Had a similar issue other day. Didn't happen with Fedora 34, but with Fedora 35 had issue. Have a 50M connection thru my cable modem, and brother has a 15M connection with his TV connection. Have a machine that connects to Cable modem via wired network and to the TV network via Wifi. In past if cable went down, the system would use the other connection. Usually route shows the cable connection with 100, and TV with 600.

Power outage in area took out access to Cable so, it changed to 2100 metric. ping and traceroute would work, but browser and email would not work. Had to physically unplug the wired connection to get wifi to work. Later the cable came back up, and it was back to the 100 metric, but system would not use it, seemed to be stuck on wifi?? Rebooted machine, and it was fine.

So, 34 and before seemed to work fine with the two connections, and handled if either went down. 35 seems to have issues?? Haven't set up a 36 machine yet. Have 5 now with 35.

Route seems to show the correct metrics, so it should switch to using other network, but didn't. Notebook is only machine connected to both networks directly, and it has squid set up to allow machine connected to TV network use the faster cable modem. Was only down for about 2 hours, so didn't do much testing.

On 8 Jul 2022 at 23:38, D. Hugh Redelmeier wrote:

Date sent: Fri, 8 Jul 2022 23:38:48 -0400 (EDT)
From: "D. Hugh Redelmeier" <hugh@xxxxxxxxxx>
To: users@xxxxxxxxxxxxxxxxxxxxxxx
Subject: firewalld problems
Send reply to: "D. Hugh Redelmeier" <hugh@xxxxxxxxxx>, Community support for Fedora users <users@xxxxxxxxxxxxxxxxxxxxxxx>

> I updated from Fedora 34 to 36 on my gateway machine.
>
> Computers on the LAN could no longer access the POP3 server.
> Somehow some service settings got lost.
>
> What else got lost in the transition?
>
> NAT/forwarding no longer works. This didn't matter because there is a
> second gateway with a much faster internet connection.
> Except it mattered today because Rogers Communications internet and phone
> service went out, across their service area in Canada. When I tried
> to use the gateway with F36, it would not work.
>
> Just as a simple example, from the LAN
>     ping external-site
> generated a "Packet filtered" response returned by the gateway.
> On the other hand this worked fine:
>     ping gw-LAN-address
> and so did
>     ping gw-public-address
>
> This looks like a problem with forwarding.
>
> googling got me this:
> <https://www.it-hure.de/2021/12/firewalld-fedora-34-35-masquerade-between-zones-not-working-anymore/>
>
> It proposed this:
>
>     firewall-cmd --permanent --new-policy policy_int_to_ext
>     firewall-cmd --permanent --policy policy_int_to_ext --add-ingress-zone public
>     firewall-cmd --permanent --policy policy_int_to_ext --add-egress-zone external
>     firewall-cmd --permanent --policy policy_int_to_ext --set-priority 100
>     firewall-cmd --permanent --policy policy_int_to_ext --set-target ACCEPT
>     firewall-cmd --permanent --zone=external --add-masquerade
>     systemctl restart firewalld
>     firewall-cmd --info-policy policy_int_to_ext
>
> I tried this (replacing "public" with the right zone for my setup).
>
> This isn't quite working. tcpdumping the gateway's external port, I
> can see the ICMP Echo Request makes it out and an ICMP Echo Reply
> comes back, but it never makes it into the LAN.
>
> Ditto for ssh.
>
> Can anyone see what I've missed?
>
> Where can I see "policy" stuff in the firewall GUI? I haven't found
> it.
>
> Another oddity. After I did the proposed firewall changes listed
> above, I dumped the netfilter rules "nft -l" and compared them with
> the previous dump. There seemed to be a certain amount of
> refactoring: there were separate functions for virbr0. Why?
>
> I no longer have confidence in the migrated firewall config.
> Is there a way to start over, as if this were a fresh installation of
> Fedora 36?
>
> I think the "policy" feature is just what I need for other problems, so it
> is great to see this addition. It seems too sparsely documented for me to
> completely understand it. Boy is "policy" an overused term in
> networking.
> _______________________________________________
> users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx
> Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure

+------------------------------------------------------------+
Michael D. Setzer II - Computer Science Instructor (Retired)
mailto:mikes@xxxxxxxx
mailto:msetzerii@xxxxxxxxx
Guam - Where America's Day Begins
G4L Disk Imaging Project maintainer
http://sourceforge.net/projects/g4l/
+------------------------------------------------------------+
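
The quoted commands only forward traffic if the policy's ingress and egress zones are zones that actually have interfaces bound on the gateway. The following is an added example, not part of either message: it cross-checks the two. The sample outputs, the interface names and the `internal` zone are constructed assumptions modelled on `firewall-cmd` output.

```shell
#!/bin/sh
# Added example: verify that a firewalld policy's ingress/egress zones are
# zones with interfaces bound. All sample text below is constructed.

# Constructed sample of `firewall-cmd --get-active-zones` output.
SAMPLE_ZONES='external
  interfaces: eth0
internal
  interfaces: eth1'

# Constructed sample of `firewall-cmd --info-policy policy_int_to_ext` output.
SAMPLE_POLICY='policy_int_to_ext (active)
  priority: 100
  target: ACCEPT
  ingress-zones: public
  egress-zones: external
  masquerade: no'

# policy_field TEXT KEY: print the value of the "  KEY: value" line.
policy_field() {
  printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" | head -n 1
}

# zone_is_active ZONES_TEXT ZONE: succeed if ZONE is one of the unindented
# zone-name lines (a trailing parenthesised marker is tolerated).
zone_is_active() {
  printf '%s\n' "$1" | sed 's/ (.*//' | grep -qx -- "$2"
}

# check_policy ZONES_TEXT POLICY_TEXT: print each problem, return the count.
check_policy() {
  _problems=0
  for _key in ingress-zones egress-zones; do
    for _zone in $(policy_field "$2" "$_key"); do
      case "$_zone" in ANY|HOST) continue ;; esac  # symbolic zones, no interface
      if ! zone_is_active "$1" "$_zone"; then
        echo "$_key: zone '$_zone' has no interface bound"
        _problems=$((_problems + 1))
      fi
    done
  done
  return "$_problems"
}

# Live use on the gateway (needs firewalld running):
#   check_policy "$(firewall-cmd --get-active-zones)" \
#                "$(firewall-cmd --info-policy policy_int_to_ext)"
check_policy "$SAMPLE_ZONES" "$SAMPLE_POLICY" || echo "policy needs attention"
```

With the constructed sample, the policy still names `public` as its ingress zone while the LAN interface sits in `internal`, so the check reports one problem.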