- Create new policy that allows forwarding between zones.
See: https://bugzilla.redhat.com/show_bug.cgi?id=2016864#c8
- Increment version to perform setup on upgrade.
Closes: #2355
Tests:
- Build freedombox package, and install on top of Bookworm VM The
firewall setup is performed. firewall-cmd lists the fbx_int_to_ext_fwd
policy, masquerade on external zone, and forward on internal zone.
Not tested:
- I did not test forwarding traffic from external to internal zone.
However, several users have reported following these instructions on
the forum, and that it solved the issue for them.
Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
[sunil: Minor refactors for readability]
[sunil: Ensure that operation is idempotent]
[sunil: Reload instead of restarting firewalld]
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
Helps: #2410.
- Ensure that diagnostics methods and parameters are type checked so that we can
catch any potential issues.
- Move plinth/modules/diagnostics/check.py to plinth/diagnostic_check.py to
avoid many circular dependencies created. This is due to
plinth.modules.diagnostics automatically imported when
plinth.modules.diagnostics.check is imported. Also app.py is already (type)
dependent on diagnostic_check due to diagnose() method. To make the Check
classes independent of diagnostic module is okay.
Tests:
- Run make check-type.
- Run full diagnostics with following apps installed: torproxy, tor.
- Test to netcat to 9051 in tor works.
- Test 'port available for internal/external networks' in firewall works.
- Test 'Package is latest' works.
- Test 'Access url with proxy' in privoxy works.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
[jvalleroy: Also move tests for diagnostic_check]
Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
Check that there are at least 12 direct passthroughs.
Tests:
- The diagnostic is passed.
- Manually remove a direct passthrough. The diagnostic is failed.
Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
Tests:
- Change the backend to iptables, and restart firewalld. The diagnostic
is failed.
- Change the backend back to nftables, and restart firewalld. The
diagnostic is passed.
Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
[sunil: Use augeas transform operation]
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
Tests:
- Change the firewalld default zone to public, and restart firewalld.
The diagnostic is failed.
- Change the default zone back to external, and restart firewalld. The
diagnostic is passed.
Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
Tests:
- On a fresh container, run FreedomBox service. Notice that firewall app setup
succeeds. Base setup rules are inserted into the nftables as checked with 'nft
list ruleset ip' and 'nft list ruleset ipv6'.
- When firewalld is restarted or reloaded, the rules are still present.
- When machine is restarted, the rules are still present.
- Without the patch, setup a container. Then apply patches and restart
FreedomBox service. App setup runs again however, duplicate rules are listed in
nftables as checked with 'nft list ruleset ip' and 'nft list ruleset ipv6'.
- Increment setup version of the firewall app manually and repeat the test.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- If a daemon is not-running, we already show an error message to the user. Use
that mechanism instead of the custom one.
Tests:
- Functional tests work.
- Initial setup for firewall on first boot works.
- Default zone of the firewalld is set to external in /etc/firewalld.conf
- Status of various apps is shown properly in the app page
- If firewalld is not running, the app page is still displayed properly and
message that firewalld is not running is shown.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
