Debian 12 (Bookworm) release and upgrading

Debian 12 (Bookworm), the next stable version of Debian, is planned to be released on 2023-06-10 [1].

FreedomBox can update itself to use the new version of Debian after it is released. To enable this feature, on the System → Update page, ensure that both “Enable auto-update” and “Enable auto-update to next stable release” options are enabled. Note that there must also be 5 GB free space on the system disk, in order for the automatic update to proceed. See the manual page [2] for more details.

Before the automatic update to the next release starts, it is recommended to have the following in place:

  • Backups, stored to a remote location or secondary disk.
  • Storage Snapshots

[1] bookworm release planned on 2023-06-10 and the last weeks up to the release
[2] FreedomBox/Manual/Upgrades - Debian Wiki



Set yourself up for success going into the release upgrade cycle if you are using, “auto-update to next stable release.”

  • Plug your Freedombox in to AC Power
  • Plug in an ethernet cable to your Freedombox if you have that option
  • Commit to not changing configuration or packages until the upgrade completes, you may otherwise use your Freedombox normally.
  • Monitor the upgrade process if you want to
    • You may see a notification in Plinth that the bookworm release update is in progress
    • You may notice sustained high CPU usage and diminished performance during the upgrade
    • The upgrade may take days to complete
    • Services may get curtailed during the upgrade as the package and dependencies are upgraded. They will restart when the upgrade completes

Don’t touch it.

Be patient. It takes my Freedombox maybe two days to grind through a release upgrade. It will reboot when it finishes and you’ll have the upgrade notification in plinth.

See you on the other side!


Bookworm Release Announcement has some things to be aware of.

GRUB for Dual-Boot Users

GRUB packages will by default no longer run os-prober for other operating systems.


Are we good here, @jvalleroy ?

5.1.9. slapd upgrade may require manual intervention

OpenLDAP 2.5 is a major new release and includes several incompatible changes as described in the upstream release announcement. Depending on the configuration, the slapd service might remain stopped after the upgrade, until necessary configuration updates are completed.

The following are some of the known incompatible changes:

  • The slapd-bdb(5) and slapd-hdb(5) database backends have been removed. If you are using one of these backends under bullseye, it is strongly recommended to migrate to the slapd-mdb(5) backend before upgrading to bookworm.
  • The slapd-shell(5) database backend has been removed.
  • The slapo-ppolicy(5) overlay now includes its schema compiled into the module. The old external schema, if present, conflicts with the new built-in one.
  • The pw-argon2 contrib password module has been renamed to argon2.

Instructions for completing the upgrade and resuming the slapd service can be found in /usr/share/doc/slapd/README.Debian.gz. You should also consult the upstream upgrade notes.

IPtables install failure bug

If you use Freedombox for router and firewall and it does not work after bookworm upgrade, look into this bug.

Check for the existence of these files if you have a problem. If some are missing you may be experiencing this bug. I think you are likely to see /sbin/iptables, but none of the others.


non-free firmware is moved to its own repository.

You may need to modify /etc/apt/sources.list to get all of your hardware working ship-shape. Non-free firmware used to live in ‘non-free’, but now will live in, ‘non-free-firmware’.


We don’t use iptables. We have shifted to nftables (‘nft’ command) backend for firewalld in the previous stable release bullseye. We also don’t use any of the iptables commands directly.

1 Like

I just spent 2 hours figuring out what went wrong with my automatic upgrade.

My router just completely stopped working at midnight local time.

I noticed the Debian 12 upgrade and purged the iptables bits based on the earlier response, but nothing seemed to work.

Packets were no longer being forwarded.

Thanks to a Fedora bugzilla report, I finally have my router working again.

Hopefully, others will find this helpful.

How did this get missed?

1 Like

Sorry but I am completly ignorant about firewall.

After upgrade, I can contact my Pioneer box with ssh but anything else does not answer, including the web interface. I found out that I can change /etc/firewalld/firewalld.conf to have logging and then I see things like:

fbox kernel: filter_IN_public_REJECT: IN=end0 OUT= MAC=02:99:0b:41:e2:2a:02:0a:04:80:e0:fc:08:00 SRC= DST= LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=54594 DF PROTO=TCP SPT=56114 DPT=443 WINDOW=64240 RE is the machine trying to access my freedombox. Does this “REJECT” mean that the packet was dropped?

I tried to do exactly what was in the link that you provided (as I have zero understanding);

firewall-cmd --permanent --new-policy int_to_ext_fwd
firewall-cmd --permanent --policy int_to_ext_fwd --add-ingress-zone internal
firewall-cmd --permanent --policy int_to_ext_fwd --add-egress-zone external
firewall-cmd --permanent --policy int_to_ext_fwd --set-priority 100
firewall-cmd --permanent --policy int_to_ext_fwd --set-target ACCEPT

firewall-cmd --permanent --zone=external --add-masquerade
firewall-cmd --permanent --zone=internal --add-forward
systemctl restart firewalld.service

However, this has changed nothing. On my freedombox, from plinth, I remember I did something like setting some interface as external in order to access internet via the freedombox when connected with openvpn to the freedombox, perhaps this means something different is needed?

I looked into /etc/firewalld, I found:

  • firewalld.conf, from today
  • firewalld.conf.dpkg-old, from 29 January, perhaps when I last reinstalled
  • firewalld.conf.old is from 2021

I compared filrewalld.conf and firewalld.conf.dpkg-old and noticed that DefaultZone=public in firewalld.conf was instead DefaultZone=external in firewalld.conf.dpg-old.

I changed DefaultZone to external in firewalld.conf and restarted firewalld.service (systemctl restart firewalld.service) and now, I can access the web interface again.

This allowed me to run diagnostics and see that everything is ok.

So perhaps my upgrade is ok, the only issue was the firewall? I don’t know whether I got the solution right.


Had the same issue. Changing the default zone back to ‘external’ seems to have fixed it.

1 Like

Thx, this did the job. FB is up and running again. I could initiate the upgrade in the system-section, and so far everything except tt-rss is working as expected.