Had a similar issue other day. Didn't happen with Fedora
34, but with Fedora 35 had issue.
Have a 50M connection thru my cable modem, and
brother has a 15M connection with his TV connection.
Have a machine that connects to Cable modem via wired
network and to the TV network via Wifi. In past if cable
went down, the system would use the other connection.
Usually route shows the cable connection with 100, and
TV with 600. Power outage in area took out access to
Cable so, it changed to 2100 metric. ping and traceroute
would work, but browser and email would not work. Had
to physically unplug the wired connection to get wifi to
work. Later the cable came back up, and it was back to
the 100 metric, but system would not use it, seemed to be
stuck on wifi?? Rebooted machine, and it was fine.
So, 34 and before seemed to work fine with the two
connections, and handled if either went down. 35 seems
to have issues?? Haven't setup a 36 machine yet. Have 5
now with 35. Route seems to show the correct metrics, so
it should switch to using other network, but didn't.
Notebook is only machine connected to both networks
directly, and it has squid setup to allow machine
connected to TV network use the faster cable modem.
Was only down for about 2 hours, so didn't do much
testing.
On 8 Jul 2022 at 23:38, D. Hugh Redelmeier wrote:
Date sent: Fri, 8 Jul 2022 23:38:48 -0400 (EDT)
From: "D. Hugh Redelmeier"
<hugh(a)mimosa.com>
To: users(a)lists.fedoraproject.org
Subject: firewalld problems
Send reply to: "D. Hugh Redelmeier"
<hugh(a)mimosa.com>, Community support for Fedora
users <users(a)lists.fedoraproject.org>
I updated from Fedora 34 to 36 on my gateway machine.
Computers on the LAN could no longer access the POP3 server.
Somehow some service settings got lost.
What else got lost in the transition?
NAT/forwarding no longer works. This didn't matter because there is a
second gateway with a much faster internet connection. Except it
mattered today because Rogers Communications internet and phone
service went out, across their service area in Canada. When I tried
to use the gateway with F36, it would not work.
Just as a simple example, from the LAN
ping external-site
generated a "Packet filtered" response returned by the gateway.
On the other hand this worked fine:
ping gw-LAN-address
and so did
ping gw-public-address
This looks like a problem with forwarding.
googling got me this:
<https://www.it-hure.de/2021/12/firewalld-fedora-34-35-masquerade-between-...
It proposed this:
firewall-cmd --permanent --new-policy policy_int_to_ext
firewall-cmd --permanent --policy policy_int_to_ext --add-ingress-zone public
firewall-cmd --permanent --policy policy_int_to_ext --add-egress-zone external
firewall-cmd --permanent --policy policy_int_to_ext --set-priority 100
firewall-cmd --permanent --policy policy_int_to_ext --set-target ACCEPT
firewall-cmd --permanent --zone=external --add-masquerade
systemctl restart firewalld
firewall-cmd --info-policy policy_int_to_ext
I tried this (replacing "public" with the right zone for my setup).
This isn't quite working. tcpdumping the gateway's external port, I
can see the ICMP Echo Request makes it out and an ICMP Echo Reply
comes back, but it never makes it into the LAN.
Ditto for ssh.
Can anyone see what I've missed?
Where can I see "policy" stuff in the firewall GUI? I haven't found
it.
Another oddity. After I did the proposed firewall changes listed
above, I dumped the netfilter rules "nft -l" and compared them with
the previous dump. There seemed to be a certain amount of
refactoring: there were separate functions for virbr0. Why?
I no longer have confidence in the migrated firewall config.
Is there a way to start over, as if this were a fresh installation of
Fedora 36.
I think the "policy" feature is just what I need for other problems, so it
is great to see this addition. It seems too sparsely documented for me to
completely understand it. Boy is "policy" an overused term in
networking.
+------------------------------------------------------------+
Michael D. Setzer II - Computer Science Instructor
(Retired)
mailto:mikes@guam.net
mailto:msetzerii@gmail.com
Guam - Where America's Day Begins
G4L Disk Imaging Project maintainer
http://sourceforge.net/projects/g4l/
+------------------------------------------------------------+