firewalld does not allow outbound traffic when masquerading.
I just installed trixie on my firewall. I have port forwarding set up,
running and tested from the outside. I can access services on the
server from the internal network, such as DNS. So far so good.
What I do not have is outbound traffic getting through to the outside
world. Neither tcp nor icmp work.
This is the interface to the outside world:
root@issola:~# firewall-cmd --list-all
public (default, active)
target: default
ingress-priority: 0
egress-priority: 0
icmp-block-inversion: no
interfaces: enp3s0
sources:
services: dhcpv6-client
ports:
protocols:
forward: yes
masquerade: yes
forward-ports:
port=obfuscated:proto=tcp:toport=22:toaddr=192.168.100.6
source-ports:
icmp-blocks:
rich rules:
root@issola:~#
I see a lot of outgoing traffic blocked at the firewall, e.g.:
Sep 20 21:04:43 issola kernel: filter_FWD_home_REJECT: IN=enp1s0 OUT=enp3s0 MAC=68:1d:ef:32:55:ab:f8:da:0c:4b:31:19:08:00 SRC=192.168.100.47 DST=xx.xxx.34.105 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=27402 DF PROTO=TCP SPT=49738 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
--
Does anybody read signatures any more?
https://charlescurley.com
https://charlescurley.com/blog/
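Added note, not part of the original post: the log prefix filter_FWD_home_REJECT names the zone whose forward chain rejected the packet (home, entered via enp1s0), while the listing above shows only the public zone on enp3s0; in firewalld 1.0 and later, forward: yes on a zone covers only intra-zone forwarding, and traffic from one zone out through another needs a policy between them. The POSIX sh helper below is my own example, not the poster's, and parses such log lines so the rejecting zone and interface pair can be checked against firewall-cmd; the sample line is constructed with placeholder MAC and destination addresses.

```shell
# Added example: parse a firewalld/netfilter REJECT log line and report
# which zone's forward chain dropped the packet and on which interfaces.
# Constructed sample line (placeholder MAC and destination address).
SAMPLE='Sep 20 21:04:43 issola kernel: filter_FWD_home_REJECT: IN=enp1s0 OUT=enp3s0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.100.47 DST=203.0.113.105 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=27402 DF PROTO=TCP SPT=49738 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0'

# field LINE KEY -> value of the KEY=value token in LINE (empty if absent)
field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# zone_of_prefix LINE -> zone name from a filter_FWD_<zone>_REJECT prefix
zone_of_prefix() {
    printf '%s\n' "$1" | sed -n 's/.*filter_FWD_\([^ ]*\)_REJECT:.*/\1/p'
}

# diagnose LINE -> one summary line; fails (returns 1) for non-FWD lines
diagnose() {
    zone=$(zone_of_prefix "$1")
    [ -n "$zone" ] || return 1
    printf 'zone=%s in=%s out=%s src=%s dst=%s proto=%s dpt=%s\n' \
        "$zone" "$(field "$1" IN)" "$(field "$1" OUT)" "$(field "$1" SRC)" \
        "$(field "$1" DST)" "$(field "$1" PROTO)" "$(field "$1" DPT)"
}

# summarize: read log lines on stdin and count rejected flows per
# zone/interface pair, e.g.  journalctl -k --since today | summarize
summarize() {
    while IFS= read -r line; do diagnose "$line"; done |
        cut -d' ' -f1-3 | sort | uniq -c
}

diagnose "$SAMPLE"

# Follow-up checks on the firewall host (listed, not run here): which
# zone the inbound interface really belongs to, and whether any policy
# allows forwarding from that zone to the masquerading one.
#   firewall-cmd --get-zone-of-interface enp1s0
#   firewall-cmd --get-active-zones
#   firewall-cmd --get-policies
```

With the zone and interface pair from the summary, the active-zones and policies output shows whether the inbound interface sits in a zone that has no forwarding path to public.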