On 9/20/23 04:36, David C. Rankin wrote:
Archdevs,
Depending on how restrictive the iptables rules are, if the IP for archlinux-keyring-wkd-sync falls into a blocked range, the logs quickly fill. An idea is to have the service insert a temporary rule to either (1) allow the IP for the sync check, or (2) allow established, related connections while the service runs.
It may also be worth updating the wiki to provide model rules for iptables/nftables to allow archlinux-keyring-wkd-sync to run successfully.
Just food for thought.
You brought this up in Feb [1] and then as now, I don't understand what actual problem you're facing. Inbound 'blocked ranges' (SYN packets) should have no effect. Nothing is 'inbound' to your machines other than replies initiated from your machine - i.e. ESTABLISHED,RELATED. So if you're not able to get replies from arch web servers back to your own machines, then likely your firewall rules are incorrect.

As per the earlier thread, WKD is simply a "web key directory" service - so all the application is doing is pulling from a web server. Unless you're blocking outbound packets to such web servers everything should just work provided you allow arch to reply when you go to their web servers. You should not need any nftables (or legacy iptables) rules provided you allow the client machine to have access to the web servers.

One caveat would be if using nftables instead of iptables. nftables supports 2 kinds of blocks - 'netdev' and 'inet'. 'inet' are the normal blocks. 'netdev' blocks very early - and any IPs blocked at that level would not allow inbound or even replies. For anything you want to get replies for you should use 'inet' blocks not netdev. iptables didn't have netdev blocks available last I used it several years ago.

What problem do you actually have?

best
gene

[1] https://lists.archlinux.org/archives/list/arch-general@lists.archlinux.org/t...
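As an added illustration of the point made in the reply above (this is an editor's example, not a ruleset posted by either participant or shipped by Arch), here is a minimal nftables ruleset for a client host. The blocked range 198.51.100.0/24 is a constructed RFC 5737 documentation address, the table and set names are illustrative, and the interface name eth0 in the commented-out netdev section is an assumption. The order of the input chain is what matters: the ct state match accepts replies to connections this host opened, including the HTTPS fetch that archlinux-keyring-wkd-sync performs, before any source-range check is reached, so a blocked range only ever drops unsolicited traffic and never fills the log with dropped replies.

```nft
#!/usr/sbin/nft -f
# Added example ruleset, not from the thread. Assumes a workstation that
# exposes no services; table, chain and set names are illustrative.
flush ruleset

table inet filter {
    set blocked_ranges {
        type ipv4_addr
        flags interval
        elements = { 198.51.100.0/24 }   # constructed example range (RFC 5737)
    }

    chain input {
        type filter hook input priority filter; policy drop;

        # Replies to connections this host initiated (the WKD HTTPS fetch
        # included) match here and are accepted before any range check,
        # so a remote address in @blocked_ranges can still answer us.
        ct state established,related accept
        ct state invalid drop
        iif lo accept

        # Only NEW (unsolicited) packets get this far, so logging here
        # records real inbound attempts, not replies to our own requests.
        ip saddr @blocked_ranges log prefix "nft-blocked: " drop

        icmp type echo-request accept
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert, echo-request } accept
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
    }

    chain output {
        type filter hook output priority filter; policy accept;
        # Outbound HTTPS to the WKD host is all archlinux-keyring-wkd-sync
        # needs; nothing here restricts it.
    }
}

# The placement the reply warns against. The netdev ingress hook runs
# before connection tracking, so a drop here discards replies to our own
# requests as well as unsolicited packets. Left commented out on purpose;
# the device name eth0 is an assumption.
#
# table netdev early {
#     chain ingress {
#         type filter hook ingress device eth0 priority -500;
#         ip saddr 198.51.100.0/24 drop
#     }
# }
```

Load it with `nft -f` as root and confirm the ordering with `nft list chain inet filter input`; the `ct state established,related accept` line must appear above the `@blocked_ranges` drop. If the WKD fetch still fails with this in place, the cause is outside the inet filter (a netdev chain, an upstream device, or a DNS problem), not the blocked range itself.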