bcb): state change: need-auth -> prepare (reason 'none', sys-iface-state: 'managed')
sept. 15 16:18:49 fbx-m1m NetworkManager[427]: <info> [1631715529.8893] device (wlx6cfdb9b29bcb): state change: prepare -> config (reason 'none', sys-iface-state: 'managed')
sept. 15 16:18:49 fbx-m1m NetworkManager[427]: <info> [1631715529.8965] device (wlx6cfdb9b29bcb): Activation: (wifi) connection 'Wi-Fi-1' has security, and secrets exist. No new secrets needed.
sept. 15 16:18:49 fbx-m1m NetworkManager[427]: <info> [1631715529.9008] Config: added 'ssid' value 'fbx-sous-sol'
sept. 15 16:18:49 fbx-m1m NetworkManager[427]: <info> [1631715529.9014] Config: added 'mode' value '2'
sept. 15 16:18:49 fbx-m1m NetworkManager[427]: <info> [1631715529.9016] Config: added 'frequency' value '2412'
sept. 15 16:18:49 fbx-m1m NetworkManager[427]: <info> [1631715529.9020] Config: added 'key_mgmt' value 'WPA-PSK WPA-PSK-SHA256 FT-PSK'
sept. 15 16:18:49 fbx-m1m NetworkManager[427]: <info> [1631715529.9023] Config: added 'psk' value '<hidden>'
sept. 15 16:18:50 fbx-m1m NetworkManager[427]: <info> [1631715530.5595] device (wlx6cfdb9b29bcb): supplicant interface state: disconnected -> completed
sept. 15 16:18:50 fbx-m1m NetworkManager[427]: <info> [1631715530.5612] device (wlx6cfdb9b29bcb): Activation: (wifi) Stage 2 of 5 (Device Configure) successful. Started Wi-Fi Hotspot "fbx-sous-sol"
sept. 15 16:18:50 fbx-m1m NetworkManager[427]: <info> [1631715530.5627] device (p2p-dev-wlx6cfdb9b29bcb): supplicant management interface state: disconnected -> completed
sept. 15 16:18:50 fbx-m1m NetworkManager[427]: <info> [1631715530.9101] device (wlx6cfdb9b29bcb): state change: config -> ip-config (reason 'none', sys-iface-state: 'managed')
sept. 15 16:18:51 fbx-m1m NetworkManager[427]: <info> [1631715531.4697] Executing: /usr/sbin/iptables --table filter --insert INPUT --in-interface wlx6cfdb9b29bcb --protocol tcp --destination-port 53 --jump ACCEPT
sept. 15 16:18:51 fbx-m1m NetworkManager[427]: <info> [1631715531.5419] Executing: /usr/sbin/iptables --table filter --insert INPUT --in-interface wlx6cfdb9b29bcb --protocol udp --destination-port 53 --jump ACCEPT
sept. 15 16:18:51 fbx-m1m NetworkManager[427]: <info> [1631715531.5778] Executing: /usr/sbin/iptables --table filter --insert INPUT --in-interface wlx6cfdb9b29bcb --protocol tcp --destination-port 67 --jump ACCEPT
sept. 15 16:18:51 fbx-m1m NetworkManager[427]: <info> [1631715531.6137] Executing: /usr/sbin/iptables --table filter --insert INPUT --in-interface wlx6cfdb9b29bcb --protocol udp --destination-port 67 --jump ACCEPT
sept. 15 16:18:51 fbx-m1m NetworkManager[427]: <info> [1631715531.6480] Executing: /usr/sbin/iptables --table filter --insert FORWARD --in-interface wlx6cfdb9b29bcb --jump REJECT
sept. 15 16:18:51 fbx-m1m NetworkManager[427]: <info> [1631715531.6775] Executing: /usr/sbin/iptables --table filter --insert FORWARD --out-interface wlx6cfdb9b29bcb --jump REJECT
sept. 15 16:18:51 fbx-m1m NetworkManager[427]: <info> [1631715531.7014] Executing: /usr/sbin/iptables --table filter --insert FORWARD --in-interface wlx6cfdb9b29bcb --out-interface wlx6cfdb9b29bcb --jump ACCEPT
sept. 15 16:18:51 fbx-m1m NetworkManager[427]: <info> [1631715531.7267] Executing: /usr/sbin/iptables --table filter --insert FORWARD --source 10.42.1.0/255.255.255.0 --in-interface wlx6cfdb9b29bcb --jump ACCEPT
sept. 15 16:18:51 fbx-m1m NetworkManager[427]: <info> [1631715531.7542] Executing: /usr/sbin/iptables --table filter --insert FORWARD --destination 10.42.1.0/255.255.255.0 --out-interface wlx6cfdb9b29bcb --match state --state ESTABLISHED,RELATED --jump ACCEPT
sept. 15 16:18:51 fbx-m1m NetworkManager[427]: <info> [1631715531.8493] Executing: /usr/sbin/iptables --table nat --insert POSTROUTING --source 10.42.1.0/255.255.255.0 ! --destination 10.42.1.0/255.255.255.0 --jump MASQUERADE
sept. 15 16:18:51 fbx-m1m NetworkManager[427]: <info> [1631715531.8878] dnsmasq-manager: starting dnsmasq...
sept. 15 16:18:52 fbx-m1m NetworkManager[427]: <info> [1631715532.0609] device (wlx6cfdb9b29bcb): state change: ip-config -> ip-check (reason 'none', sys-iface-state: 'managed')
sept. 15 16:18:52 fbx-m1m dnsmasq[5277]: demarré, version 2.85 (taille de cache 150)
sept. 15 16:18:52 fbx-m1m dnsmasq[5277]: options à la compilation : IPv6 GNU-getopt DBus no-UBus i18n IDN2 DHCP DHCPv6 no-Lua TFTP conntrack ipset auth cryptohash DNSSEC loop-detect inotify dumpfile
sept. 15 16:18:52 fbx-m1m dnsmasq[5277]: chown of PID file /run/nm-dnsmasq-wlx6cfdb9b29bcb.pid failed: Opération non permise
sept. 15 16:18:52 fbx-m1m dnsmasq-dhcp[5277]: DHCP, plage d'adresses IP 10.42.1.10 -- 10.42.1.254, durée de bail 1h
sept. 15 16:18:52 fbx-m1m dnsmasq[5277]: Lecture de /etc/resolv.conf
sept. 15 16:18:52 fbx-m1m dnsmasq[5277]: utilise le serveur de nom 192.168.0.254#53
sept. 15 16:18:52 fbx-m1m dnsmasq[5277]: cache vidé
sept. 15 16:18:52 fbx-m1m NetworkManager[427]: <info> [1631715532.4026] device (wlx6cfdb9b29bcb): state change: ip-check -> secondaries (reason 'none', sys-iface-state: 'managed')
sept. 15 16:18:52 fbx-m1m NetworkManager[427]: <info> [1631715532.4079] device (wlx6cfdb9b29bcb): state change: secondaries -> activated (reason 'none', sys-iface-state: 'managed')
sept. 15 16:18:52 fbx-m1m NetworkManager[427]: <info> [1631715532.4567] device (wlx6cfdb9b29bcb): Activation: successful, device activated.
sept. 15 16:19:53 fbx-m1m dnsmasq-dhcp[5277]: DHCPDISCOVER(wlx6cfdb9b29bcb) 3c:bb:fd:60:6e:3f
sept. 15 16:19:53 fbx-m1m dnsmasq-dhcp[5277]: DHCPOFFER(wlx6cfdb9b29bcb) 10.42.1.73 3c:bb:fd:60:6e:3f
sept. 15 16:19:53 fbx-m1m dnsmasq-dhcp[5277]: DHCPREQUEST(wlx6cfdb9b29bcb) 10.42.1.73 3c:bb:fd:60:6e:3f
sept. 15 16:19:53 fbx-m1m dnsmasq-dhcp[5277]: DHCPACK(wlx6cfdb9b29bcb) 10.42.1.73 3c:bb:fd:60:6e:3f
```
NetworkManager Wi-Fi-1 connection
```
nmcli co sh Wi-Fi-1
connection.id: Wi-Fi-1
connection.uuid: e86d3356-c643-426b-9adb-0d78af2c9e3e
connection.stable-id: --
connection.type: 802-11-wireless
connection.interface-name: wlx6cfdb9b29bcb
connection.autoconnect: oui
connection.autoconnect-priority: 0
connection.autoconnect-retries: -1 (default)
connection.multi-connect: 0 (default)
connection.auth-retries: -1
connection.timestamp: 1631869127
connection.read-only: non
connection.permissions: --
connection.zone: internal
connection.master: --
connection.slave-type: --
connection.autoconnect-slaves: -1 (default)
connection.secondaries: --
connection.gateway-ping-timeout: 0
connection.metered: inconnu
connection.lldp: default
connection.mdns: -1 (default)
connection.llmnr: -1 (default)
connection.wait-device-timeout: -1
802-11-wireless.ssid: fbx-sous-sol
802-11-wireless.mode: ap
802-11-wireless.band: --
802-11-wireless.channel: 0
802-11-wireless.bssid: --
802-11-wireless.rate: 0
802-11-wireless.tx-power: 0
802-11-wireless.mac-address: --
802-11-wireless.cloned-mac-address: --
802-11-wireless.generate-mac-address-mask:--
802-11-wireless.mac-address-blacklist: --
802-11-wireless.mac-address-randomization:default
802-11-wireless.mtu: auto
802-11-wireless.seen-bssids: 6C:FD:B9:B2:9B:CB
802-11-wireless.hidden: non
802-11-wireless.powersave: 0 (default)
802-11-wireless.wake-on-wlan: 0x1 (default)
802-11-wireless.ap-isolation: -1 (default)
802-11-wireless-security.key-mgmt: wpa-psk
802-11-wireless-security.wep-tx-keyidx: 0
802-11-wireless-security.auth-alg: --
802-11-wireless-security.proto: --
802-11-wireless-security.pairwise: --
802-11-wireless-security.group: --
802-11-wireless-security.pmf: 0 (default)
802-11-wireless-security.leap-username: --
802-11-wireless-security.wep-key0: <hidden>
802-11-wireless-security.wep-key1: <hidden>
802-11-wireless-security.wep-key2: <hidden>
802-11-wireless-security.wep-key3: <hidden>
802-11-wireless-security.wep-key-flags: 0 (aucun)
802-11-wireless-security.wep-key-type: unknown
802-11-wireless-security.psk: <hidden>
802-11-wireless-security.psk-flags: 0 (aucun)
802-11-wireless-security.leap-password: <hidden>
802-11-wireless-security.leap-password-flags:0 (aucun)
802-11-wireless-security.wps-method: 0x0 (default)
802-11-wireless-security.fils: 0 (default)
ipv4.method: shared
ipv4.dns: --
ipv4.dns-search: --
ipv4.dns-options: --
ipv4.dns-priority: 0
ipv4.addresses: --
ipv4.gateway: --
ipv4.routes: --
ipv4.route-metric: -1
ipv4.route-table: 0 (unspec)
ipv4.routing-rules: --
ipv4.ignore-auto-routes: non
ipv4.ignore-auto-dns: non
ipv4.dhcp-client-id: --
ipv4.dhcp-iaid: --
ipv4.dhcp-timeout: 0 (default)
ipv4.dhcp-send-hostname: oui
ipv4.dhcp-hostname: --
ipv4.dhcp-fqdn: --
ipv4.dhcp-hostname-flags: 0x0 (none)
ipv4.never-default: non
ipv4.may-fail: oui
ipv4.dad-timeout: -1 (default)
ipv4.dhcp-vendor-class-identifier: --
ipv4.dhcp-reject-servers: --
ipv6.method: ignore
ipv6.dns: --
ipv6.dns-search: --
ipv6.dns-options: --
ipv6.dns-priority: 0
ipv6.addresses: --
ipv6.gateway: --
ipv6.routes: --
ipv6.route-metric: -1
ipv6.route-table: 0 (unspec)
ipv6.routing-rules: --
ipv6.ignore-auto-routes: non
ipv6.ignore-auto-dns: non
ipv6.never-default: non
ipv6.may-fail: oui
ipv6.ip6-privacy: -1 (unknown)
ipv6.addr-gen-mode: stable-privacy
ipv6.ra-timeout: 0 (default)
ipv6.dhcp-duid: --
ipv6.dhcp-iaid: --
ipv6.dhcp-timeout: 0 (default)
ipv6.dhcp-send-hostname: oui
ipv6.dhcp-hostname: --
ipv6.dhcp-hostname-flags: 0x0 (none)
ipv6.token: --
proxy.method: none
proxy.browser-only: non
proxy.pac-url: --
proxy.pac-script: --
GENERAL.NAME: Wi-Fi-1
GENERAL.UUID: e86d3356-c643-426b-9adb-0d78af2c9e3e
GENERAL.DEVICES: wlx6cfdb9b29bcb
GENERAL.IP-IFACE: wlx6cfdb9b29bcb
GENERAL.STATE: activé
GENERAL.DEFAULT: non
GENERAL.DEFAULT6: non
GENERAL.SPEC-OBJECT: /org/freedesktop/NetworkManager/AccessPoint/11
GENERAL.VPN: non
GENERAL.DBUS-PATH: /org/freedesktop/NetworkManager/ActiveConnection/5
GENERAL.CON-PATH: /org/freedesktop/NetworkManager/Settings/6
GENERAL.ZONE: internal
GENERAL.MASTER-PATH: --
IP4.ADDRESS[1]: 10.42.0.1/24
IP4.GATEWAY: --
IP4.ROUTE[1]: dst = 10.42.0.0/24, nh = 0.0.0.0, mt = 600
IP6.ADDRESS[1]: fe80::6efd:b9ff:feb2:9bcb/64
IP6.GATEWAY: --
IP6.ROUTE[1]: dst = fe80::/64, nh = ::, mt = 256
```
Firewall internal zone
```
sudo firewall-cmd --permanent --zone=internal --list-all
internal (active)
target: default
icmp-block-inversion: no
interfaces: wlx6cfdb9b29bcb
sources:
services: coturn-freedombox dhcp dhcpv6-client dns http https matrix-synapse-plinth mdns mumble-plinth quassel-plinth samba-client ssh tor-obfs3 tor-obfs4 tor-orport tor-socks transmission-client xmpp-bosh xmpp-client xmpp-server
ports:
protocols:
forward: no
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
```
I don't remember well; I may have given a bad answer during the last manual dist-upgrade around firewalld, via the ssh CLI.
Could `forward: no` (firewalld) cause the trouble I observed?
Edited by Fred Le Meur
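As an added diagnostic example (not code from the post, and not FreedomBox's own code), the script below cross-checks the three things the post pasted: the `nmcli` connection (is it `ipv4.method: shared`, and which zone and interface does it use?), the firewalld zone dump (is the interface really in that zone, and what are `forward` and `masquerade` set to?), and the `Executing: /usr/sbin/iptables ...` lines NetworkManager logged while bringing the hotspot up (did NM install its own `MASQUERADE` rule?). The three inputs are constructed, abridged copies of the outputs in the post; the field names are the real nmcli, firewall-cmd and NetworkManager ones, while the finding codes such as `ZONE_FORWARD_OFF` are this script's own vocabulary. One caveat: firewalld's zone `forward` option governs forwarding between interfaces that belong to the same zone, so a checker like this can only flag the setting the post asks about, not prove it is the cause on the real machine.

```python
#!/usr/bin/env python3
"""Cross-check a NetworkManager 'shared' connection against the firewalld zone
its interface sits in and the iptables rules NM logged while activating it.

Added example, not code from the post or from FreedomBox. The sample inputs are
constructed, abridged copies of the outputs pasted in the post; the finding
codes are this script's own (assumed) vocabulary."""
import re

# Constructed: abridged from the post's `nmcli co sh Wi-Fi-1` output.
NMCLI_OUTPUT = """\
connection.id: Wi-Fi-1
connection.interface-name: wlx6cfdb9b29bcb
connection.zone: internal
ipv4.method: shared
ipv6.method: ignore
IP4.ADDRESS[1]: 10.42.0.1/24
"""

# Constructed: abridged from the post's `firewall-cmd --zone=internal --list-all` output.
ZONE_OUTPUT = """\
internal (active)
target: default
interfaces: wlx6cfdb9b29bcb
services: dhcp dhcpv6-client dns ssh
forward: no
masquerade: no
"""

# Constructed: three of the NetworkManager "Executing:" journal lines from the post.
JOURNAL = """\
sept. 15 16:18:51 fbx-m1m NetworkManager[427]: <info> [1631715531.6480] Executing: /usr/sbin/iptables --table filter --insert FORWARD --in-interface wlx6cfdb9b29bcb --jump REJECT
sept. 15 16:18:51 fbx-m1m NetworkManager[427]: <info> [1631715531.7267] Executing: /usr/sbin/iptables --table filter --insert FORWARD --source 10.42.1.0/255.255.255.0 --in-interface wlx6cfdb9b29bcb --jump ACCEPT
sept. 15 16:18:51 fbx-m1m NetworkManager[427]: <info> [1631715531.8493] Executing: /usr/sbin/iptables --table nat --insert POSTROUTING --source 10.42.1.0/255.255.255.0 ! --destination 10.42.1.0/255.255.255.0 --jump MASQUERADE
"""

EXEC_RE = re.compile(r"Executing: (\S*ip6?tables) (.*)$")


def parse_kv(text):
    """Turn 'key: value' lines (both nmcli and firewall-cmd print this shape) into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def is_yes(value):
    """nmcli prints localized booleans ('oui'/'non' in the post); firewall-cmd prints yes/no."""
    return value.strip().lower() in ("yes", "oui", "true")


def _arg_after(args, flag, default):
    """Value following an iptables flag in its argument list, or a default if absent."""
    return args[args.index(flag) + 1] if flag in args else default


def nm_rules(journal_text):
    """Return (table, chain, target) for every iptables rule NetworkManager logged."""
    rules = []
    for line in journal_text.splitlines():
        m = EXEC_RE.search(line)
        if m:
            args = m.group(2).split()
            rules.append((_arg_after(args, "--table", "filter"),
                          _arg_after(args, "--insert", "?"),
                          _arg_after(args, "--jump", "?")))
    return rules


def check(nmcli_text, zone_text, journal_text):
    """Return a list of (code, message) findings; an empty list means nothing stood out."""
    conn = parse_kv(nmcli_text)
    zone = parse_kv(zone_text)
    rules = nm_rules(journal_text)
    findings = []
    iface = conn.get("connection.interface-name", "")
    zone_name = conn.get("connection.zone", "?")
    if iface and iface not in zone.get("interfaces", "").split():
        findings.append(("IFACE_NOT_IN_ZONE",
                         f"{iface} is not listed in the zone's interfaces"))
    if conn.get("ipv4.method") != "shared":
        return findings  # the remaining checks only matter for a NAT-sharing connection
    if not is_yes(zone.get("forward", "no")):
        findings.append(("ZONE_FORWARD_OFF",
                         f"zone '{zone_name}' has forward: no (intra-zone forwarding disabled) "
                         f"while {iface} is an ipv4.method=shared interface"))
    if ("nat", "POSTROUTING", "MASQUERADE") not in rules:
        findings.append(("NM_MASQ_MISSING",
                         "NetworkManager logged no MASQUERADE rule for this activation"))
    elif not is_yes(zone.get("masquerade", "no")):
        findings.append(("ZONE_MASQ_OFF",
                         f"zone '{zone_name}' has masquerade: no, but NetworkManager installed "
                         "its own nat/POSTROUTING MASQUERADE rule, so NAT is done by NM"))
    return findings


if __name__ == "__main__":
    for code, message in check(NMCLI_OUTPUT, ZONE_OUTPUT, JOURNAL):
        print(f"{code}: {message}")
```

On a live system the same functions can be fed the real outputs of `nmcli co sh <name>`, `firewall-cmd --zone=<zone> --list-all` and `journalctl -u NetworkManager` instead of the embedded samples. The `is_yes` helper accepts `oui` as well as `yes` because nmcli localizes its booleans, as the post's French output shows.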