Re: [CentOS] firewalld: removing rich-rules based on its own list fails

2021-12-22 Thread Patrick via CentOS

Hi Kenneth,

On 22-12-2021 22:39, Kenneth Porter wrote:
> --On Wednesday, December 22, 2021 8:03 PM +0100 Patrick via CentOS
>  wrote:
>
> > Error: INVALID_RULE: internal error in _lexer(): rule family="ipv4"
> > source NOT address="46.23.XX.0/24" forward-port port="53" protocol="udp"
> > to-port="60053" to-addr="46.23.XX.53"
>
> If you don't get help here, you might try one of the firewalld mailing
> lists or other support resources here:
>
> I'm curious to hear what you discover. (This might be a bug that
> warrants a patch for the CentOS package.)

Thanks for the pointer. I'll follow up with the firewalld ML and if
anything surfaces will let you know.


Best,
Patrick
___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] firewalld: removing rich-rules based on its own list fails

2021-12-22 Thread Kenneth Porter
--On Wednesday, December 22, 2021 8:03 PM +0100 Patrick via CentOS
 wrote:

> Error: INVALID_RULE: internal error in _lexer(): rule family="ipv4"
> source NOT address="46.23.XX.0/24" forward-port port="53" protocol="udp"
> to-port="60053" to-addr="46.23.XX.53"

If you don't get help here, you might try one of the firewalld mailing
lists or other support resources here:

I'm curious to hear what you discover. (This might be a bug that warrants a
patch for the CentOS package.)



[CentOS] firewalld: removing rich-rules based on its own list fails

2021-12-22 Thread Patrick via CentOS

Hi,

I have some ansible roles which each create some firewalld rich-rules. 
For ansible idempotency I tried to remove any dns related rich-rules 
before creating the ones in the playbook. After some searching I came up 
with this:


#!/bin/bash
OLDIFS=$IFS
IFS=''
while read -r line; do firewall-cmd --zone=public --permanent --remove-rich-rule=\'$line\'; done <<< $(firewall-cmd --zone=public --list-rich-rules | egrep 'dns|53')
IFS=$OLDIFS

But this fails with for example:

Error: INVALID_RULE: internal error in _lexer(): rule family="ipv4" 
source NOT address="46.23.XX.0/24" forward-port port="53" protocol="udp" 
to-port="60053" to-addr="46.23.XX.53"


My googling & variations came up empty. Anyone know why this is failing 
and could possibly share how to make this work?


Thanks!

Best,
Patrick
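The script in Patrick's message passes `\'$line\'` to firewall-cmd, so the rule text reaches firewalld wrapped in literal apostrophes, which its rule lexer rejects with INVALID_RULE. The following script is an added example, not Patrick's code and not part of the thread: it hands each matching rule to firewall-cmd as one unquoted argument, lists and removes from the same (permanent) configuration, and can be dry-run against a stub. The sample rule list is constructed (documentation address ranges), and `FIREWALL_CMD`, `fake_firewall_cmd`, `select_rules` and `remove_rich_rules` are this example's own names.

```shell
#!/bin/sh
# Added example, not the original poster's script: remove the permanent rich
# rules of a zone that match a pattern, handing each rule to firewall-cmd as
# one argument with no added quote characters.

# Constructed sample of `firewall-cmd --zone=public --permanent --list-rich-rules`
# output (documentation address ranges, not captured from a real host).
SAMPLE_RULES='rule family="ipv4" source NOT address="203.0.113.0/24" forward-port port="53" protocol="udp" to-port="60053" to-addr="203.0.113.53"
rule family="ipv4" source address="198.51.100.0/24" service name="ssh" accept
rule family="ipv4" source address="203.0.113.0/24" port port="53" protocol="tcp" accept'

# Command used to talk to firewalld; point it at a stub for a dry run.
FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"

# Dry-run stand-in for firewall-cmd: prints the argv it receives, one
# argument per line, so the exact text handed to firewalld can be inspected.
fake_firewall_cmd() {
    printf '%s\n' "$@"
}

# select_rules REGEX: keep the stdin lines (one rich rule each) matching REGEX.
# Match on rule elements such as 'port="53"|service name="dns"'; a bare
# 'dns|53' would also select any rule whose address happens to contain "53".
select_rules() {
    grep -E -- "$1"
}

# remove_rich_rules ZONE: read rich rules from stdin and delete each one from
# the permanent configuration of ZONE. "$rule" expands to a single word, so
# firewalld receives the rule text exactly as it listed it. The original
# \'$line\' form wrapped the rule in literal apostrophes, which the rule
# lexer rejects with INVALID_RULE.
remove_rich_rules() {
    zone=$1
    while IFS= read -r rule || [ -n "$rule" ]; do
        [ -n "$rule" ] || continue
        "$FIREWALL_CMD" --zone="$zone" --permanent --remove-rich-rule="$rule" || return 1
    done
}

# Live usage: sh remove_rich_rules.sh public 'port="53"|service name="dns"'
# Listing and removal both address the permanent configuration (the original
# listed runtime rules but removed permanent ones); the reload applies the
# result to the running firewall.
if [ "$#" -eq 2 ]; then
    "$FIREWALL_CMD" --zone="$1" --permanent --list-rich-rules \
        | select_rules "$2" | remove_rich_rules "$1" \
        && "$FIREWALL_CMD" --reload
fi
```

Running it with `FIREWALL_CMD=fake_firewall_cmd` shows the argv firewalld would see; the `--remove-rich-rule=` argument should start with `rule family=` and contain no apostrophes.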


Re: [CentOS] firewalld - same source in different zones

2021-02-08 Thread Łukasz Posadowski
On Mon, 08.02.2021 at 15:30 -0500, user Jonathan Billings wrote:
> On Mon, Feb 08, 2021 at 06:19:07PM +0100, Łukasz Posadowski wrote:
> > 
> > 
> > Hi.
> > 
> > I have a little trouble with firewalld. I'm trying to open some
> > ports
> > for monitoring server, but it's in the same network as "home" zone:
> > 
> > Monitored host (192.168.111.60):
> > 
> > lukasz @ strategie 17:52:19  ~ $ 
> >   ->  sudo firewall-cmd --get-active
> > home
> >   sources: 192.168.111.0/24
> >   (open ports 22, 80, 443)
> > monitoring
> >   sources: 192.168.111.19
> >   (open ports: 5666)
> > public
> >   interfaces: ens18
> >   (no open ports)
> > 
> > ---
> > 
> > Monitoring host (192.168.111.19):
> > 
> > lukasz @ potemkin 17:57:25  ~ $ 
> >   ->  telnet strategie.ping.local 5666
> > Trying 192.168.111.60...
> > telnet: connect to address 192.168.111.60: No route to host
> > 
> > lukasz @ potemkin 17:57:26  ~ $ 
> >   ->  telnet strategie.ping.local 80
> > Trying 192.168.111.60...
> > Connected to strategie.ping.local.
> > Escape character is '^]'.
> > ^]
> > telnet> Connection closed.
> > 
> > ---
> > 
> > I think there are conflicting rules on a monitored host, that:
> > - prevent access to 5666 from 192.168.111.0/24,
> > - give access to 5666 from 192.168.111.19
> > and packets from potemkin are routed through a home zone.
> > 
> > I really would like to have dedicated "monitor" zone. Is there a
> > way to
> > give "monitor" zone more priority, than "home"? I may end with
> > OpenVPN
> > on potemkin and use 172.30.25.0/24 for monitoring, but, apart from
> > encryption aspect, it seems a little excessive.
> 
> You can do it with rich rules, which have a priority.  Basically, if
> you set priority to < 0, it goes into a _pre table which gets
> evaluated before the other zones:
> 
> Blog about it:
> https://firewalld.org/2018/12/rich-rule-priorities
> 
> Unfortunately, this was introduced in firewalld v0.7.0 which isn't in
> CentOS 7.  I'm not sure if the functionality has been backported, but
> the firewalld.richlanguage man page on my c7 system doesn't mention
> it.  It should work on CentOS 8+.
> 
> Another solution is to set a direct rule, which is evaluated first.
> 
> Lastly, it's my experience that firewalld evaluates the configuration
> of zones lexically, so if the monitoring zone happens to sort
> (LANG=C)
> before the other zone, it'll be evaluated first.  Don't trust that
> this behavior will always be the case.
> 

I'm with Centos 8 (and fedora), so it should work. Thank You, I'll try
with rich rules.

-- 
Łukasz Posadowski




Re: [CentOS] firewalld - same source in different zones

2021-02-08 Thread Jonathan Billings
On Mon, Feb 08, 2021 at 06:19:07PM +0100, Łukasz Posadowski wrote:
>
> 
> Hi.
> 
> I have a little trouble with firewalld. I'm trying to open some ports
> for monitoring server, but it's in the same network as "home" zone:
> 
> Monitored host (192.168.111.60):
> 
> lukasz @ strategie 17:52:19  ~ $ 
>   ->  sudo firewall-cmd --get-active
> home
>   sources: 192.168.111.0/24
>   (open ports 22, 80, 443)
> monitoring
>   sources: 192.168.111.19
>   (open ports: 5666)
> public
>   interfaces: ens18
>   (no open ports)
> 
> ---
> 
> Monitoring host (192.168.111.19):
> 
> lukasz @ potemkin 17:57:25  ~ $ 
>   ->  telnet strategie.ping.local 5666
> Trying 192.168.111.60...
> telnet: connect to address 192.168.111.60: No route to host
> 
> lukasz @ potemkin 17:57:26  ~ $ 
>   ->  telnet strategie.ping.local 80
> Trying 192.168.111.60...
> Connected to strategie.ping.local.
> Escape character is '^]'.
> ^]
> telnet> Connection closed.
> 
> ---
> 
> I think there are conflicting rules on a monitored host, that:
> - prevent access to 5666 from 192.168.111.0/24,
> - give access to 5666 from 192.168.111.19
> and packets from potemkin are routed through a home zone.
> 
> I really would like to have dedicated "monitor" zone. Is there a way to
> give "monitor" zone more priority, than "home"? I may end with OpenVPN
> on potemkin and use 172.30.25.0/24 for monitoring, but, apart from
> encryption aspect, it seems a little excessive.

You can do it with rich rules, which have a priority.  Basically, if
you set priority to < 0, it goes into a _pre table which gets
evaluated before the other zones:

Blog about it:
https://firewalld.org/2018/12/rich-rule-priorities

Unfortunately, this was introduced in firewalld v0.7.0 which isn't in
CentOS 7.  I'm not sure if the functionality has been backported, but
the firewalld.richlanguage man page on my c7 system doesn't mention
it.  It should work on CentOS 8+.

Another solution is to set a direct rule, which is evaluated first.

Lastly, it's my experience that firewalld evaluates the configuration
of zones lexically, so if the monitoring zone happens to sort (LANG=C)
before the other zone, it'll be evaluated first.  Don't trust that
this behavior will always be the case.

-- 
Jonathan Billings 
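Jonathan's answer describes rich-rule priorities: a rule with a priority below 0 is placed in a chain evaluated before any zone's ordinary rules, which is what lets a narrow "monitoring" rule win over the broader "home" zone covering the same subnet. The script below is an added example, not from the thread, expressing Łukasz's case (host 192.168.111.19, port 5666, zone "monitoring") as such a rule and checking the priority range firewalld accepts (-32768 to 32767, lower first) before anything is applied; the `--apply` flag, `build_priority_rule` and `apply_priority_rule` are this example's own names, and it needs firewalld 0.7 or later (CentOS 8+, as Jonathan notes).

```shell
#!/bin/sh
# Added example (not from the thread): give a dedicated monitoring zone
# precedence over a broader "home" zone that covers the same subnet, using a
# rich rule with a negative priority so it is evaluated before any zone's
# ordinary rules (firewalld 0.7+, i.e. CentOS 8 and later).

# Values from the thread's setup; replace with your own.
ZONE=monitoring
MONITOR_HOST=192.168.111.19
NRPE_PORT=5666

# build_priority_rule PRIORITY SOURCE PORT PROTO
# Prints a rich rule string, or fails if PRIORITY is not an integer in the
# range firewalld accepts (-32768..32767; lower values are evaluated first).
build_priority_rule() {
    prio=$1; src=$2; port=$3; proto=$4
    case $prio in
        ''|*[!0-9-]*|-|?*-*) echo "bad priority: $prio" >&2; return 1 ;;
    esac
    if [ "$prio" -lt -32768 ] || [ "$prio" -gt 32767 ]; then
        echo "priority out of range: $prio" >&2; return 1
    fi
    printf 'rule family="ipv4" priority="%s" source address="%s" port port="%s" protocol="%s" accept\n' \
        "$prio" "$src" "$port" "$proto"
}

# apply_priority_rule ZONE RULE: store the rule permanently, reload, then list
# the zone's rich rules so the result can be checked.
apply_priority_rule() {
    firewall-cmd --permanent --zone="$1" --add-rich-rule="$2" \
        && firewall-cmd --reload \
        && firewall-cmd --zone="$1" --list-rich-rules
}

# Only touch firewalld when run with "--apply"; otherwise just print the rule.
rule=$(build_priority_rule -10 "$MONITOR_HOST" "$NRPE_PORT" tcp) || exit 1
if [ "${1:-}" = "--apply" ]; then
    apply_priority_rule "$ZONE" "$rule"
else
    echo "$rule"
fi
```

Without `--apply` the script only prints the rule it would add; with it, the rule is stored permanently, the configuration is reloaded, and the zone's rich rules are listed for verification.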


[CentOS] firewalld - same source in different zones

2021-02-08 Thread Łukasz Posadowski

Hi.

I have a little trouble with firewalld. I'm trying to open some ports
for monitoring server, but it's in the same network as "home" zone:

Monitored host (192.168.111.60):

lukasz @ strategie 17:52:19  ~ $ 
  ->  sudo firewall-cmd --get-active
home
  sources: 192.168.111.0/24
  (open ports 22, 80, 443)
monitoring
  sources: 192.168.111.19
  (open ports: 5666)
public
  interfaces: ens18
  (no open ports)

---

Monitoring host (192.168.111.19):

lukasz @ potemkin 17:57:25  ~ $ 
  ->  telnet strategie.ping.local 5666
Trying 192.168.111.60...
telnet: connect to address 192.168.111.60: No route to host

lukasz @ potemkin 17:57:26  ~ $ 
  ->  telnet strategie.ping.local 80
Trying 192.168.111.60...
Connected to strategie.ping.local.
Escape character is '^]'.
^]
telnet> Connection closed.

---

I think there are conflicting rules on a monitored host, that:
- prevent access to 5666 from 192.168.111.0/24,
- give access to 5666 from 192.168.111.19
and packets from potemkin are routed through a home zone.

I really would like to have dedicated "monitor" zone. Is there a way to
give "monitor" zone more priority, than "home"? I may end with OpenVPN
on potemkin and use 172.30.25.0/24 for monitoring, but, apart from
encryption aspect, it seems a little excessive.

Thank You.

-- 
Łukasz Posadowski




Re: [CentOS] firewalld / iptables / nftables

2020-06-09 Thread Leon Fauster via CentOS

On 09.06.20 at 15:27, Chris Adams wrote:
> Once upon a time, Jonathan Billings  said:
> > 'iptables' and 'nftables' are competing technologies.  In CentOS 8,
> > firewalld's backend was switched from iptables to nftables.  So it
> > would be expected that the iptables command wouldn't have any rules
> > defined, it isn't being used by firewalld.
>
> That is partially incorrect.  While iptables and nftables are two
> different in-kernel firewalls, the iptables CLI command is now a wrapper
> that can translate to the nftables backend for compatibility.
>
> However, it can only manage a subset of nftables information (basically
> what it can create in the iptables back-compat mode).  The nftables
> rules created by firewalld don't fall into that category, so can't be
> viewed by iptables.
>
> Instead, use the nft command, like "nft list ruleset" to see a dump of
> all current rules.

This sounds reasonable, albeit it raises another question. How does the
netfilter workflow look when firewalld-generated rules and
iptables-generated rules (coming from migration activities) are
processed? How are both categories of rules interwoven? I assume taking
only the nftables path will be the cleanest and preferred one ... but
I cannot avoid running some iptables tests.

--
Thanks,
Leon



Re: [CentOS] firewalld / iptables / nftables

2020-06-09 Thread Chris Adams
Once upon a time, Jonathan Billings  said:
> 'iptables' and 'nftables' are competing technologies.  In CentOS 8,
> firewalld's backend was switched from iptables to nftables.  So it
> would be expected that the iptables command wouldn't have any rules
> defined, it isn't being used by firewalld.

That is partially incorrect.  While iptables and nftables are two
different in-kernel firewalls, the iptables CLI command is now a wrapper
that can translate to the nftables backend for compatibility.

However, it can only manage a subset of nftables information (basically
what it can create in the iptables back-compat mode).  The nftables
rules created by firewalld don't fall into that category, so can't be
viewed by iptables.

Instead, use the nft command, like "nft list ruleset" to see a dump of
all current rules.

-- 
Chris Adams 
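To make Chris's distinction concrete, here is an added example (not from the thread) that parses `nft list ruleset` output into a per-table summary and flags the tables the iptables compatibility wrapper can display. The sample ruleset is constructed, modelled on the `inet firewalld` table firewalld's nftables backend creates plus one `ip filter` table as iptables-nft would make it; treating only the `ip`/`ip6` tables with the classic iptables table names as iptables-visible is this example's reading of the "back-compat subset" Chris describes. `summarize_ruleset`, `iptables_visible` and the `--live` flag are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): summarise `nft list ruleset` output per
# table and flag the tables the iptables compatibility wrapper can display.

# Constructed ruleset modelled on the "inet firewalld" table that firewalld's
# nftables backend creates plus one table made by iptables-nft; it was not
# captured from a real host.
SAMPLE_NFT='table inet firewalld {
    chain filter_INPUT {
        type filter hook input priority 10; policy accept;
        ct state established,related accept
        iifname "lo" accept
        jump filter_INPUT_ZONES
        reject with icmpx type admin-prohibited
    }
    chain filter_INPUT_ZONES {
        goto filter_IN_public
    }
    chain filter_IN_public {
        tcp dport 22 ct state new accept
    }
}
table ip filter {
    chain INPUT {
        type filter hook input priority 0; policy accept;
        tcp dport 8080 counter drop
    }
}'

# summarize_ruleset: read nft output on stdin, print one line per table:
#   family/table chains=N rules=M
# Lines inside a chain other than its "type ... hook ..." header count as rules.
summarize_ruleset() {
    awk '
    /^table /        { tbl = $2 "/" $3; chains[tbl] += 0; rules[tbl] += 0; next }
    /^[ \t]*chain /  { chains[tbl]++; inchain = 1; next }
    /^[ \t]*}/       { inchain = 0; next }
    inchain && NF > 0 && !/^[ \t]*type / { rules[tbl]++ }
    END { for (t in chains) printf "%s chains=%d rules=%d\n", t, chains[t], rules[t] }
    '
}

# iptables_visible: from summary lines, keep the tables iptables/ip6tables can
# manage: families ip and ip6 with the classic table names. Everything else
# (here the whole inet/firewalld table) does not show up in "iptables -L".
# This mapping is the example's reading of the "back-compat subset".
iptables_visible() {
    awk -F'[/ ]' '$1 ~ /^(ip|ip6)$/ && $2 ~ /^(filter|nat|mangle|raw|security)$/ { print $1 "/" $2 }'
}

# Live usage (needs root): sh nft_summary.sh --live
if [ "${1:-}" = "--live" ]; then
    nft list ruleset | summarize_ruleset
else
    printf '%s\n' "$SAMPLE_NFT" | summarize_ruleset
fi
```

On the sample, the summary reports `inet/firewalld chains=3 rules=6` and `ip/filter chains=1 rules=1`, and only `ip/filter` survives `iptables_visible`, which is the situation Leon observed: `nft list ruleset` shows the ssh rule, `iptables -L` shows nothing.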


Re: [CentOS] firewalld / iptables / nftables

2020-06-09 Thread Stephen John Smoogen
On Tue, 9 Jun 2020 at 08:19, Leon Fauster via CentOS 
wrote:

> Despite that the migration of our applications comes with a significant
> workload. It seems that also every aspect of common services had changed
> with EL8.
>
> In EL8 firewalld uses nftables as backend. I wonder why iptables does
> not list any rules while also configured to use nftables as backend.
>
> # iptables -V
> iptables v1.8.2 (nf_tables)
>
>
> # firewall-cmd --list-all |egrep -o '22|ssh'
> ssh
>
>
Maybe it's only defined to work for ipv6? Shouldn't there be 2 entries for
ssh?


> # nft list ruleset | egrep -o '22|ssh'
> ssh
>
> # iptables -L -n | egrep -o '22|ssh'
> 
>
> Any hints?
>
> --
> Leon
>


-- 
Stephen J Smoogen.


Re: [CentOS] firewalld / iptables / nftables

2020-06-09 Thread Jonathan Billings
On Tue, Jun 09, 2020 at 02:19:17PM +0200, Leon Fauster via CentOS wrote:
>
> Despite that the migration of our applications comes with a significant
> workload. It seems that also every aspect of common services had changed
> with EL8.
> 
> In EL8 firewalld uses nftables as backend. I wonder why iptables does not
> list any rules while also configured to use nftables as backend.
> 
> # iptables -V
> iptables v1.8.2 (nf_tables)
> 
> 
> # firewall-cmd --list-all |egrep -o '22|ssh'
> ssh
> 
> # nft list ruleset | egrep -o '22|ssh'
> ssh
> 
> # iptables -L -n | egrep -o '22|ssh'
> 
> 
> Any hints?

'iptables' and 'nftables' are competing technologies.  In CentOS 8,
firewalld's backend was switched from iptables to nftables.  So it
would be expected that the iptables command wouldn't have any rules
defined, it isn't being used by firewalld.

-- 
Jonathan Billings 


[CentOS] firewalld / iptables / nftables

2020-06-09 Thread Leon Fauster via CentOS
Despite that the migration of our applications comes with a significant 
workload. It seems that also every aspect of common services had changed 
with EL8.


In EL8 firewalld uses nftables as backend. I wonder why iptables does 
not list any rules while also configured to use nftables as backend.


# iptables -V
iptables v1.8.2 (nf_tables)


# firewall-cmd --list-all |egrep -o '22|ssh'
ssh

# nft list ruleset | egrep -o '22|ssh'
ssh

# iptables -L -n | egrep -o '22|ssh'


Any hints?

--
Leon


Re: [CentOS] Firewalld direct.xml

2020-03-24 Thread Phil Perry

On 24/03/2020 18:26, Jerry Geis wrote:
> it looks like it does work - it just takes a REAL long time to load with
> "many" entries in the file.
> iptables was never slow. firewalld seems inefficient.
>
> I was able to add the line - restart the firewall, (wait) - see my packets
> dropped - remove the line -
> restart the firewall (wait) and able to ping again.
>
> I thought this "Direct.xml" file would be the fastest way for firewalld -
> but there is multi-minute wait to restart. I have about 14000 entries.

I would think ipset would be a more suitable tool for the task in hand,
which can do the task instantly if you create and update a copy of your
set and then swap the sets.


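Phil's suggestion, building a fresh copy of the set and swapping it into place, as an added example that is not from the thread: the script validates a blocklist, emits `ipset restore` input for a temporary set, then swaps it for the live one so the firewall rule that references the set never changes and no firewalld reload is needed. It assumes the kernel `ipset` tool and a single firewalld direct rule matching the set (iptables syntax like Jerry's direct.xml, e.g. `-m set --match-set blacklist src -j DROP`); sets created with `firewall-cmd --new-ipset` are managed by firewalld itself and are not what `ipset swap` touches. The sample list is constructed, and `SET_NAME`, `is_ipv4_net`, `build_restore`, `swap_in` and `--apply` are this example's own names.

```shell
#!/bin/sh
# Added example (not from the thread): load a large blocklist into an ipset by
# building a fresh copy and atomically swapping it in, instead of reloading
# firewalld with thousands of direct rules.

SET_NAME=blacklist
SET_TYPE=hash:net

# Constructed input: one IPv4 address or CIDR per line, comments allowed.
SAMPLE_LIST='# constructed blocklist
192.0.2.10
198.51.100.0/24
203.0.113.0/25
not-an-address
256.1.1.1'

# is_ipv4_net ENTRY: accept a.b.c.d or a.b.c.d/len with in-range octets.
is_ipv4_net() {
    entry=$1
    addr=${entry%/*}
    len=${entry#*/}
    [ "$len" = "$entry" ] && len=32
    echo "$addr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    echo "$len" | grep -Eq '^[0-9]{1,2}$' || return 1
    [ "$len" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.
    for octet in $addr; do
        [ "$octet" -le 255 ] || { IFS=$old_ifs; return 1; }
    done
    IFS=$old_ifs
}

# build_restore TMPNAME: read a blocklist from stdin and emit `ipset restore`
# input that creates and fills TMPNAME; invalid lines are reported on stderr
# and skipped rather than aborting the whole load.
build_restore() {
    tmp=$1
    printf 'create %s %s\n' "$tmp" "$SET_TYPE"
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|\#*) continue ;; esac
        if is_ipv4_net "$line"; then
            printf 'add %s %s\n' "$tmp" "$line"
        else
            echo "skipping invalid entry: $line" >&2
        fi
    done
}

# swap_in SETNAME: build SETNAME-new from stdin, swap it into place, destroy
# the old copy. The rule that references SETNAME keeps working throughout.
swap_in() {
    name=$1; tmp="$1-new"
    ipset -exist create "$name" "$SET_TYPE" || return 1
    ipset destroy "$tmp" 2>/dev/null   # drop any leftover copy from an aborted run
    build_restore "$tmp" | ipset -exist restore \
        && ipset swap "$tmp" "$name" \
        && ipset destroy "$tmp"
}

# Live usage (needs root and the ipset tool):
#   sh ipset_swap.sh --apply < /etc/blacklist.txt
# The rule that consumes the set is added once, as a firewalld direct rule:
#   firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 \
#       -m set --match-set blacklist src -j DROP
if [ "${1:-}" = "--apply" ]; then
    swap_in "$SET_NAME"
fi
```

Because the swap is a single kernel operation, updating 14000 entries means regenerating the temporary set and swapping, with no gap during which the old list is not enforced.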


Re: [CentOS] Firewalld direct.xml

2020-03-24 Thread Jerry Geis
it looks like it does work - it just takes a REAL long time to load with
"many" entries in the file.
iptables was never slow. firewalld seems inefficient.

I was able to add the line - restart the firewall, (wait) - see my packets
dropped - remove the line -
restart the firewall (wait) and able to ping again.

I thought this "Direct.xml" file would be the fastest way for firewalld -
but there is multi-minute wait to restart. I have about 14000 entries.

Jerry


[CentOS] Firewalld direct.xml

2020-03-24 Thread Jerry Geis
Hi All - I created a /etc/firewalld/direct.xml file and put in it:




-s
192.168.1.8  -j blacklist


I rebooted, so then from the 192.168.1.8 machine I tried to ping the
machine. It responds.
I was expecting it not to respond?

What do I not have right with the direct.xml file ?

Thanks

Jerry


Re: [CentOS] Firewalld and iptables

2018-12-15 Thread Kenneth Porter
--On Friday, December 14, 2018 11:48 PM -0500 Jon LaBadie
wrote:

> I don't play with iptables, so I assume it is a legacy
> continued from CentOS 6.x.  I'll gladly remove the
> iptables service package.

firewalld is a user-space layer on top of the kernel's iptables machinery.
It provides for dynamic changes to the underlying iptables firewall. The
old firewall configuration (iptables.service, previously implemented as an
initscript in older CentOS versions) assumed a static firewall that was
loaded once at boot time. Changes required flushing the entire set of rules
and starting again, but that would disrupt running network applications.
Firewalld is a higher level description that is able to add and remove
rules on a running machine without disrupting applications. It still uses
the iptables machinery under the hood. It's good for dynamic systems like
mobile devices where interfaces come and go and the device changes networks
frequently.


Re: [CentOS] Firewalld and iptables

2018-12-15 Thread Kenneth Porter
--On Friday, December 14, 2018 11:48 PM -0500 Jon LaBadie
wrote:

>    https://pastebin.com/njaqR87f

The rule names all look like standard builtins. Are the iptables modules
loading into the kernel? Run lsmod and post that to pastebin. (I don't know
what loads the firewall modules in CentOS 7.)



Re: [CentOS] Firewalld and iptables

2018-12-14 Thread Jon LaBadie
On Fri, Dec 14, 2018 at 04:55:33PM -0800, Kenneth Porter wrote:
> --On Friday, December 14, 2018 5:57 PM -0500 Jon LaBadie 
> wrote:
> 
> > Well, there are about 20 of them and several screen widths
> > long.  However they all end with one of two reasons:
> > 
> >   : No chain/target/match by that name.
> >   : Bad rule (does a matching rule exist in that chain?).
> 
> Put them on a pastebin so we can see them at full width. The chain names
> should tell us what's responsible for them.
> 
   https://pastebin.com/njaqR87f
> 
> Note that the iptables utilities and the iptables service are distinct. I
> install the utilities so that I can inspect the kernel chains that firewalld
> creates. But I don't install the iptables service.

I don't play with iptables, so I assume it is a legacy
continued from CentOS 6.x.  I'll gladly remove the
iptables service package.

Jon
-- 
Jon H. LaBadie j...@jgcomp.com
 11226 South Shore Rd.  (703) 787-0688 (H)
 Reston, VA  20190  (703) 935-6720 (C)


Re: [CentOS] Firewalld and iptables

2018-12-14 Thread Gordon Messmer

On 12/14/18 2:57 PM, Jon LaBadie wrote:
> Well, there are about 20 of them and several screen widths
> long.  However they all end with one of two reasons:
>
>    : No chain/target/match by that name.
>    : Bad rule (does a matching rule exist in that chain?).

If you don't include the errors, all we can do is guess.  The name of
the chain that doesn't exist is probably key to explaining the error.

Docker is one possible reason for such errors:

https://support.plesk.com/hc/en-us/articles/360007029113-Docker-startup-on-firewalld-Warning-COMMAND-FAILED-No-chain-target-match-by-that-name



Re: [CentOS] Firewalld and iptables

2018-12-14 Thread Kenneth Porter
--On Friday, December 14, 2018 5:57 PM -0500 Jon LaBadie
wrote:

> Well, there are about 20 of them and several screen widths
> long.  However they all end with one of two reasons:
>
>   : No chain/target/match by that name.
>   : Bad rule (does a matching rule exist in that chain?).

Put them on a pastebin so we can see them at full width. The chain names
should tell us what's responsible for them.

> After the update I got email from "ckservices" that firewalld was down.
> I saw the above mentioned iptable errors and checked the iptables.service
> to find it masked.  I shutdown firewalld, unmasked, enabled, and started
> iptables.service and then firewalld.  Same errors.  So I shutdown iptables
> service, masked it, and restarted firewalld.

Note that the iptables utilities and the iptables service are distinct. I
install the utilities so that I can inspect the kernel chains that firewalld
creates. But I don't install the iptables service.



Re: [CentOS] Firewalld and iptables

2018-12-14 Thread Warren Young
On Dec 14, 2018, at 3:57 PM, Jon LaBadie  wrote:
> 
>  : Bad rule (does a matching rule exist in that chain?).

That makes sense: the old iptables service installed several default chains, 
and firewalld does as well, but they’re not named the same, and I doubt there’s 
a 1:1 mapping between them.

That’s part of why I advised you to use one or the other, not both.  Another 
reason is that their persistent rule stores use entirely different file 
formats, in different locations.


Re: [CentOS] Firewalld and iptables

2018-12-14 Thread Jon LaBadie
On Fri, Dec 14, 2018 at 03:14:12PM -0700, Warren Young wrote:
> On Dec 14, 2018, at 2:30 PM, Jon LaBadie  wrote:
> > 
> > After a recent large update, firewalld's status contains
> > many lines of the form:
> > 
> >  WARNING: COMMAND_FAILED: '/usr/sbin/iptables…
> 
> What’s the rest of the command?

Well, there are about 20 of them and several screen widths
long.  However they all end with one of two reasons:

  : No chain/target/match by that name.
  : Bad rule (does a matching rule exist in that chain?).

> 
> > Checking iptables.service status shows it to be masked.
> 
> That’s probably from package iptables-services, which isn’t installed by 
> default on purpose. It’s the legacy service from before firewalld was made 
> the default.  Use one or the other, not both.
> 

After the update I got email from "ckservices" that firewalld was down.
I saw the above mentioned iptable errors and checked the iptables.service
to find it masked.  I shutdown firewalld, unmasked, enabled, and started
iptables.service and then firewalld.  Same errors.  So I shutdown iptables
service, masked it, and restarted firewalld.

> I strongly recommend that you use firewalld ...
> 
Never planned to do otherwise.  Just was uncertain if iptables.service
had to run also.

Thanks,
Jon
-- 
Jon H. LaBadie j...@jgcomp.com
 11226 South Shore Rd.  (703) 787-0688 (H)
 Reston, VA  20190  (703) 935-6720 (C)


Re: [CentOS] Firewalld and iptables

2018-12-14 Thread Warren Young
On Dec 14, 2018, at 3:14 PM, Warren Young  wrote:
> 
>alias fcp="sudo firewall-cmd --permanent"

These commands are top-of-mind for me at the moment because I just configured a 
Raspberry Pi based network appliance at home, and installed firewalld on it for 
the purpose because I like it so much better than raw iptables commands.

The default OS for the Raspberry Pi is derived from Debian, which has firewalld 
in its package repository but doesn’t use it by default.  I found it well worth 
going out of my way to get firewalld on that Pi.

Good stuff!


Re: [CentOS] Firewalld and iptables

2018-12-14 Thread Warren Young
On Dec 14, 2018, at 2:30 PM, Jon LaBadie  wrote:
> 
> After a recent large update, firewalld's status contains
> many lines of the form:
> 
>  WARNING: COMMAND_FAILED: '/usr/sbin/iptables…

What’s the rest of the command?

> Checking iptables.service status shows it to be masked.

That’s probably from package iptables-services, which isn’t installed by 
default on purpose. It’s the legacy service from before firewalld was made the 
default.  Use one or the other, not both.

I strongly recommend that you use firewalld instead of the old iptables 
service.  While firewalld is based on the kernel’s iptables facility, it gives 
many additional capabilities that you don’t get with raw iptables commands.  
The old service was little more than a macro system for raw iptables commands.  

Contrast firewalld, which:

1. Integrates with systemd.

2. Understands “services” as opposed to just raw port numbers and such.  This 
is especially valuable with complex services like NFS.  With iptables…well, you 
forgot to allow rpc.portmap again, didn’t you? :)

3. Updates the firewall in real time, live.  You can do this by hand with raw 
iptables commands, but the syntax for inserting new rules at the right place in 
the tables is awkward.  Firewalld automates all of that for you.

4. Add --permanent to a new rule to save it securely to the rule set loaded on 
startup.  Contrast iptables, where you’re often running across blog articles 
and such that talk about saving such rules separately to /etc/rc.local and 
such, or editing /etc/sysconfig/iptables directly.

5. If you prefer the “update global config and reload” pattern of the old 
system-config-firewall scheme from CentOS 6, you can do that with firewalld, 
too:

alias fcp="sudo firewall-cmd --permanent"
fcp --add-service foo
fcp --add-port somename/tcp
…more fcp commands here…
sudo firewall-cmd --reload




[CentOS] Firewalld and iptables

2018-12-14 Thread Jon LaBadie
After a recent large update, firewalld's status contains
many lines of the form:

  WARNING: COMMAND_FAILED: '/usr/sbin/iptables...

Checking iptables.service status shows it to be masked.

I realize that firewalld uses iptables, but should it
be enabled and started as a service?

Jon
-- 
Jon H. LaBadie j...@labadie.us
 11226 South Shore Rd.  (703) 787-0688 (H)
 Reston, VA  20190  (703) 935-6720 (C)


Re: [CentOS] firewalld

2017-12-19 Thread Kenneth Porter

On 12/19/2017 3:55 PM, Emmett Culley wrote:
> That was the clue I needed.


I'm fighting a firewalld mystery myself, mostly a result of not really 
understanding the philosophy of the thing and trying to sleuth it out by 
black boxing it. But fortunately this is open source, so I'm also 
grepping the firewalld sources to figure out where these mysteries are 
coming from:


https://github.com/firewalld/firewalld

firewalld creates a lot of iptables/netfilter rules, which makes it hard 
to follow what's going on. I may cobble together a netfilter 
visualization tool that will take iptables-save and convert it into a 
graph in GraphViz dot file format to try to figure out what's going on. 
I found a Python program that seems like a partial attempt to create 
this, but it seems incomplete. The dot files lack connections between 
the chains so I just get a bunch of floating bubbles with chain names. 
The program assumes that uppercase chain names are terminal nodes, and 
firewalld loves to create chains with uppercase names.


https://github.com/larsks/dot-iptables

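Kenneth describes wanting a GraphViz rendering of iptables-save output with real edges between chains, which the tool he found does not draw. The script below is an added example, neither Kenneth's code nor larsks/dot-iptables: an awk converter that emits one edge per (chain, target) pair following `-j` and `-g` jumps, and decides whether a target is a user chain by whether the dump declares it with a `:NAME -` line, so the uppercase-means-terminal assumption he mentions plays no role. The iptables-save excerpt is constructed in the shape firewalld's iptables backend produces (INPUT_ZONES, IN_public and its sub-chains); `iptables_save_to_dot` and the `--live` flag are this example's own.

```shell
#!/bin/sh
# Added example (not Kenneth's tool and not dot-iptables): turn iptables-save
# output into a GraphViz graph whose edges follow -j/-g jumps between chains.
# A chain counts as a user chain when the save declares it with a ":NAME -"
# line, so the case of the chain name plays no role.

# Constructed iptables-save excerpt shaped like the filter table firewalld's
# iptables backend builds (not captured from a real host).
SAMPLE_SAVE='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:INPUT_ZONES - [0:0]
:IN_public - [0:0]
:IN_public_allow - [0:0]
:IN_public_deny - [0:0]
:IN_public_log - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_ZONES
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT_ZONES -i eth0 -g IN_public
-A IN_public -j IN_public_log
-A IN_public -j IN_public_deny
-A IN_public -j IN_public_allow
-A IN_public -j REJECT --reject-with icmp-host-prohibited
-A IN_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
COMMIT'

# iptables_save_to_dot: read iptables-save text on stdin, write a dot graph.
# Chains are ellipses named table/chain; terminal targets (ACCEPT, DROP,
# REJECT, ...) are boxes; each edge is labelled with the number of rules in
# the source chain that jump to that target.
iptables_save_to_dot() {
    awk '
    /^\*/ { table = substr($0, 2); next }
    /^:/  { name = substr($1, 2); chains[table "/" name] = 1; next }
    /^-A/ {
        chain = table "/" $2; target = ""
        for (i = 3; i <= NF; i++)
            if ($i == "-j" || $i == "-g") target = $(i + 1)
        if (target == "") next
        if ((table "/" target) in chains) target = table "/" target
        else terminals[target] = 1
        edges[chain SUBSEP target]++
    }
    END {
        print "digraph iptables {"
        print "  rankdir=LR;"
        for (c in chains) printf "  \"%s\";\n", c
        for (t in terminals) printf "  \"%s\" [shape=box];\n", t
        for (e in edges) {
            split(e, p, SUBSEP)
            printf "  \"%s\" -> \"%s\" [label=\"%d\"];\n", p[1], p[2], edges[e]
        }
        print "}"
    }'
}

# Live usage (needs root): sh iptables_dot.sh --live | dot -Tsvg > rules.svg
if [ "${1:-}" = "--live" ]; then
    iptables-save | iptables_save_to_dot
else
    printf '%s\n' "$SAMPLE_SAVE" | iptables_save_to_dot
fi
```

On the sample this yields nine edges, including `filter/INPUT_ZONES -> filter/IN_public` from the `-g` rule and `filter/INPUT -> ACCEPT` labelled 2 for the two accept rules; pipe the output through `dot` to render it.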


Re: [CentOS] firewalld

2017-12-19 Thread Emmett Culley
On 12/19/2017 03:37 PM, Louis Lagendijk wrote:
> On Tue, 2017-12-19 at 15:05 -0800, Emmett Culley wrote:
>> I have two VMs, both with firewalld installed.  One on machine It
>> this in the IN_public chain:
>>
>> Chain IN_public (2 references)
>>  pkts bytes target           prot opt in     out     source               destination
>>    81  3423 IN_public_log    all  --  *      *       0.0.0.0/0            0.0.0.0/0
>>    81  3423 IN_public_deny   all  --  *      *       0.0.0.0/0            0.0.0.0/0
>>    81  3423 IN_public_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0
>>    79  3335 REJECT           all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
>>
>> On the other I see:
>>
>> Chain IN_public (2 references)
>>  pkts bytes target           prot opt in     out     source               destination
>>   101  4232 IN_public_log    all  --  *      *       0.0.0.0/0            0.0.0.0/0
>>   101  4232 IN_public_deny   all  --  *      *       0.0.0.0/0            0.0.0.0/0
>>   101  4232 IN_public_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0
>>   184       ACCEPT           icmp --  *      *       0.0.0.0/0            0.0.0.0/0
>>
>> As might be expected, pinging the first VM fails.  That is the ping
>> is rejected with:
>>
>> [emmett@ws1 ~]$ ping 96.92.106.4
>> PING 96.92.106.4 (96.92.106.4) 56(84) bytes of data.
>>  From 96.92.106.4 icmp_seq=1 Destination Host Prohibited
>>  From 96.92.106.4 icmp_seq=2 Destination Host Prohibited
>>
>> And pinging the second works as expected.
>>
>> I've searched the firewalld configuration files in /usr/lib/firewalld
>> and /etc/firewalld and can find no reference to any icmp rule.  The
>> two machines were cloned originally from the same VM.  Why are they
>> different?
>>
>> How can I remove the reject-with icmp rule using firewalld.  I can
>> remove it using "iptables -D [IN_public | FWDO_public | FWDI_public ]
>> 4" and I can then ping that machine.  But of course the rule is
>> returned whenever firewalld is restarted.
>>
>> Emmett
>>
> What is the output off:
> firewall-cmd --list-all
> on the VMs?
> 
> 
That was the clue I needed.  On the first machine:

  target: %%REJECT%%
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: ftp_passiv http ssh https ftps
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

And the second:

  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: ftp_passiv http ssh https ftps
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

Changing the target to "default" instead of "%%REJECT%%" by setting the zone
policy to default in firewalld-config fixed it.  Not sure why that would be,
but I am happy with the result.

Thanks!



Re: [CentOS] firewalld

2017-12-19 Thread Louis Lagendijk
On Tue, 2017-12-19 at 15:05 -0800, Emmett Culley wrote:
> I have two VMs, both with firewalld installed.  One on machine It
> this in the IN_public chain:
> 
> Chain IN_public (2 references)
>  pkts bytes target           prot opt in     out     source               destination
>    81  3423 IN_public_log    all  --  *      *       0.0.0.0/0            0.0.0.0/0
>    81  3423 IN_public_deny   all  --  *      *       0.0.0.0/0            0.0.0.0/0
>    81  3423 IN_public_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0
>    79  3335 REJECT           all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
>
> On the other I see:
>
> Chain IN_public (2 references)
>  pkts bytes target           prot opt in     out     source               destination
>   101  4232 IN_public_log    all  --  *      *       0.0.0.0/0            0.0.0.0/0
>   101  4232 IN_public_deny   all  --  *      *       0.0.0.0/0            0.0.0.0/0
>   101  4232 IN_public_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0
>   184       ACCEPT           icmp --  *      *       0.0.0.0/0            0.0.0.0/0
> 
> As might be expected, pinging the first VM fails.  That is the ping
> is rejected with:
> 
> [emmett@ws1 ~]$ ping 96.92.106.4
> PING 96.92.106.4 (96.92.106.4) 56(84) bytes of data.
> From 96.92.106.4 icmp_seq=1 Destination Host Prohibited
> From 96.92.106.4 icmp_seq=2 Destination Host Prohibited
> 
> And pinging the second works as expected.
> 
> I've searched the firewalld configuration files in /usr/lib/firewalld
> and /etc/firewalld and can find no reference to any icmp rule.  The
> two machines were cloned originally from the same VM.  Why are they
> different?
> 
> How can I remove the reject-with icmp rule using firewalld?  I can
> remove it using "iptables -D [IN_public | FWDO_public | FWDI_public ]
> 4" and I can then ping that machine.  But of course the rule is
> returned whenever firewalld is restarted.
> 
> Emmett
> 
What is the output of:
firewall-cmd --list-all
on the VMs?



[CentOS] firewalld

2017-12-19 Thread Emmett Culley
I have two VMs, both with firewalld installed.  One machine has this in the 
IN_public chain:

Chain IN_public (2 references)
 pkts bytes target prot opt in out source   destination 

   81  3423 IN_public_log  all  --  *  *   0.0.0.0/0
0.0.0.0/0   
   81  3423 IN_public_deny  all  --  *  *   0.0.0.0/0
0.0.0.0/0   
   81  3423 IN_public_allow  all  --  *  *   0.0.0.0/0
0.0.0.0/0   
   79  3335 REJECT all  --  *  *   0.0.0.0/00.0.0.0/0   
 reject-with icmp-host-prohibited

On the other I see:

Chain IN_public (2 references)
 pkts bytes target prot opt in out source   destination 

  101  4232 IN_public_log  all  --  *  *   0.0.0.0/0
0.0.0.0/0   
  101  4232 IN_public_deny  all  --  *  *   0.0.0.0/0
0.0.0.0/0   
  101  4232 IN_public_allow  all  --  *  *   0.0.0.0/0
0.0.0.0/0   
184 ACCEPT icmp --  *  *   0.0.0.0/00.0.0.0/0   


As might be expected, pinging the first VM fails.  That is the ping is rejected 
with:

[emmett@ws1 ~]$ ping 96.92.106.4
PING 96.92.106.4 (96.92.106.4) 56(84) bytes of data.
From 96.92.106.4 icmp_seq=1 Destination Host Prohibited
From 96.92.106.4 icmp_seq=2 Destination Host Prohibited

And pinging the second works as expected.

I've searched the firewalld configuration files in /usr/lib/firewalld and 
/etc/firewalld and can find no reference to any icmp rule.  The two machines 
were cloned originally from the same VM.  Why are they different?

How can I remove the reject-with icmp rule using firewalld?  I can remove it 
using "iptables -D [IN_public | FWDO_public | FWDI_public ] 4" and I can then 
ping that machine.  But of course the rule is returned whenever firewalld is 
restarted.

Emmett


Re: [CentOS] firewalld and LISTEN

2017-07-30 Thread 望月忠雄
Dear Alexander,

Thank you.

Tadao


2017-07-31 1:25 GMT+09:00 Alexander Dalloz :

> Am 30.07.2017 um 07:06 schrieb 望月忠雄:
>
>> Please teach me one more.
>> By 'firewall-cmd --list' its answer is following.
>>
>> external (active)
>>target: default
>>icmp-block-inversion: no
>>interfaces: eth0
>>sources:
>>services: dns ftp http https imaps pop3s smtp ssh
>>ports: 110/tcp 21/tcp 2/tcp 106/tcp 53/tcp 990/tcp 5432/tcp
>> 8447/tcp
>> 113/tcp 143/tcp 3306/tcp 5224/tcp 22/tcp 465/tcp 995/tcp 25/tcp 1/tcp
>> 8443/tcp 993/tcp 443/tcp 8880/tcp 587/tcp 20/tcp 53/udp 12768/tcp
>>protocols:
>>masquerade: yes
>>forward-ports:
>>sourceports:
>>icmp-blocks:
>>rich rules:
>>
>> Now I can use http normally.
>> And 'ss -nat' shows 80 ports used.
>>
>> But in the above firewalld list, there's an http service, but no
>> 80/tcp port.
>> Must I add the 80/tcp port?
>>
>> Tadao
>>
>
> Hi,
>
> you can define rules either by using services or ports. You have partly
> doubled that config by using both a service definition and a port
> definition. For instance service ssh and port 22/tcp. Same for smtp and
> port 25.
>
> You find the list of pre-defined services under
> /usr/lib/firewalld/services/.
>
> To give you an example. You can define
>
> # firewall-cmd --permanent --zone=public --add-service=http
>
> which enables port 80/tcp for the public zone. You can check how the
> service is defined by
>
> # firewall-cmd --info-service=http
>
> You could achieve the same port opening by issuing
>
> firewall-cmd --zone=public --add-port=80/tcp
>
> More or less a matter of taste how to define things. But you better avoid
> causing doubled rules.
>
> See your "iptables -L -n -v --line" output and you'll find multiple rules
> defined 2 times.
>
> Alexander
>


Re: [CentOS] firewalld and LISTEN

2017-07-30 Thread Alexander Dalloz

Am 30.07.2017 um 07:06 schrieb 望月忠雄:

> Please teach me one more.
> By 'firewall-cmd --list' its answer is following.
>
> external (active)
>    target: default
>    icmp-block-inversion: no
>    interfaces: eth0
>    sources:
>    services: dns ftp http https imaps pop3s smtp ssh
>    ports: 110/tcp 21/tcp 2/tcp 106/tcp 53/tcp 990/tcp 5432/tcp 8447/tcp
> 113/tcp 143/tcp 3306/tcp 5224/tcp 22/tcp 465/tcp 995/tcp 25/tcp 1/tcp
> 8443/tcp 993/tcp 443/tcp 8880/tcp 587/tcp 20/tcp 53/udp 12768/tcp
>    protocols:
>    masquerade: yes
>    forward-ports:
>    sourceports:
>    icmp-blocks:
>    rich rules:
>
> Now I can use http normally.
> And 'ss -nat' shows 80 ports used.
>
> But in the above firewalld list, there's an http service, but no 80/tcp port.
> Must I add the 80/tcp port?
>
> Tadao


Hi,

you can define rules either by using services or ports. You have partly 
doubled that config by using both a service definition and a port 
definition. For instance service ssh and port 22/tcp. Same for smtp and 
port 25.


You find the list of pre-defined services under 
/usr/lib/firewalld/services/.


To give you an example. You can define

# firewall-cmd --permanent --zone=public --add-service=http

which enables port 80/tcp for the public zone. You can check how the 
service is defined by


# firewall-cmd --info-service=http

You could achieve the same port opening by issuing

firewall-cmd --zone=public --add-port=80/tcp

More or less a matter of taste how to define things. But you better 
avoid causing doubled rules.


See your "iptables -L -n -v --line" output and you'll find multiple 
rules defined 2 times.


Alexander


Re: [CentOS] firewalld and LISTEN

2017-07-29 Thread 望月忠雄
Dear Gordon Messmer,

Thank you.

Please teach me one more.
By 'firewall-cmd --list' its answer is following.

external (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dns ftp http https imaps pop3s smtp ssh
  ports: 110/tcp 21/tcp 2/tcp 106/tcp 53/tcp 990/tcp 5432/tcp 8447/tcp
113/tcp 143/tcp 3306/tcp 5224/tcp 22/tcp 465/tcp 995/tcp 25/tcp 1/tcp
8443/tcp 993/tcp 443/tcp 8880/tcp 587/tcp 20/tcp 53/udp 12768/tcp
  protocols:
  masquerade: yes
  forward-ports:
  sourceports:
  icmp-blocks:
  rich rules:

Now I can use http normally.
And 'ss -nat' shows 80 ports used.

But in the above firewalld list, there's an http service, but no 80/tcp port.
Must I add the 80/tcp port?

Tadao



2017-07-28 11:29 GMT+09:00 Gordon Messmer :

> On 07/27/2017 06:36 PM, 望月忠雄 wrote:
>
>> But by ss -nat, IPV4 443 is not listened. How can I fix this?
>>
>> # ss -nat | grep LISTEN | grep 443
>> LISTEN 0  128 :::443 :::*
>>
>
>
> By default, Linux processes that listen on an IPv6 port will also listen
> on the IPv4 port (when no specific address is specified):
>
> http://man7.org/linux/man-pages/man7/ipv6.7.html
>
> You could change that behavior by modifying /proc/sys/net/ipv6/bindv6only,
> but your system is working normally now.
>
>


Re: [CentOS] firewalld and LISTEN

2017-07-27 Thread Gordon Messmer

On 07/27/2017 06:36 PM, 望月忠雄 wrote:

> But by ss -nat, IPV4 443 is not listened. How can I fix this?
>
> # ss -nat | grep LISTEN | grep 443
> LISTEN 0  128 :::443 :::*



By default, Linux processes that listen on an IPv6 port will also listen 
on the IPv4 port (when no specific address is specified):


http://man7.org/linux/man-pages/man7/ipv6.7.html

You could change that behavior by modifying 
/proc/sys/net/ipv6/bindv6only, but your system is working normally now.




Re: [CentOS] firewalld and LISTEN

2017-07-27 Thread 望月忠雄
Dear Jonathan,

Thank you.

Apache is running. And I can access by https(IPV4 443).
Please tell me which configuration I need to check.

Tadao


2017-07-28 10:52 GMT+09:00 Jonathan Billings :

> On Jul 27, 2017, at 9:36 PM, 望月忠雄  wrote:
> >
> > On CentOS7 I have following firewalld setting.
> >
> > external (active)
> >  target: default
> >  icmp-block-inversion: no
> >  interfaces: eth0
> >  sources:
> >  services: dns ftp http https imaps pop3s smtp ssh
> >  ports: 110/tcp 21/tcp 2/tcp 106/tcp 53/tcp 990/tcp 5432/tcp 8447/tcp
> > 113/tcp 143/tcp 3306/tcp 5224/tcp 22/tcp 465/tcp 995/tcp 25/tcp 1/tcp
> > 8443/tcp 993/tcp 443/tcp 8880/tcp 587/tcp 20/tcp 53/udp 12768/tcp
> >  protocols:
> >  masquerade: yes
> >  forward-ports:
> >  sourceports:
> >  icmp-blocks:
> >  rich rules:
> >
> > But by ss -nat, IPV4 443 is not listened. How can I fix this?
> >
> > # ss -nat | grep LISTEN | grep 443
> > LISTEN 0  128 :::443 :::*
>
> Just because the firewall is open doesn’t mean the process listening on
> port 443 has to be running.  It looks like your HTTPD server (I assume
> apache httpd?) isn’t listening on ipv4.  This is not a firewall problem,
> but a configuration problem for the web server.
>
> --
> Jonathan Billings 
>
>
>


Re: [CentOS] firewalld and LISTEN

2017-07-27 Thread Jonathan Billings
On Jul 27, 2017, at 9:36 PM, 望月忠雄  wrote:
> 
> On CentOS7 I have following firewalld setting.
> 
> external (active)
>  target: default
>  icmp-block-inversion: no
>  interfaces: eth0
>  sources:
>  services: dns ftp http https imaps pop3s smtp ssh
>  ports: 110/tcp 21/tcp 2/tcp 106/tcp 53/tcp 990/tcp 5432/tcp 8447/tcp
> 113/tcp 143/tcp 3306/tcp 5224/tcp 22/tcp 465/tcp 995/tcp 25/tcp 1/tcp
> 8443/tcp 993/tcp 443/tcp 8880/tcp 587/tcp 20/tcp 53/udp 12768/tcp
>  protocols:
>  masquerade: yes
>  forward-ports:
>  sourceports:
>  icmp-blocks:
>  rich rules:
> 
> But by ss -nat, IPV4 443 is not listened. How can I fix this?
> 
> # ss -nat | grep LISTEN | grep 443
> LISTEN 0  128 :::443 :::*

Just because the firewall is open doesn’t mean the process listening on port 
443 has to be running.  It looks like your HTTPD server (I assume apache 
httpd?) isn’t listening on ipv4.  This is not a firewall problem, but a 
configuration problem for the web server.

--
Jonathan Billings 




[CentOS] firewalld and LISTEN

2017-07-27 Thread 望月忠雄
On CentOS7 I have following firewalld setting.

external (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dns ftp http https imaps pop3s smtp ssh
  ports: 110/tcp 21/tcp 2/tcp 106/tcp 53/tcp 990/tcp 5432/tcp 8447/tcp
113/tcp 143/tcp 3306/tcp 5224/tcp 22/tcp 465/tcp 995/tcp 25/tcp 1/tcp
8443/tcp 993/tcp 443/tcp 8880/tcp 587/tcp 20/tcp 53/udp 12768/tcp
  protocols:
  masquerade: yes
  forward-ports:
  sourceports:
  icmp-blocks:
  rich rules:

But by ss -nat, IPV4 443 is not listened. How can I fix this?

# ss -nat | grep LISTEN | grep 443
LISTEN 0  128 :::443 :::*

Tadao


[CentOS] firewalld: whitelisting/blacklisting addresses allowed to connect to a service/port with ipset

2017-07-05 Thread Kenneth Porter
I'm trying to figure out how to use firewalld on CentOS 7 to block access 
to ssh (on a custom port to control log bloat) and smtp submission except 
for specific source addresses, using ipset. I haven't been able to figure 
out how to combine a port number or service name with an ipset, either as a 
blacklist of nets or a whitelist of addresses. It looks like ipset with 
type of "hash:net,port" might work but the current version of firewalld on 
C7 doesn't support that type. I fear I'm going to have to write a direct 
rule. Has anyone combined ipset with a port to achieve this? I tried a rich 
rule but I can't specify both an ipset and a port as the source value. 




Re: [CentOS] firewalld management on a headless server

2017-03-31 Thread James Hogarth
On 30 March 2017 at 19:47, Mark Milhollan  wrote:
> On Wed, 29 Mar 2017, Robert Moskowitz wrote:
>>On 03/29/2017 07:38 AM, Leon Fauster wrote:
>
>>>We have good results with http://www.shorewall.net/ an iptables
>>>"abstraction".
>>>Although it's not a GUI, the streamlined configuration helps to be effective.
>>
> >From what I can determine, it is still iptables.  Not firewalld.
>
> That's what Leon said, shorewall is an iptables abstraction, and
> iptables is a command that manipulates netfilter.
>
> FirewallD is similar in that it abstracts and simplifies using netfilter
> without using the iptables command.  Which has a GUI that can be used
> remotely but it is not web based as requested.  Fedora's CoPilot
> probably has a module for it, but I don't know that it can be used with
> a CentOS based server.  Webmin likely has a module for it by now.
>
>

Minor correction here ... firewalld is an iptables abstraction like
shorewall and it doesn't link into netfilter directly.

You can see that here:

https://github.com/t-woerner/firewalld/blob/master/src/firewall/core/ipXtables.py


Re: [CentOS] firewalld management on a headless server

2017-03-30 Thread Mark Milhollan
On Wed, 29 Mar 2017, Robert Moskowitz wrote:
>On 03/29/2017 07:38 AM, Leon Fauster wrote:

>>We have good results with http://www.shorewall.net/ an iptables
>>"abstraction".
>>Although it's not a GUI, the streamlined configuration helps to be effective.
>
>From what I can determine, it is still iptables.  Not firewalld.

That's what Leon said, shorewall is an iptables abstraction, and 
iptables is a command that manipulates netfilter.

FirewallD is similar in that it abstracts and simplifies using netfilter 
without using the iptables command.  Which has a GUI that can be used 
remotely but it is not web based as requested.  Fedora's CoPilot 
probably has a module for it, but I don't know that it can be used with 
a CentOS based server.  Webmin likely has a module for it by now.


/mark


Re: [CentOS] firewalld management on a headless server

2017-03-29 Thread Robert Moskowitz



On 03/29/2017 07:38 AM, Leon Fauster wrote:

> Am 27.03.2017 um 21:03 schrieb Robert Moskowitz :
>
>> Is there an Apache tool to manage firewalld on a headless server?
>>
>> I am looking forward to my next Centos project which is to replace my Juniper
>> SSG5 firewall...
>>
>> And along that line, what overlap, if any between firewalld and Suricata?
>
> We have good results with http://www.shorewall.net/ an iptables "abstraction".
> Although it's not a GUI, the streamlined configuration helps to be effective.


From what I can determine, it is still iptables.  Not firewalld.




Re: [CentOS] firewalld management on a headless server

2017-03-29 Thread Leon Fauster
Am 27.03.2017 um 21:03 schrieb Robert Moskowitz :
> 
> Is there an Apache tool to manage firewalld on a headless server?
> 
> I am looking forward to my next Centos project which is to replace my Juniper 
> SSG5 firewall...
> 
> And along that line, what overlap, if any between firewalld and Suricata?


We have good results with http://www.shorewall.net/ an iptables "abstraction". 
Although it's not a GUI, the streamlined configuration helps to be effective.

--
LF






Re: [CentOS] firewalld management on a headless server

2017-03-28 Thread m . roth
James B. Byrne wrote:
>
> On Mon, March 27, 2017 17:31, m.r...@5-cent.us wrote:
>> Mike wrote:
>>> Nice catch, Mr. Schumacher --->  The following modules are included as
standard with release 1.831 of Webmin. FirewallD firewalld.wbm.gz
Configure a Linux firewall using FirewallD, by editing allowed
services and ports.
>>>
>>> This is likely the right tool for the job.
>>>
>> Webmin used to be considered insecure, and people would scream and yell
if you suggested using it. Has that changed?
>
> Webmin is as insecure as the administrator cares to make it.
>
> Our host systems' Webmin instances listen on a reserved IP address
different from the host's DNS entry and that address is only reachable
through the host's firewall from specified IP addresses originating on
our internal LAN.  Further, Webmin is configured to automatically switch
to https and use a certificate generated by our corporate private CA.
Our gateway firewall blocks all access to the port
> assigned to Webmin.  One has to tunnel in to one of the pre-determined
host addresses to obtain remote access.
>
> A separate webmin logon is set in the webmin configuration which has no
existence on the host system.
>
> Webmin can also be configured to restrict the hours and day that access
is allowed to specific users but we have not bothered with that.
>
> The main known weakness is Webmin's dependency on passwords which for
all I know is due to my ignorance.  If Webmin does support RSA
> certificate authentication then I would love to be told where it is
configured.  However, failing that, very long passphrases mitigate the
password issue somewhat. Further, Webmin does support two-factor
authentication using Google or Authy.
>
> To my knowledge there are no CVEs reported for Webmin since 2015 and I
believe that all known problems are resolved in the present release.
Which is not to say that there are no exploits left to be uncovered but
then again we can hardly claim that about any software.
>
Thanks for the extended response, James, esp. that last paragraph. I
hadn't been following webmin for a number of years - we don't use it here.
I did find and use it in a job I was in ten years ago - it was the only
way I could get LDAP working, as, at the time, the tools that came with
the package were *not* ready for prime time

 mark

PS: Tried reply, James, but it bounced.



Re: [CentOS] firewalld management on a headless server

2017-03-28 Thread James B. Byrne

On Mon, March 27, 2017 17:31, m.r...@5-cent.us wrote:
> Mike wrote:
>> Nice catch, Mr. Schumacher --->  The following modules are included
>> as
>> standard with release 1.831 of Webmin. FirewallD firewalld.wbm.gz
>> Configure a Linux firewall using FirewallD, by editing allowed
>> services and ports.
>>
>> This is likely the right tool for the job.
>>
> Webmin used to be considered insecure, and people would scream and
> yell if you suggested using it. Has that changed?

Webmin is as insecure as the administrator cares to make it.

Our host systems' Webmin instances listen on a reserved IP address
different from the host's DNS entry and that address is only reachable
through the host's firewall from specified IP addresses originating on
our internal LAN.  Further, Webmin is configured to automatically
switch to https and use a certificate generated by our corporate
private CA. Our gateway firewall blocks all access to the port
assigned to Webmin.  One has to tunnel in to one of the pre-determined
host addresses to obtain remote access.

A separate webmin logon is set in the webmin configuration which has
no existence on the host system.

Webmin can also be configured to restrict the hours and day that
access is allowed to specific users but we have not bothered with
that.

The main known weakness is Webmin's dependency on passwords which for
all I know is due to my ignorance.  If Webmin does support RSA
certificate authentication then I would love to be told where it is
configured.  However, failing that, very long passphrases mitigate
the password issue somewhat. Further, Webmin does support two-factor
authentication using Google or Authy.

To my knowledge there are no CVEs reported for Webmin since 2015 and I
believe that all known problems are resolved in the present release. 
Which is not to say that there are no exploits left to be uncovered
but then again we can hardly claim that about any software.


-- 
***  e-Mail is NOT a SECURE channel  ***
Do NOT transmit sensitive data via e-Mail
 Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne  mailto:byrn...@harte-lyne.ca
Harte & Lyne Limited  http://www.harte-lyne.ca
9 Brockley Drive  vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada  L8E 3C3



Re: [CentOS] firewalld management on a headless server

2017-03-28 Thread Sorin Srbu
> -Original Message-
> From: CentOS [mailto:centos-boun...@centos.org] On Behalf Of John R Pierce
> Sent: den 28 mars 2017 09:28
> To: centos@centos.org
> Subject: Re: [CentOS] firewalld management on a headless server
> 
> On 3/27/2017 10:20 PM, Sorin Srbu wrote:
> > That reminded me about Smoothwall I used to use a few years back.
> > Wasn't pfsense related to Smoothwall, maybe even a fork?
> 
> smoothwall is linux based.
> 
> m0n0wall was a BSD firewall that pfSense forked from back in 2004.

Ah, my mistake. Thanks for the heads up.

-- 
//Sorin


Re: [CentOS] firewalld management on a headless server

2017-03-28 Thread John R Pierce

On 3/27/2017 10:20 PM, Sorin Srbu wrote:

That reminded me about Smoothwall I used to use a few years back.
Wasn't pfsense related to Smoothwall, maybe even a fork?


smoothwall is linux based.

m0n0wall was a BSD firewall that pfSense forked from back in 2004.





--
john r pierce, recycling bits in santa cruz



Re: [CentOS] firewalld management on a headless server

2017-03-28 Thread Sorin Srbu
> -Original Message-
> From: CentOS [mailto:centos-boun...@centos.org] On Behalf Of Valeri
> Galtsev
> Sent: den 27 mars 2017 23:43
> To: CentOS mailing list <centos@centos.org>
> Subject: Re: [CentOS] firewalld management on a headless server
> 
> 
> On Mon, March 27, 2017 3:58 pm, Mike wrote:
> > I don't think it's going to give you a web-based firewall configuration
> > tool.
> 
> Firewall/router system I use is pfSense:
> 
> https://pfsense.org/
> 
> It has nice web interface for configuration of everything, based on
> FreeBSD (very slim, lightweight, small footprint). Has a lot what you may
> want to have in router box, including VPN,... If OP is not married to what
> he currently uses I would recommend to try pfSense.

That reminded me about Smoothwall I used to use a few years back.
Wasn't pfsense related to Smoothwall, maybe even a fork?

-- 
//Sorin



Re: [CentOS] firewalld management on a headless server

2017-03-27 Thread Robert Moskowitz



On 03/27/2017 09:23 PM, Mike wrote:

>> Webmin used to be considered insecure, and people would scream and yell if
>> you suggested using it. Has that changed?
>>
>>    mark
>
> Ahh, I did not know of this.
> Well, I'm back to suggesting OP take a little time and get comfortable with
> firewall-cmd in the terminal. If we want our solid redhat clone then
> systemd, NetworkManager, and firewalld are soldered into the foreseeable
> future.



I am a bit familiar with firewall-cmd, but need to learn more.  But I am 
looking out to other functions and management.  I am looking at 
multi-function devices and such.  So I would like something beyond cli 
for the interface.


Wild thought: a php-firewall package with the policy in MariaDB  :)

Then I can tie it into RESTCONF and I2NSF.  Got to talk to some people 
here at IETF tomorrow...


But I will look again at webmin.  Use to use it a lot.




Re: [CentOS] firewalld management on a headless server

2017-03-27 Thread Mike
> Webmin used to be considered insecure, and people would scream and yell if
> you suggested using it. Has that changed?
>
>   mark


Ahh, I did not know of this.
Well, I'm back to suggesting OP take a little time and get comfortable with
firewall-cmd in the terminal. If we want our solid redhat clone then
systemd, NetworkManager, and firewalld are soldered into the foreseeable
future.


Re: [CentOS] firewalld management on a headless server

2017-03-27 Thread Ned Slider

On 27/03/17 22:43, Valeri Galtsev wrote:


> On Mon, March 27, 2017 3:58 pm, Mike wrote:
>
>> I don't think it's going to give you a web-based firewall configuration
>> tool.
>
> Firewall/router system I use is pfSense:
>
> https://pfsense.org/
>
> It has nice web interface for configuration of everything, based on
> FreeBSD (very slim, lightweight, small footprint). Has a lot what you may
> want to have in router box, including VPN,... If OP is not married to what
> he currently uses I would recommend to try pfSense.
>
> Good luck!
>
> Valeri



Or just buy a dedicated router/firewall box. The Ubiquiti EdgeRouter 
Lite 3 is a true gigabit router/firewall that runs iptables and has a 
very nice web interface, all for under $100. Also highly recommended.





Re: [CentOS] firewalld management on a headless server

2017-03-27 Thread Gordon Messmer

On 03/27/2017 02:31 PM, m.r...@5-cent.us wrote:

> Has that changed?



That answer is probably subjective.  I'll probably never trust it, but 
the number of recent known critical exploits isn't as high as it used to be:


https://www.cvedetails.com/vulnerability-list/vendor_id-358/Webmin.html



Re: [CentOS] firewalld management on a headless server

2017-03-27 Thread Valeri Galtsev

On Mon, March 27, 2017 3:58 pm, Mike wrote:
> I don't think it's going to give you a web-based firewall configuration
> tool.

Firewall/router system I use is pfSense:

https://pfsense.org/

It has nice web interface for configuration of everything, based on
FreeBSD (very slim, lightweight, small footprint). Has a lot what you may
want to have in router box, including VPN,... If OP is not married to what
he currently uses I would recommend to try pfSense.

Good luck!

Valeri

> It does allow you to control/configure networking hardware and devices
> via NetworkManager, but I don't believe it goes further than that for
> networking.
> Ironically, it does provide an ssh-like session terminal where you
> can get directly logged in and use firewall-cmd.  :-)
> http://cockpit-project.org/guide/latest/feature-terminal.html
>
> On Mon, Mar 27, 2017 at 4:46 PM, Robert Moskowitz 
> wrote:
>>
>>
>> On 03/27/2017 03:24 PM, Mike wrote:
>>>
>>> I recently converted my employer's firewall from pure iptabes to
>>> firewalld and looked for something similar, more along the lines of
>>> webmin, etc.
>>> I didn't find anything close to a match.
>>> In the end, it all came down to getting comfortable with
>>> "firewall-cmd" in the shell.
>>
>>
>> I have been digging and found that Fedora includes Cockpit, but I don't
>> know
>> all it supports.  Probably should ask over on Fedora list...
>>
>>
>>>
>>> Haven't used suricata, so nothing to add there.
>>>
>>>
>>>
>>> On Mon, Mar 27, 2017 at 3:03 PM, Robert Moskowitz 
>>> wrote:

 Is there an Apache tool to manage firewalld on a headless server?

 I am looking forward to my next Centos project which is to replace my
 Juniper SSG5 firewall...

 And along that line, what overlap, if any between firewalld and
 Suricata?

 thank you

>>>
>>>
>>
>



Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247



Re: [CentOS] firewalld management on a headless server

2017-03-27 Thread m . roth
Mike wrote:
> Nice catch, Mr. Schumacher --->  The following modules are included as
> standard with release 1.831 of Webmin. FirewallD firewalld.wbm.gz
> Configure a Linux firewall using FirewallD, by editing allowed
> services and ports.
>
> This is likely the right tool for the job.
>
Webmin used to be considered insecure, and people would scream and yell if
you suggested using it. Has that changed?

  mark



Re: [CentOS] firewalld management on a headless server

2017-03-27 Thread Mike
yum (CentOS/RedHat/Fedora)

By adding the Webmin repository and Jamie Cameron's key, it is
possible to install & maintain the latest Webmin/Usermin versions.

The following will install the latest Webmin version by adding the
webmin-repo and corresponding GPG key. Yum will resolve all the
necessary dependencies.

Just Cut the entire text below and hit enter/return:

(echo "[Webmin]
name=Webmin Distribution Neutral
baseurl=http://download.webmin.com/download/yum
enabled=1
gpgcheck=1
gpgkey=http://www.webmin.com/jcameron-key.asc" >/etc/yum.repos.d/webmin.repo;
yum -y install webmin)


Re: [CentOS] firewalld management on a headless server

2017-03-27 Thread Mike
Nice catch, Mr. Schumacher --->  The following modules are included as
standard with release 1.831 of Webmin. FirewallD firewalld.wbm.gz
Configure a Linux firewall using FirewallD, by editing allowed
services and ports.

This is likely the right tool for the job.

On Mon, Mar 27, 2017 at 5:00 PM, Michael Schumacher
 wrote:
> Hi,
>
>> I recently converted my employer's firewall from pure iptabes to
>> firewalld and looked for something similar, more along the lines of
>> webmin, etc.
>
> funny,
> my webmin installation on a banana-pi has webmin 1.831, which has
> support for firewalld.
>
> I am not sure, but I believe I got it directly from www.webmin.com.
>
> best regards
> ---
> Michael Schumacher
>


Re: [CentOS] firewalld management on a headless server

2017-03-27 Thread Michael Schumacher
Hi,

> I recently converted my employer's firewall from pure iptabes to
> firewalld and looked for something similar, more along the lines of
> webmin, etc.

funny,
my webmin installation on a banana-pi has webmin 1.831, which has
support for firewalld.

I am not sure, but I believe I got it directly from www.webmin.com.

best regards
---
Michael Schumacher



Re: [CentOS] firewalld management on a headless server

2017-03-27 Thread Mike
I don't think it's going to give you a web-based firewall configuration tool.
It does allow you to control/configure networking hardware and devices
via NetworkManager, but I don't believe it goes further than that for
networking.
Ironically, it does provide an ssh-like session terminal where you
can get directly logged in and use firewall-cmd.  :-)
http://cockpit-project.org/guide/latest/feature-terminal.html

On Mon, Mar 27, 2017 at 4:46 PM, Robert Moskowitz  wrote:
>
>
> On 03/27/2017 03:24 PM, Mike wrote:
>>
>> I recently converted my employer's firewall from pure iptables to
>> firewalld and looked for something similar, more along the lines of
>> webmin, etc.
>> I didn't find anything close to a match.
>> In the end, it all came down to getting comfortable with
>> "firewall-cmd" in the shell.
>
>
> I have been digging and found that Fedora includes Cockpit, but I don't know
> all it supports.  Probably should ask over on Fedora list...
>
>
>>
>> Haven't used suricata, so nothing to add there.
>>
>>
>>
>> On Mon, Mar 27, 2017 at 3:03 PM, Robert Moskowitz 
>> wrote:
>>>
>>> Is there an Apache tool to manage firewalld on a headless server?
>>>
>>> I am looking forward to my next Centos project which is to replace my
>>> Juniper SSG5 firewall...
>>>
>>> And along that line, what overlap, if any between firewalld and Suricata?
>>>
>>> thank you
>>>


Re: [CentOS] firewalld management on a headless server

2017-03-27 Thread Robert Moskowitz



On 03/27/2017 03:24 PM, Mike wrote:

I recently converted my employer's firewall from pure iptables to
firewalld and looked for something similar, more along the lines of
webmin, etc.
I didn't find anything close to a match.
In the end, it all came down to getting comfortable with
"firewall-cmd" in the shell.


I have been digging and found that Fedora includes Cockpit, but I don't 
know all it supports.  Probably should ask over on Fedora list...




Haven't used suricata, so nothing to add there.



On Mon, Mar 27, 2017 at 3:03 PM, Robert Moskowitz  wrote:

Is there an Apache tool to manage firewalld on a headless server?

I am looking forward to my next Centos project which is to replace my
Juniper SSG5 firewall...

And along that line, what overlap, if any between firewalld and Suricata?

thank you



Re: [CentOS] firewalld management on a headless server

2017-03-27 Thread Mike
I recently converted my employer's firewall from pure iptables to
firewalld and looked for something similar, more along the lines of
webmin, etc.
I didn't find anything close to a match.
In the end, it all came down to getting comfortable with
"firewall-cmd" in the shell.

Haven't used suricata, so nothing to add there.



On Mon, Mar 27, 2017 at 3:03 PM, Robert Moskowitz  wrote:
> Is there an Apache tool to manage firewalld on a headless server?
>
> I am looking forward to my next Centos project which is to replace my
> Juniper SSG5 firewall...
>
> And along that line, what overlap, if any between firewalld and Suricata?
>
> thank you
>


[CentOS] firewalld management on a headless server

2017-03-27 Thread Robert Moskowitz

Is there an Apache tool to manage firewalld on a headless server?

I am looking forward to my next Centos project which is to replace my 
Juniper SSG5 firewall...


And along that line, what overlap, if any between firewalld and Suricata?

thank you



Re: [CentOS] firewalld

2017-01-29 Thread TE Dukes


> -Original Message-
> From: CentOS [mailto:centos-boun...@centos.org] On Behalf Of Pete Biggs
> Sent: Sunday, January 29, 2017 8:27 PM
> To: centos@centos.org
> Subject: Re: [CentOS] firewalld
> 
> 
> > Last login attempt from roundcube
> >
> > Jan 29 16:38:08 ts130 dovecot: imap-login: Login: user=,
> > method=PLAIN, rip=::1, lip=::1, mpid=2076, secured,
> > session=
> > Jan 29 16:38:08 ts130 dovecot: imap(tdukes): Error: user tdukes:
> > Initialization failed: Namespace '': Mail storage autodetection failed
> > with home=/home/tdukes Jan 29 16:38:08 ts130 dovecot: imap(tdukes):
> > Error: Invalid user settings.
> > Refer to server log for more information.
> 
> It's a dovecot configuration error. The login has clearly worked, so stop
> fussing with the firewall.
> 
> You need to look in /etc/dovecot/conf.d/10-mail.conf and set 'mail_location'
> to where the user's email is stored. If you are using Maildir then it will
> probably be
> 
>   mail_location =  maildir:~/Maildir
> 
> if mbox, then probably
> 
>   mail_location = mbox:~/mail:INBOX=/var/mail/%u
> 
> but adjust the paths to where things are actually stored.
> 
> You will, obviously, have to set your MTA to deliver the mail to the correct
> location and in the correct format as well.
> 

Thank you!!

It's working now! Never had to do that before, everything always worked out of 
the box.

# Location for users' mailboxes. The default is empty, which means that Dovecot
# tries to find the mailboxes automatically. This won't work if the user
# doesn't yet have any mail, so you should explicitly tell Dovecot the full
# location.
#
# If you're using mbox, giving a path to the INBOX file (eg. /var/mail/%u)
# isn't enough. You'll also need to tell Dovecot where the other mailboxes are
# kept. This is called the "root mail directory", and it must be the first
# path given in the mail_location setting.
#
# There are a few special variables you can use, eg.:
#
#   %u - username
#   %n - user part in user@domain, same as %u if there's no domain
#   %d - domain part in user@domain, empty if there's no domain
#   %h - home directory
#
# See doc/wiki/Variables.txt for full list. Some examples:
#
#   mail_location = maildir:~/Maildir
#   mail_location = mbox:~/mail:INBOX=/var/mail/%u
#   mail_location = mbox:/var/mail/%d/%1n/%n:INDEX=/var/indexes/%d/%1n/%n
#
# 
#
mail_location = maildir:~/Maildir  <<<<<-- this!!

Really appreciate the help!!



Re: [CentOS] firewalld

2017-01-29 Thread Pete Biggs

> Last login attempt from roundcube
> 
> Jan 29 16:38:08 ts130 dovecot: imap-login: Login: user=,
> method=PLAIN, rip=::1, lip=::1, mpid=2076, secured,
> session=
> Jan 29 16:38:08 ts130 dovecot: imap(tdukes): Error: user tdukes:
> Initialization failed: Namespace '': Mail storage autodetection failed with
> home=/home/tdukes
> Jan 29 16:38:08 ts130 dovecot: imap(tdukes): Error: Invalid user settings.
> Refer to server log for more information.

It's a dovecot configuration error. The login has clearly worked, so
stop fussing with the firewall.

You need to look in /etc/dovecot/conf.d/10-mail.conf and set
'mail_location' to where the user's email is stored. If you are using
Maildir then it will probably be 

  mail_location =  maildir:~/Maildir

if mbox, then probably

  mail_location = mbox:~/mail:INBOX=/var/mail/%u

but adjust the paths to where things are actually stored.

You will, obviously, have to set your MTA to deliver the mail to the
correct location and in the correct format as well.

P.



Re: [CentOS] firewalld

2017-01-29 Thread TE Dukes


> -Original Message-
> From: CentOS [mailto:centos-boun...@centos.org] On Behalf Of Fred Smith
> Sent: Sunday, January 29, 2017 7:07 PM
> To: centos@centos.org
> Subject: Re: [CentOS] firewalld
> 
> On Sun, Jan 29, 2017 at 04:54:02PM -0500, TE Dukes wrote:
> > Still un-resolved.  Could be wrong but I think it's firewalld
> > preventing me from accessing mail with roundcube.
> 
> as someone else already suggested, did you turn selinux off temporarily
> "setenforce 0" to see if it still fails?
> 
> I've had several problems lately where that simple step revealed selinux
as
> the cause, not firewall.
> 
> Fred
> 

Yes, selinux has been disabled. 

Sorry I didn't mention that.



Re: [CentOS] firewalld

2017-01-29 Thread TE Dukes


> -Original Message-
> From: CentOS [mailto:centos-boun...@centos.org] On Behalf Of Gordon
> Messmer
> Sent: Sunday, January 29, 2017 6:56 PM
> To: CentOS mailing list
> Subject: Re: [CentOS] firewalld
> 
> On 01/29/2017 01:54 PM, TE Dukes wrote:
> > I telnet to localhost 143 or 993  and I can connect, telnetting to 25
> > or 465, connection refused.
> 
> 
> As I mentioned before: firewalld allows all traffic to localhost.  If
you're
> getting connection refused, then those services aren't running.
> 
> As for dealing with login denied errors, you should be looking at the IMAP
> server's logs, not the HTTP server's.

Here's the excerpts from maillog:

Jan 29 13:52:28 ts130 MailScanner[3941]: MailScanner Email Processor version
5.0.3 starting...
Jan 29 13:52:28 ts130 logger[3944]: MailScanner started
Jan 29 13:52:28 ts130 MailScanner[3941]: Reading configuration file
/etc/MailScanner/MailScanner.conf
Jan 29 13:52:28 ts130 MailScanner[3941]: Reading configuration file
/etc/MailScanner/conf.d/README
Jan 29 13:52:28 ts130 MailScanner[3941]: Read 1501 hostnames from the
phishing whitelist
Jan 29 13:52:28 ts130 MailScanner[3941]: Read 12749 hostnames from the
phishing blacklists
Jan 29 13:52:28 ts130 MailScanner[3941]: Using SpamAssassin results cache
Jan 29 13:52:28 ts130 MailScanner[3941]: Connected to SpamAssassin cache
database
Jan 29 13:52:28 ts130 MailScanner[3941]: Enabling SpamAssassin
auto-whitelist functionality...
Jan 29 13:52:33 ts130 MailScanner[4235]: MailScanner Email Processor version
5.0.3 starting...
Jan 29 13:52:33 ts130 MailScanner[4235]: Reading configuration file
/etc/MailScanner/MailScanner.conf
Jan 29 13:52:33 ts130 MailScanner[4235]: Reading configuration file
/etc/MailScanner/conf.d/README
Jan 29 13:52:33 ts130 MailScanner[4235]: Read 1501 hostnames from the
phishing whitelist
Jan 29 13:52:33 ts130 MailScanner[4235]: Read 12749 hostnames from the
phishing blacklists
Jan 29 13:52:33 ts130 MailScanner[4235]: Using SpamAssassin results cache
Jan 29 13:52:33 ts130 MailScanner[4235]: Connected to SpamAssassin cache
database
Jan 29 13:52:33 ts130 MailScanner[4235]: Enabling SpamAssassin
auto-whitelist functionality...
Jan 29 13:52:38 ts130 MailScanner[4363]: MailScanner Email Processor version
5.0.3 starting...
Jan 29 13:52:38 ts130 MailScanner[4363]: Reading configuration file
/etc/MailScanner/MailScanner.conf
Jan 29 13:52:38 ts130 MailScanner[4363]: Reading configuration file
/etc/MailScanner/conf.d/README
Jan 29 13:52:38 ts130 MailScanner[4363]: Read 1501 hostnames from the
phishing whitelist
Jan 29 13:52:38 ts130 MailScanner[4363]: Read 12749 hostnames from the
phishing blacklists
Jan 29 13:52:38 ts130 MailScanner[4363]: Using SpamAssassin results cache
Jan 29 13:52:38 ts130 MailScanner[4363]: Connected to SpamAssassin cache
database
Jan 29 13:52:38 ts130 MailScanner[4363]: Enabling SpamAssassin
auto-whitelist functionality...
Jan 29 13:52:43 ts130 MailScanner[4459]: MailScanner Email Processor version
5.0.3 starting...
Jan 29 13:52:43 ts130 MailScanner[4459]: Reading configuration file
/etc/MailScanner/MailScanner.conf
Jan 29 13:52:43 ts130 MailScanner[4459]: Reading configuration file
/etc/MailScanner/conf.d/README
Jan 29 13:52:43 ts130 MailScanner[4459]: Read 1501 hostnames from the
phishing whitelist
Jan 29 13:52:43 ts130 MailScanner[4459]: Read 12749 hostnames from the
phishing blacklists
Jan 29 13:52:43 ts130 MailScanner[4459]: Using SpamAssassin results cache
Jan 29 13:52:43 ts130 MailScanner[4459]: Connected to SpamAssassin cache
database
Jan 29 13:52:43 ts130 MailScanner[4459]: Enabling SpamAssassin
auto-whitelist functionality...
Jan 29 13:52:48 ts130 MailScanner[4528]: MailScanner Email Processor version
5.0.3 starting...
Jan 29 13:52:48 ts130 MailScanner[4528]: Reading configuration file
/etc/MailScanner/MailScanner.conf
Jan 29 13:52:48 ts130 MailScanner[4528]: Reading configuration file
/etc/MailScanner/conf.d/README
Jan 29 13:52:48 ts130 MailScanner[4528]: Read 1501 hostnames from the
phishing whitelist
Jan 29 13:52:48 ts130 MailScanner[4528]: Read 12749 hostnames from the
phishing blacklists
Jan 29 13:52:48 ts130 MailScanner[4528]: Using SpamAssassin results cache
Jan 29 13:52:48 ts130 MailScanner[4528]: Connected to SpamAssassin cache
database
Jan 29 13:52:48 ts130 MailScanner[4528]: Enabling SpamAssassin
auto-whitelist functionality...
Jan 29 13:53:03 ts130 MailScanner[4235]: Auto: Found virus scanners:
clamavmodule
Jan 29 13:53:03 ts130 MailScanner[3941]: Auto: Found virus scanners:
clamavmodule
Jan 29 13:53:05 ts130 MailScanner[4363]: Auto: Found virus scanners:
clamavmodule
Jan 29 13:53:05 ts130 MailScanner[4459]: Auto: Found virus scanners:
clamavmodule
Jan 29 13:53:11 ts130 MailScanner[4528]: Auto: Found virus scanners:
clamavmodule
Jan 29 13:53:17 ts130 MailScanner[4459]: Connected to Processing Attempts
Database
Jan 29 13:53:17 ts130 MailScanner[4459]: Found 0 messages in the Processing
Attempt

Re: [CentOS] firewalld

2017-01-29 Thread Fred Smith
On Sun, Jan 29, 2017 at 04:54:02PM -0500, TE Dukes wrote:
> Still un-resolved.  Could be wrong but I think it's firewalld preventing me
> from accessing mail with roundcube.

as someone else already suggested, did you turn selinux off temporarily
"setenforce 0" to see if it still fails?

I've had several problems lately where that simple step revealed
selinux as the cause, not firewall.

Fred

-- 
 Fred Smith -- fre...@fcshome.stoneham.ma.us -
"Not everyone who says to me, 'Lord, Lord,' will enter the kingdom of
 heaven, but only he who does the will of my Father who is in heaven."
-- Matthew 7:21 (niv) -


Re: [CentOS] firewalld

2017-01-29 Thread Gordon Messmer

On 01/29/2017 01:54 PM, TE Dukes wrote:

I telnet to localhost 143 or 993  and I can connect, telnetting to 25 or 465,
connection refused.



As I mentioned before: firewalld allows all traffic to localhost.  If 
you're getting connection refused, then those services aren't running.


As for dealing with login denied errors, you should be looking at the 
IMAP server's logs, not the HTTP server's.




Re: [CentOS] firewalld

2017-01-29 Thread TE Dukes
Still un-resolved.  Could be wrong but I think it's firewalld preventing me
from accessing mail with roundcube.

I'm getting Connection to storage server failed.
From roundcubemail log: 

[29-Jan-2017 16:45:05 -0500]: <4r5ccifn> IMAP Error: Login failed for tdukes
from 192.168.1.102. AUTHENTICATE PLAIN: * BYE Internal error occurred. Refer
to server log for more information. in
/usr/share/roundcubemail/program/lib/Roundcube/rcube_imap.php on line 197
(POST /?_task=login?_task=login&_action=login)

There is absolutely nothing in the httpd logs.

I telnet to localhost 143 or 993  and I can connect, telnetting to 25 or 465,
connection refused.

Clearly, below, those services and ports are open as well as mysql.

Output from:  firewall-cmd --list-all-zones

work
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: dhcpv6-client ssh urbackup-server
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  sourceports: 
  icmp-blocks: 
  rich rules: 


drop
  target: DROP
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  sourceports: 
  icmp-blocks: 
  rich rules: 


internal (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp1s0 lo
  sources: 
  services: dhcp dhcpv6 dhcpv6-client dns ftp http https imap imaps mdns
mysql openvpn pop3 pop3s rsyncd samba samba-client smtp smtps ssh
transmission-client urbackup-server
  ports: 465/tcp 2/tcp 25/tcp 1/tcp
  protocols: 
  masquerade: no
  forward-ports: 
  sourceports: 
  icmp-blocks: 
  rich rules: 


external
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: ssh urbackup-server
  ports: 
  protocols: 
  masquerade: yes
  forward-ports: 
  sourceports: 
  icmp-blocks: 
  rich rules: 


trusted (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: virbr0
  sources: 
  services: dhcp dhcpv6 dhcpv6-client dns ftp http https imap imaps mysql
ntp openvpn pop3 pop3s rsyncd samba samba-client smtp smtps ssh
transmission-client urbackup-server
  ports: 465/tcp 2/tcp 25/tcp 1/tcp
  protocols: 
  masquerade: no
  forward-ports: 
  sourceports: 
  icmp-blocks: 
  rich rules: 


home
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: dhcpv6-client mdns samba-client ssh
  ports: 1/tcp
  protocols: 
  masquerade: no
  forward-ports: 
  sourceports: 
  icmp-blocks: 
  rich rules: 


dmz
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  sourceports: 
  icmp-blocks: 
  rich rules: 


public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eno1
  sources: 
  services: dhcp dhcpv6-client dns ftp http https imap imaps mysql pop3
pop3s rsyncd samba samba-client smtp smtps ssh transmission-client
urbackup-server
  ports: 465/tcp 2/tcp 25/tcp 1/tcp
  protocols: 
  masquerade: no
  forward-ports: 
  sourceports: 
  icmp-blocks: 
  rich rules: 


block
  target: %%REJECT%%
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  sourceports: 
  icmp-blocks: 
  rich rules: 


eno1 is on the public zone, lo is on the internal zone

I can read mail with mutt and usermin.

What am I missing?

TIA



Re: [CentOS] firewalld

2017-01-28 Thread John R Pierce

On 1/27/2017 6:01 PM, TE Dukes wrote:

I can't figure out all these zones. I opened imap, imaps, pop3, pop3s, smtp,
smtps in zones internal, trusted and public.

I still get connection refused.

I telnet localhost 143, I get connection refused.


the firewall is more likely to give you connection timed out as it 
generally drops rather than rejects the connections.


connection refused often means nothing is actually listening on that 
port,   143/tcp being IMAP.   you sure the imap service is running?



--
john r pierce, recycling bits in santa cruz



Re: [CentOS] firewalld

2017-01-28 Thread TE Dukes


-Original Message-
From: CentOS [mailto:centos-boun...@centos.org] On Behalf Of James Hogarth
Sent: Saturday, January 28, 2017 10:43 AM
To: CentOS mailing list
Subject: Re: [CentOS] firewalld

On 28 January 2017 at 13:44, Mike McCarthy, W1NR <sy...@w1nr.net> wrote:
> firewalld isn't the only thing that will prevent services from 
> accessing the internet. I found that I needed to do a relabel before 
> postfix could access DNS and I have seen other issues as well. Have 
> you tried disabling the firewall to see if you can get connections to 
> work? Then try to disable SElinux and see if that works.
>
> # netstat --inet -l -n
>
> Is the service listening on port 143?
>


Just a side note here, since EL7 removed net-tools from the default install
(after all it has been deprecated for about a decade now) you probably
should get used to providing advice using the iproute2 suite instead.

In this case `ss -tlnp` to list all tcp ports in a listening state, showing
the pid using the port and not resolving the ports to friendly names.

For an example of why this is important think about using pacemaker or
keepalived to manage IPs migrating between systems. They won't be visible
using ifconfig but only via ip as they aren't exposed in the kernel
structures that ifconfig uses -
https://www.hogarthuk.com/?q=node/6

Another example is when you have multiple interfaces and you have source
policy routing (or similar advanced routing behaviour) that makes use of
rules and multiple routing tables. The older route command is only capable
of displaying the default main table, not the rest of the tables in use, but
`ip route show table all` will give you all the routing tables in use on
your system (even in a default install it's a lot more than the route
command shows) and ip rule gives you the rules in use, if any.

On a similar note bridge-utils is also deprecated, though brctl is ingrained
into many minds!

https://fedoramagazine.org/build-network-bridge-fedora/

Thanks for the info. I'll take a look at it.

Again, thanks!



Re: [CentOS] firewalld

2017-01-28 Thread James Hogarth
On 28 January 2017 at 13:44, Mike McCarthy, W1NR  wrote:
> firewalld isn't the only thing that will prevent services from accessing
> the internet. I found that I needed to do a relabel before postfix could
> access DNS and I have seen other issues as well. Have you tried
> disabling the firewall to see if you can get connections to work? Then
> try to disable SElinux and see if that works.
>
> # netstat --inet -l -n
>
> Is the service listening on port 143?
>


Just a side note here, since EL7 removed net-tools from the default
install (after all it has been deprecated for about a decade now) you
probably should get used to providing advice using the iproute2 suite
instead.

In this case `ss -tlnp` to list all tcp ports in a listening state,
showing the pid using the port and not resolving the ports to friendly
names.

For an example of why this is important think about using pacemaker or
keepalived to manage IPs migrating between systems. They won't be
visible using ifconfig but only via ip as they aren't exposed in the
kernel structures that ifconfig uses -
https://www.hogarthuk.com/?q=node/6

Another example is when you have multiple interfaces and you have
source policy routing (or similar advanced routing behaviour) that
makes use of rules and multiple routing tables. The older route
command is only capable of displaying the default main table, not the
rest of the tables in use, but `ip route show table all` will give you
all the routing tables in use on your system (even in a default
install it's a lot more than the route command shows) and ip rule
gives you the rules in use, if any.

On a similar note bridge-utils is also deprecated, though brctl is
ingrained into many minds!

https://fedoramagazine.org/build-network-bridge-fedora/


Re: [CentOS] firewalld

2017-01-28 Thread James Hogarth
On 28 January 2017 at 12:01, TE Dukes <tdu...@palmettoshopper.com> wrote:
>
>
>> -Original Message-
>> From: CentOS [mailto:centos-boun...@centos.org] On Behalf Of James
>> Hogarth
>> Sent: Saturday, January 28, 2017 4:18 AM
>> To: CentOS mailing list
>> Subject: Re: [CentOS] firewalld
>>
>> On 28 Jan 2017 3:02 am, "TE Dukes" <tdu...@palmettoshopper.com> wrote:
>>
>>
>>
>> > -Original Message-
>> > From: CentOS [mailto:centos-boun...@centos.org] On Behalf Of Gordon
>> > Messmer
>> > Sent: Friday, January 27, 2017 9:23 PM
>> > To: CentOS mailing list
>> > Subject: Re: [CentOS] firewalld
>> >
>> > On 01/27/2017 06:01 PM, TE Dukes wrote:
>> > > I telnet localhost 143, I get connection refused.
>> > >
>> > > What zone is used for the local network and what zone is used for
>> > > outside access?
>> >
>> > All traffic from localhost is allowed.  No zone is involved.
>> >
>> > The zone for "outside" access depends on which interface receives the
>> > packet, and what zone you've put that interface in.  I believe that
>> defaults to
>> > "public."
>>
>>  I'm telnetting in from ssh on a machine on the local network, still
> getting
>> connection refused.
>>
>> The zone apparently means something because an interface can only be on
>> one.
>> Moving it to a different zone results in the same error (same
> services/ports
>> opened in each zone).
>>
>> I may as well disable firewalld and let my router handle the firewall.
>>
>> I don't plan to use my server as a workstation.
>>
>>
>> Have a read through this and then decide on if you want to use it or not.
>>
>> You can also switch to iptables-service and mask firewalld if you want the
>> same behaviour as in C6.
>>
>> 7.3 also has nftables as a tech preview, but I've not finished my article
> on that
>> yet.
>
> I saw something about that somewhere.
>
> Did you forget a link?
>
> Thanks
>

Oops you're right I did ...

https://www.hogarthuk.com/?q=node/9


Re: [CentOS] firewalld

2017-01-28 Thread TE Dukes


-Original Message-
From: CentOS [mailto:centos-boun...@centos.org] On Behalf Of Mike McCarthy,
W1NR
Sent: Saturday, January 28, 2017 8:45 AM
To: CentOS mailing list
Subject: Re: [CentOS] firewalld

firewalld isn't the only thing that will prevent services from accessing the
internet. I found that I needed to do a relabel before postfix could access
DNS and I have seen other issues as well. Have you tried disabling the
firewall to see if you can get connections to work? Then try to disable
SElinux and see if that works.

# netstat --inet -l -n

Is the service listening on port 143?

# systemctl stop firewalld

Does it now work?

# setenforce 0

Does it now work?

Once you establish what's biting you then you can fix it. To force a relabel
do

# touch /.autorelabel

# reboot

Mike

I have dovecot answering now. I can read mail using Mutt.

I think I have problems with mysql/mariadb using roundcube. It may be I need
to open ports for mariadb as well.

Thanks



Re: [CentOS] firewalld

2017-01-28 Thread Mike McCarthy, W1NR
firewalld isn't the only thing that will prevent services from accessing
the internet. I found that I needed to do a relabel before postfix could
access DNS and I have seen other issues as well. Have you tried
disabling the firewall to see if you can get connections to work? Then
try to disable SElinux and see if that works.

# netstat --inet -l -n

Is the service listening on port 143?

# systemctl stop firewalld

Does it now work?

# setenforce 0

Does it now work?

Once you establish what's biting you then you can fix it. To force a
relabel do

# touch /.autorelabel

# reboot

Mike

On 01/28/2017 07:11 AM, TE Dukes wrote:
>
>> -Original Message-
>> From: CentOS [mailto:centos-boun...@centos.org] On Behalf Of Pete Biggs
>> Sent: Saturday, January 28, 2017 6:02 AM
>> To: centos@centos.org
>> Subject: Re: [CentOS] firewalld
>>
>>
>>> The zone apparently means something because an interface can only be on
>> one.
>>> Moving it to a different zone results in the same error (same
>>> services/ports opened in each zone).
>> The "zones" are just labels and are used to create kernel iptables.
>> Each zone has a default set of open and closed ports ranging from "trusted"
>> which accepts all packets to "public" which has everything closed. You can
>> modify the allowed ports and services on each zone at will.
>>
>> Some of the zones have "special" features - "block" rejects all packets,
>> "drop" drops all packets, "external" has masquerading turned on and so on.
>>
>> If you have a single network, then that interface will, by default, be put 
>> in the
>> "public" zone, so most ports will be closed. That's fine, just leave it in 
>> that
>> zone, it's just a label/container.
>>
>> You can list the services open in the default zone by doing
>>
>>   firewall-cmd --list-services
>>
>> or for ports not services
>>
>>   firewall-cmd --list-ports
>>
>> or for a different zone
>>
>>   firewall-cmd --zone=public --list-services
>>
>> You can also find out which zones your interface(s) is in with
>>
>>   firewall-cmd --get-active-zones
>>
>> One of the gotchas with firewalld is that the changes are made in either the
>> current running iptables *or* the stored rules, not both. So if you make a
>> change to the running rule set, those changes won't be kept the next time
>> you restart firewalld. You can either use the '
>> --permanent' flag to set the stored rules (but it won't affect the active 
>> rules)
>> or the '--runtime-to-permanent' flag to copy the current active rules to the
>> stored ones.
>>
>> The bottom line is that firewalld is just another application that 
>> manipulates
>> the kernel packet routing tables. Use something else if you prefer it - some
>> of the system tools assume firewalld, but if you are aware of what's
>> happening it shouldn't be an issue.
>>
>>> I may as well disable firewalld and let my router handle the firewall.
>>>
>> If you are happy that there is nothing behind your firewall that could cause 
>> a
>> problem then that's an acceptable route.
>>
>> P.
> Thanks,
>
> That's a better explanation of things than I have read so far.
>
> Yes, initially I wasn't adding the --permanent to the rules but I wasn't 
> doing really any reboots.
>
> I did a few --reloads so that may have gotten me.
>
> I have zoneminder, dns, and  urbackup  working. I can ssh and scp in from 
> work but mail is being a pain.
>
> Thanks
>


Re: [CentOS] firewalld

2017-01-28 Thread TE Dukes


> -Original Message-
> From: CentOS [mailto:centos-boun...@centos.org] On Behalf Of Pete Biggs
> Sent: Saturday, January 28, 2017 6:02 AM
> To: centos@centos.org
> Subject: Re: [CentOS] firewalld
> 
> 
> >
> > The zone apparently means something because an interface can only be on
> one.
> > Moving it to a different zone results in the same error (same
> > services/ports opened in each zone).
> 
> The "zones" are just labels and are used to create kernel iptables.
> Each zone has a default set of open and closed ports ranging from "trusted"
> which accepts all packets to "public" which has everything closed. You can
> modify the allowed ports and services on each zone at will.
> 
> Some of the zones have "special" features - "block" rejects all packets,
> "drop" drops all packets, "external" has masquerading turned on and so on.
> 
> If you have a single network, then that interface will, by default, be put in 
> the
> "public" zone, so most ports will be closed. That's fine, just leave it in 
> that
> zone, it's just a label/container.
> 
> You can list the services open in the default zone by doing
> 
>   firewall-cmd --list-services
> 
> or for ports not services
> 
>   firewall-cmd --list-ports
> 
> or for a different zone
> 
>   firewall-cmd --zone=public --list-services
> 
> You can also find out which zones your interface(s) is in with
> 
>   firewall-cmd --get-active-zones
> 
> One of the gotchas with firewalld is that the changes are made in either the
> current running iptables *or* the stored rules, not both. So if you make a
> change to the running rule set, those changes won't be kept the next time
> you restart firewalld. You can either use the '
> --permanent' flag to set the stored rules (but it won't affect the active rules)
> or the '--runtime-to-permanent' flag to copy the current active rules to the
> stored ones.
> 
> The bottom line is that firewalld is just another application that manipulates
> the kernel packet routing tables. Use something else if you prefer it - some
> of the system tools assume firewalld, but if you are aware of what's
> happening it shouldn't be an issue.
> 
> >
> > I may as well disable firewalld and let my router handle the firewall.
> >
> If you are happy that there is nothing behind your firewall that could cause a
> problem then that's an acceptable route.
> 
> P.
Thanks,

That's a better explanation of things than I have read so far.

Yes, initially I wasn't adding --permanent to the rules, but I wasn't really
doing any reboots.

I did a few --reloads so that may have gotten me.

I have zoneminder, dns, and urbackup working. I can ssh and scp in from work
but mail is being a pain.

Thanks

___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] firewalld

2017-01-28 Thread TE Dukes


> -Original Message-
> From: CentOS [mailto:centos-boun...@centos.org] On Behalf Of James
> Hogarth
> Sent: Saturday, January 28, 2017 4:18 AM
> To: CentOS mailing list
> Subject: Re: [CentOS] firewalld
> 
> On 28 Jan 2017 3:02 am, "TE Dukes" <tdu...@palmettoshopper.com> wrote:
> 
> 
> 
> > -Original Message-
> > From: CentOS [mailto:centos-boun...@centos.org] On Behalf Of Gordon
> > Messmer
> > Sent: Friday, January 27, 2017 9:23 PM
> > To: CentOS mailing list
> > Subject: Re: [CentOS] firewalld
> >
> > On 01/27/2017 06:01 PM, TE Dukes wrote:
> > > I telnet localhost 143, I get connection refused.
> > >
> > > What zone is used for the local network and what zone is used for
> > > outside access?
> >
> > All traffic from localhost is allowed.  No zone is involved.
> >
> > The zone for "outside" access depends on which interface receives the
> > packet, and what zone you've put that interface in.  I believe that
> defaults to
> > "public."
> 
> I'm telnetting in from ssh on a machine on the local network, still
> getting connection refused.
> 
> The zone apparently means something because an interface can only be on
> one. Moving it to a different zone results in the same error (same
> services/ports opened in each zone).
> 
> I may as well disable firewalld and let my router handle the firewall.
> 
> I don't plan to use my server as a workstation.
> 
> 
> Have a read through this and then decide on if you want to use it or not.
> 
> You can also switch to iptables-service and mask firewalld if you want the
> same behaviour as in C6.
> 
> 7.3 also has nftables as a tech preview, but I've not finished my article
> on that yet.

I saw something about that somewhere.

Did you forget a link?

Thanks

___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] firewalld

2017-01-28 Thread Pete Biggs

> 
> The zone apparently means something because an interface can only be on one.
> Moving it to a different zone results in the same error (same services/ports
> opened in each zone).

The "zones" are just labels and are used to create kernel iptables.
Each zone has a default set of open and closed ports ranging from
"trusted" which accepts all packets to "public" which has everything
closed. You can modify the allowed ports and services on each zone at
will.

Some of the zones have "special" features - "block" rejects all
packets, "drop" drops all packets, "external" has masquerading turned
on and so on.

If you have a single network, then that interface will, by default, be
put in the "public" zone, so most ports will be closed. That's fine,
just leave it in that zone, it's just a label/container.

You can list the services open in the default zone by doing 

  firewall-cmd --list-services

or for ports not services

  firewall-cmd --list-ports

or for a different zone

  firewall-cmd --zone=public --list-services

You can also find out which zones your interface(s) is in with

  firewall-cmd --get-active-zones

One of the gotchas with firewalld is that the changes are made in
either the current running iptables *or* the stored rules, not both. So
if you make a change to the running rule set, those changes won't be
kept the next time you restart firewalld. You can either use the '
--permanent' flag to set the stored rules (but it won't affect the
active rules) or the '--runtime-to-permanent' flag to copy the current
active rules to the stored ones.

The bottom line is that firewalld is just another application that
manipulates the kernel packet routing tables. Use something else if you
prefer it - some of the system tools assume firewalld, but if you are
aware of what's happening it shouldn't be an issue.

> 
> I may as well disable firewalld and let my router handle the firewall.
> 
If you are happy that there is nothing behind your firewall that could
cause a problem then that's an acceptable route.

P.
___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos
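The runtime-versus-permanent gotcha Pete describes above can be checked mechanically before a reload bites. What follows is an added example, not code from this thread or from the firewalld project: it parses the text that `firewall-cmd --zone=ZONE --list-all` prints (the same layout pasted in several posts on this page), once for the runtime rule set and once with --permanent, and reports every interface, service, port, forward-port or rich rule that exists on one side only. Run on a real host it assumes firewall-cmd is on PATH; the two SAMPLE_* listings embedded below are constructed so that it also runs offline.

```python
"""Report drift between firewalld's runtime and permanent configuration.

Added example (not from the thread). Parses `firewall-cmd --list-all`
output for one zone, runtime and --permanent, and diffs the list fields.
The SAMPLE_* strings are constructed; firewall_cmd_list_all() is the
helper you would use on a real host (assumes firewall-cmd on PATH).
"""
import re
import subprocess
import sys
from typing import Dict, Set

# --list-all fields whose value is a list. Scalars such as target,
# masquerade or icmp-block-inversion are skipped.
LIST_KEYS = ("interfaces", "sources", "services", "ports", "protocols",
             "forward-ports", "source-ports", "icmp-blocks", "rich rules")

# A field header looks like "  services: ssh http". Items never match this
# because they contain '/', '=' or quotes, which the key class excludes.
KEY_RE = re.compile(r"^([a-z][a-z -]*):(.*)$")


def parse_list_all(text: str) -> Dict[str, Set[str]]:
    """Turn --list-all output into {field: set(items)}.

    Rich rules are one item per line; every other list field is split on
    whitespace, so a line wrapped by a mail client or terminal still parses.
    """
    fields: Dict[str, Set[str]] = {k: set() for k in LIST_KEYS}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key, line = m.group(1), m.group(2).strip()
            current = key if key in fields else None
            if not line:
                continue
        if current is None:          # zone header line or a scalar field
            continue
        if current == "rich rules":
            fields[current].add(line)
        else:
            fields[current].update(line.split())
    return fields


def drift(runtime: Dict[str, Set[str]],
          permanent: Dict[str, Set[str]]) -> Dict[str, Dict[str, Set[str]]]:
    """{field: {"runtime_only": ..., "permanent_only": ...}} where they differ."""
    out: Dict[str, Dict[str, Set[str]]] = {}
    for key in LIST_KEYS:
        only_rt = runtime[key] - permanent[key]
        only_perm = permanent[key] - runtime[key]
        if only_rt or only_perm:
            out[key] = {"runtime_only": only_rt, "permanent_only": only_perm}
    return out


def firewall_cmd_list_all(zone: str, permanent: bool) -> str:
    """Run firewall-cmd for one zone; --permanent selects the stored rules."""
    cmd = ["firewall-cmd"] + (["--permanent"] if permanent else []) \
        + [f"--zone={zone}", "--list-all"]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


# Constructed sample: IMAP and a rich rule were added at runtime only, and
# --runtime-to-permanent was never run. A reload or reboot drops all of it.
SAMPLE_RUNTIME = """\
public (active)
  target: default
  interfaces: eth0
  sources:
  services: dhcpv6-client ssh imap imaps
  ports: 143/tcp
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
\trule family="ipv4" source address="192.168.1.0/24" service name="smtp" accept
"""

SAMPLE_PERMANENT = """\
public
  target: default
  interfaces: eth0
  sources:
  services: dhcpv6-client ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
"""


def sample_drift() -> Dict[str, Dict[str, Set[str]]]:
    """Drift between the two constructed samples (offline demo)."""
    return drift(parse_list_all(SAMPLE_RUNTIME), parse_list_all(SAMPLE_PERMANENT))


def report(d: Dict[str, Dict[str, Set[str]]]) -> None:
    if not d:
        print("runtime and permanent configuration match")
    for key, sides in d.items():
        for side, items in sides.items():
            for item in sorted(items):
                print(f"{key}: {item} is {side.replace('_', ' ')}")


if __name__ == "__main__":
    if len(sys.argv) > 1:        # real host: python3 fw-drift.py public
        zone = sys.argv[1]
        report(drift(parse_list_all(firewall_cmd_list_all(zone, False)),
                     parse_list_all(firewall_cmd_list_all(zone, True))))
    else:                        # offline demo on the constructed samples
        report(sample_drift())
```

Anything listed as "runtime only" is exactly what `firewall-cmd --runtime-to-permanent` would save, and what a `--reload` would silently discard.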


Re: [CentOS] firewalld

2017-01-28 Thread James Hogarth
On 28 Jan 2017 3:02 am, "TE Dukes" <tdu...@palmettoshopper.com> wrote:



> -Original Message-
> From: CentOS [mailto:centos-boun...@centos.org] On Behalf Of Gordon
> Messmer
> Sent: Friday, January 27, 2017 9:23 PM
> To: CentOS mailing list
> Subject: Re: [CentOS] firewalld
>
> On 01/27/2017 06:01 PM, TE Dukes wrote:
> > I telnet localhost 143, I get connection refused.
> >
> > What zone is used for the local network and what zone is used for
> > outside access?
>
> All traffic from localhost is allowed.  No zone is involved.
>
> The zone for "outside" access depends on which interface receives the
> packet, and what zone you've put that interface in.  I believe that
> defaults to "public."

I'm telnetting in from ssh on a machine on the local network, still getting
connection refused.

The zone apparently means something because an interface can only be on one.
Moving it to a different zone results in the same error (same services/ports
opened in each zone).

I may as well disable firewalld and let my router handle the firewall.

I don't plan to use my server as a workstation.


Have a read through this and then decide on if you want to use it or not.

You can also switch to iptables-service and mask firewalld if you want the
same behaviour as in C6.

7.3 also has nftables as a tech preview, but I've not finished my article
on that yet.
___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] firewalld

2017-01-27 Thread TE Dukes


> -Original Message-
> From: CentOS [mailto:centos-boun...@centos.org] On Behalf Of Gordon
> Messmer
> Sent: Friday, January 27, 2017 9:23 PM
> To: CentOS mailing list
> Subject: Re: [CentOS] firewalld
> 
> On 01/27/2017 06:01 PM, TE Dukes wrote:
> > I telnet localhost 143, I get connection refused.
> >
> > What zone is used for the local network and what zone is used for
> > outside access?
> 
> All traffic from localhost is allowed.  No zone is involved.
> 
> The zone for "outside" access depends on which interface receives the
> packet, and what zone you've put that interface in.  I believe that
> defaults to "public."

I'm telnetting in from ssh on a machine on the local network, still getting
connection refused.

The zone apparently means something because an interface can only be on one.
Moving it to a different zone results in the same error (same services/ports
opened in each zone).

I may as well disable firewalld and let my router handle the firewall.

I don't plan to use my server as a workstation.

___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] firewalld

2017-01-27 Thread Gordon Messmer

On 01/27/2017 06:01 PM, TE Dukes wrote:

I telnet localhost 143, I get connection refused.

What zone is used for the local network and what zone is used for outside
access?


All traffic from localhost is allowed.  No zone is involved.

The zone for "outside" access depends on which interface receives the 
packet, and what zone you've put that interface in.  I believe that 
defaults to "public."

___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos


[CentOS] firewalld

2017-01-27 Thread TE Dukes
Got 7.3 installed Wednesday, things went so so.

Been working on getting roundcubemail setup and firewalld is kicking my
butt.

I can't figure out all these zones. I opened imap, imaps, pop3, pop3s, smtp,
smtps in zones internal, trusted and public.

I still get connection refused.

I telnet localhost 143, I get connection refused.

What zone is used for the local network and what zone is used for outside
access? Two days and can't access mail.

Is this a Redhat brain child? According to firewalld.org, only Redhat,
CentOS and Fedora are using it.

Not too happy


___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos


[CentOS] firewalld and just a routing between local lans

2016-08-16 Thread lejeczek

hi
How different iptables is in 7 from 6 I'm just learning; I expected that
since the interfaces belong to the same zone, traffic between them would
pass (be forwarded) without any extra settings/configuration, but it
turns out I'm wrong.
Am I missing something, and is there actually a simple way, designed to
make that routing between LANs/interfaces just work: a one-liner, one
option/setting in that comprehensive(?) firewalld configuration?
How does firewalld make your CentOS a router of directly connected LANs?


many thanks
L.
___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos


[CentOS] firewalld cloud-init dhcp error

2016-07-17 Thread 望月忠雄
Dear members,

Please tell me what's wrong.
After setting up firewalld, I got a failure in cloud-init on reboot.
The server is rebooted, but I cannot access it from the internet.
Before the reboot I can access it from the internet.
And before setting up firewalld, there was no problem on reboot.

/var/log/cloud-init.log shows the following:
Jul 17 14:18:46 biz105 cloud-init: ci-info: !!!Route info failed
Jul 17 14:21:01 biz105 cloud-init: 2016-07-17 14:21:01,476 - url_helper.py[WARNING]: Calling 'http://169.254.169.254/2009-04-04/meta-data/instance-id' failed [3/120s]: unexpected error ['NoneType' object has no attribute 'status_code']
Jul 17 14:21:04 biz105 cloud-init: 2016-07-17 14:21:04,482 - url_helper.py[WARNING]: Calling 'http://169.254.169.254/2009-04-04/meta-data/instance-id' failed [6/120s]: unexpected error ['NoneType' object has no attribute 'status_code']
Jul 17 14:21:07 biz105 cloud-init: 2016-07-17 14:21:07,488 - url_helper.py[WARNING]: Calling 'http://169.254.169.254/2009-04-04/meta-data/instance-id' failed [9/120s]: unexpected error ['NoneType' object has no attribute 'status_code']


# cat /etc/firewalld/direct.xml
  -s 192.168.1.5 -o eth0 -j SNAT --to 153.153.xxx.xxx
  -s 153.153.xxx.xxx -o eth0 -j DNAT --to 192.168.1.5

# firewall-cmd --zone=external --list-all
external (active)
  interfaces: eth0
  sources:
  services: dns ftp http https imaps pop3s smtp ssh
  ports: 110/tcp 21/tcp 106/tcp 53/tcp 990/tcp 5432/tcp 8447/tcp 113/tcp
143/tcp 3306/tcp 5224/tcp 22/tcp 465/tcp 995/tcp 25/tcp 8443/tcp 993/tcp
443/tcp 8880/tcp 587/tcp 20/tcp 53/udp 12768/tcp
  masquerade: yes
  forward-ports:
  icmp-blocks:
  rich rules:

# nmcli c show System-eth0 | grep connection.autoconnect
connection.autoconnect: yes
connection.autoconnect-priority:0
___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] FirewallD and FTP passive mode

2016-05-06 Thread Steve Clark

On 05/05/2016 09:15 AM, Marcin Trendota wrote:

Howdy

I'm trying to run FTP server behind firewall. And i can't enable passive
mode from the Internet. There are plenty howtos but there aren't many
with my combination.

For now i have configured port forwarding and ftp server itself.

On the router:
# firewall-cmd --list-all --zone=external
external (active)
   interfaces: enp3s1
   sources:
   services: openvpn ssh
   ports: 1194/tcp 2666/tcp 88/tcp
   masquerade: yes
   forward-ports: port=21:proto=tcp:toport=:toaddr=10.0.32.7
 port=10090-10100:proto=tcp:toport=:toaddr=10.0.32.7
 port=88:proto=tcp:toport=80:toaddr=10.0.32.23
   icmp-blocks:
   rich rules:

I also did:
# modprobe ip_conntrack_ftp ports=10090,10100


excerpt form vsftpd.conf on the FTP server:
pasv_enable=Yes
pasv_min_port=10090
pasv_max_port=10100
pasv_addr_resolve=Yes

Do you have pasv_addr set to the hostname of the server?
pasv_address
  Use this option to override the IP address that vsftpd will 
advertise in response to
  the PASV command. Provide a numeric IP address, unless 
pasv_addr_resolve is enabled,
  in which case you can provide a hostname which will be  DNS  
resolved  for  you  at
  startup.

  Default: (none - the address is taken from the incoming connected 
socket)


From LAN or through VPN it works. But on the public address I can only
log in, cannot turn into passive mode:

Connected to ftp1.domain.com (xxx.xxx.xxx.xxx).
220 (vsFTPd 2.2.2)
Name (ftp1.domain.com:root): user
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (10,0,32,7,39,111).
ftp: connect: Connection timed out

Also this IP looks weird - shouldn't it be public IP?

What am i doing wrong?
TIA.




--
Stephen Clark
*NetWolves Managed Services, LLC.*
Director of Technology
Phone: 813-579-3200
Fax: 813-882-0209
Email: steve.cl...@netwolves.com
http://www.netwolves.com
___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] FirewallD and FTP passive mode

2016-05-05 Thread James Hogarth
On 5 May 2016 4:54 p.m., "Gordon Messmer"  wrote:
>
> On 05/05/2016 06:15 AM, Marcin Trendota wrote:
>>
>> Also this IP looks weird - shouldn't it be public IP?
>
>
>
> Yes, it should.  Are you using FTPS (FTP with TLS)?
>
> You probably need to set the pasv_address option.
>
>
>

Although of course FTPS (FTP over SSL) breaks the snooping required for the
related conntracking which makes firewall configuration hell.

Do yourself a favour and drop FTP, switching over to SFTP instead as that's
far easier to secure and you only have to care about the single TCP port
for firewalls.
___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] FirewallD and FTP passive mode

2016-05-05 Thread Gordon Messmer

On 05/05/2016 06:15 AM, Marcin Trendota wrote:

Also this IP looks weird - shouldn't it be public IP?



Yes, it should.  Are you using FTPS (FTP with TLS)?

You probably need to set the pasv_address option.

___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos


[CentOS] FirewallD and FTP passive mode

2016-05-05 Thread Marcin Trendota
Howdy

I'm trying to run an FTP server behind a firewall. And I can't enable passive
mode from the Internet. There are plenty of howtos but there aren't many
with my combination.

For now i have configured port forwarding and ftp server itself.

On the router:
# firewall-cmd --list-all --zone=external
external (active)
  interfaces: enp3s1
  sources:
  services: openvpn ssh
  ports: 1194/tcp 2666/tcp 88/tcp
  masquerade: yes
  forward-ports: port=21:proto=tcp:toport=:toaddr=10.0.32.7
port=10090-10100:proto=tcp:toport=:toaddr=10.0.32.7
port=88:proto=tcp:toport=80:toaddr=10.0.32.23
  icmp-blocks:
  rich rules:

I also did:
# modprobe ip_conntrack_ftp ports=10090,10100


excerpt form vsftpd.conf on the FTP server:
pasv_enable=Yes
pasv_min_port=10090
pasv_max_port=10100
pasv_addr_resolve=Yes

From LAN or through VPN it works. But on the public address I can only
log in, cannot turn into passive mode:

Connected to ftp1.domain.com (xxx.xxx.xxx.xxx).
220 (vsFTPd 2.2.2)
Name (ftp1.domain.com:root): user
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (10,0,32,7,39,111).
ftp: connect: Connection timed out

Also this IP looks weird - shouldn't it be public IP?

What am i doing wrong?
TIA.

-- 
Over And Out
MoonWolf
___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos
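The 227 line in the post above already contains the answer: (10,0,32,7,39,111) decodes to 10.0.32.7 port 39*256+111 = 10095, so a client on the Internet is told to open its data connection to a private address, which is why it times out after a successful login; the replies above point at pasv_address for exactly this reason. The following is an added example, not code from the thread or from vsftpd/firewalld: it decodes a PASV reply, flags an address that is not globally routable, checks the port against the vsftpd pasv_min_port/pasv_max_port pair quoted in the post, and checks that the router's forward-ports (copied from the post's --list-all output) actually carry that port to the backend without rewriting it.

```python
"""Check an FTP server's PASV reply against the firewalld forward-ports
in front of it.

Added example, not code from the thread. The 227 line, the forward-port
entries and the 10090-10100 range are taken from the post above; the
checks are this example's own.
"""
import ipaddress
import re
from typing import List, Tuple

PASV_RE = re.compile(
    r"227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
# firewalld's --list-all rendering of a forward rule, e.g.
#   port=10090-10100:proto=tcp:toport=:toaddr=10.0.32.7
FWD_RE = re.compile(r"port=(\d+)(?:-(\d+))?:proto=(\w+):toport=(\d*):toaddr=([\d.]*)")

ForwardRule = Tuple[int, int, str, str, str]   # lo, hi, proto, toport, toaddr


def parse_pasv(line: str) -> Tuple[str, int]:
    """Decode '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' into (ip, port)."""
    m = PASV_RE.search(line)
    if not m:
        raise ValueError(f"not a PASV reply: {line!r}")
    h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError(f"octet out of range in PASV reply: {line!r}")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_forward_ports(entries: List[str]) -> List[ForwardRule]:
    """Parse the forward-ports entries as --list-all prints them."""
    rules: List[ForwardRule] = []
    for entry in entries:
        m = FWD_RE.fullmatch(entry.strip())
        if not m:
            raise ValueError(f"unrecognised forward-port entry: {entry!r}")
        lo, hi, proto, toport, toaddr = m.groups()
        rules.append((int(lo), int(hi) if hi else int(lo), proto, toport, toaddr))
    return rules


def data_port_forwarded(port: int, backend: str, rules: List[ForwardRule]) -> bool:
    """True if a TCP forward to `backend` covers `port` without rewriting it.

    PASV data ports must map 1:1: the server advertises the port it listens
    on, so a rule with a different toport would send the client elsewhere.
    """
    return any(lo <= port <= hi and proto == "tcp" and toaddr == backend
               and toport in ("", str(port))
               for lo, hi, proto, toport, toaddr in rules)


def check_pasv(line: str, backend: str, rules: List[ForwardRule],
               pasv_range: Tuple[int, int], client_is_remote: bool = True) -> List[str]:
    """Problems a client (remote by default) would hit with this PASV reply."""
    addr, port = parse_pasv(line)
    ip = ipaddress.ip_address(addr)
    problems: List[str] = []
    if client_is_remote and not ip.is_global:
        problems.append(f"advertised address {addr} is not routable from the "
                        f"Internet; set pasv_address to the public IP")
    lo, hi = pasv_range
    if not lo <= port <= hi:
        problems.append(f"advertised port {port} is outside pasv range {lo}-{hi}")
    if not data_port_forwarded(port, backend, rules):
        problems.append(f"no forward-port rule sends {port}/tcp to {backend}")
    return problems


# Copied from the post above (router's external zone and the ftp session).
ROUTER_FORWARD_PORTS = [
    "port=21:proto=tcp:toport=:toaddr=10.0.32.7",
    "port=10090-10100:proto=tcp:toport=:toaddr=10.0.32.7",
    "port=88:proto=tcp:toport=80:toaddr=10.0.32.23",
]
PASV_REPLY = "227 Entering Passive Mode (10,0,32,7,39,111)."
PASV_RANGE = (10090, 10100)   # vsftpd pasv_min_port / pasv_max_port from the post
FTP_BACKEND = "10.0.32.7"


def diagnose() -> List[str]:
    """Run the checks on the data quoted from the post."""
    return check_pasv(PASV_REPLY, FTP_BACKEND, parse_forward_ports(ROUTER_FORWARD_PORTS),
                      PASV_RANGE)


if __name__ == "__main__":
    for problem in diagnose():
        print("PROBLEM:", problem)
```

With the post's data the port range and the forward rule both check out, and the only finding is the private address, which is the symptom the poster saw. A rule that rewrites the port (the 88 to 80 entry) is deliberately not accepted for a data port, since the server has no way to know the translated number.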


Re: [CentOS] FirewallD issue

2016-04-22 Thread Gordon Messmer

On 04/21/2016 03:28 PM, Marcin Trendota wrote:

Also, you probably should specify tun+ instead of tun0, even if you
>think there will only be one tunnel up at any given time.

Specify where?


firewall-cmd --zone=home --add-interface=tun+

Beyond that, I can't really tell what firewalld is doing with forwarded 
traffic from the output you've given, just the incoming traffic.  It 
might be more clear to just post the output of "iptables -L -vn" 
somewhere.  https://paste.fedoraproject.org/ maybe

___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] FirewallD issue

2016-04-21 Thread Chandran Manikandan
Hi Marcin,
Please check the port number in your OpenVPN config file, then check whether
your firewalld config allows the same port or not.

On Fri, Apr 22, 2016 at 6:28 AM, Marcin Trendota 
wrote:

> On Thursday 21 of April 2016 2:37:49 PM Gordon Messmer wrote:
> > On 04/21/2016 01:33 PM, Marcin Trendota wrote:
> > > It's OpenVPN on chamber.
> > What port is it using?  I don't see the standard port listed in your
> > firewalld rules in either zone.
>
> 1194/udp. I added service openvpn and port 1194/udp (just to be sure) to
> both zones - no change.
>
> [root@chamber openvpn]# firewall-cmd --list-all
> home (default, active)
>   interfaces: enp3s0 tun0 vbr0 virbr0 vnet0 vnet1
>   sources:
>   services: dhcp dhcpv6-client dns http https imaps ipp-client mdns nfs
> openvpn samba samba-client vnc-server
>   ports: 143/tcp 2/tcp 1194/udp
>   masquerade: no
>   forward-ports:
>   icmp-blocks:
>   rich rules:
>
> [root@chamber openvpn]# firewall-cmd --list-all --zone=external
> external (active)
>   interfaces: enp1s0
>   sources:
>   services: openvpn
>   ports: 2/tcp 1194/udp
>   masquerade: yes
>   forward-ports:
>   icmp-blocks:
>   rich rules:
>
> > Also, you probably should specify tun+ instead of tun0, even if you
> > think there will only be one tunnel up at any given time.
>
> Specify where?
>
> Despite the fact that I can't scan their ports, I'm able to ping those
> hosts.
>
> Maybe it's not firewalld related? I can scan ports from chamber (home
> router). I'll try tcpdump maybe, to see what is going on with packets?
>
> --
> Over And Out
> MoonWolf
> ___
> CentOS mailing list
> CentOS@centos.org
> https://lists.centos.org/mailman/listinfo/centos
>



-- 
*Thanks,*
*Manikandan.C*
*System Administrator*
___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] FirewallD issue

2016-04-21 Thread Marcin Trendota
On Thursday 21 of April 2016 2:37:49 PM Gordon Messmer wrote:
> On 04/21/2016 01:33 PM, Marcin Trendota wrote:
> > It's OpenVPN on chamber.
> What port is it using?  I don't see the standard port listed in your
> firewalld rules in either zone.

1194/udp. I added service openvpn and port 1194/udp (just to be sure) to 
both zones - no change.

[root@chamber openvpn]# firewall-cmd --list-all
home (default, active)
  interfaces: enp3s0 tun0 vbr0 virbr0 vnet0 vnet1
  sources: 
  services: dhcp dhcpv6-client dns http https imaps ipp-client mdns nfs 
openvpn samba samba-client vnc-server
  ports: 143/tcp 2/tcp 1194/udp
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 

[root@chamber openvpn]# firewall-cmd --list-all --zone=external
external (active)
  interfaces: enp1s0
  sources: 
  services: openvpn
  ports: 2/tcp 1194/udp
  masquerade: yes
  forward-ports: 
  icmp-blocks: 
  rich rules: 

> Also, you probably should specify tun+ instead of tun0, even if you
> think there will only be one tunnel up at any given time.

Specify where?

Despite the fact that I can't scan their ports, I'm able to ping those
hosts.

Maybe it's not firewalld related? I can scan ports from chamber (home 
router). I'll try tcpdump maybe, to see what is going on with packets?

-- 
Over And Out
MoonWolf
___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] FirewallD issue

2016-04-21 Thread Gordon Messmer

On 04/21/2016 01:33 PM, Marcin Trendota wrote:

It's OpenVPN on chamber.


What port is it using?  I don't see the standard port listed in your 
firewalld rules in either zone.


Also, you probably should specify tun+ instead of tun0, even if you 
think there will only be one tunnel up at any given time.

___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] FirewallD issue

2016-04-21 Thread Marcin Trendota
On Thursday 21 of April 2016 9:08:09 AM Gordon Messmer wrote:
> On 04/21/2016 03:11 AM, Marcin Trendota wrote:
> > But from host in another location (connected through VPN):
> What host serves the VPN?  If it's another host, how is that host
> connected to the router?  If it's "chamber," what type of VPN is it?

It's OpenVPN on chamber.

I've just noticed that it's similar from home to the other location.
To clear things up: 10.0.49.0/26 is my home network,
10.0.32.0/22 is one of the VLANs at work ("the other location").

From chamber:

[root@chamber ~]# nmap 10.0.32.7

Starting Nmap 6.40 ( http://nmap.org ) at 2016-04-21 22:12 CEST
Nmap scan report for 10.0.32.7
Host is up (0.053s latency).
Not shown: 988 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
25/tcp   open  smtp
80/tcp   open  http
110/tcp  open  pop3
111/tcp  open  rpcbind
143/tcp  open  imap
389/tcp  open  ldap
443/tcp  open  https

Re: [CentOS] FirewallD issue

2016-04-21 Thread Gordon Messmer

On 04/21/2016 03:11 AM, Marcin Trendota wrote:

But from host in another location (connected through VPN):


What host serves the VPN?  If it's another host, how is that host 
connected to the router?  If it's "chamber," what type of VPN is it?

___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos


[CentOS] FirewallD issue

2016-04-21 Thread Marcin Trendota
Hello everybody.

Recently I moved the external interface to zone "external" on my home
server/router. And something strange is happening. From my router
(chamber, CentOS7) everything is fine:

[root@chamber ~]# firewall-cmd --list-all
home (default, active)
  interfaces: enp3s0 tun0 virbr0
  sources:
  services: dhcp dhcpv6-client dns http https imaps ipp-client mdns nfs
samba samba-client vnc-server
  ports: 143/tcp 2/tcp
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

[root@chamber ~]# firewall-cmd --list-all --zone=external
external (active)
  interfaces: enp1s0
  sources:
  services:
  ports: 2/tcp
  masquerade: yes
  forward-ports:
  icmp-blocks:
  rich rules:

[root@chamber ~]# nmap 10.0.49.14

Starting Nmap 6.40 ( http://nmap.org ) at 2016-04-21 11:57 CEST
Nmap scan report for 10.0.49.14
Host is up (0.00045s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
443/tcp open  https
MAC Address: 52:54:00:D6:6D:4A (QEMU Virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 0.18 seconds

But from host in another location (connected through VPN):

 moonwolf  ~  nmap 10.0.49.14

Starting Nmap 7.12 ( https://nmap.org ) at 2016-04-21 11:59 CEST
Note: Host seems down. If it is really up, but blocking our ping probes,
try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 0.06 seconds
 moonwolf  ~  nmap 10.0.49.14 -Pn -p22

Starting Nmap 7.12 ( https://nmap.org ) at 2016-04-21 11:59 CEST
Nmap scan report for svn.karakkhaz.dwarfs (10.0.49.14)
Host is up (0.015s latency).
PORT   STATESERVICE
22/tcp filtered ssh

Nmap done: 1 IP address (1 host up) scanned in 0.05 seconds

 moonwolf  ~  ping 10.0.49.14
PING 10.0.49.14 (10.0.49.14) 56(84) bytes of data.
64 bytes from 10.0.49.14: icmp_seq=1 ttl=62 time=9.45 ms
64 bytes from 10.0.49.14: icmp_seq=2 ttl=62 time=26.0 ms
^C
--- 10.0.49.14 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 9.459/17.754/26.050/8.296 ms

What could cause this behavior? Before interface move everything was
working as expected.

-- 
Over And Out
MoonWolf
___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] firewalld question

2016-03-25 Thread James Hogarth
On 25 March 2016 at 16:31, Matthew Miller  wrote:

> On Fri, Mar 25, 2016 at 11:26:17AM +, Timothy Murphy wrote:
> > >> I'm wondering if it is possible to have Centos-7 automatically change
> > >> firewall zones, depending on the network we connect to.
> > > The way to do this is changing the zone for the network in
> > > NetworkManager.
> > Are there two different ways of setting firewalld zones,
> > in firewalld and in NetworkManager?
> > Which is taken if they differ?
>
> They can't differ — the configuration is stored in the ifcfg files, no
> matter how you set it.
>
>
>
In this instance you're incorrect Matthew.

If an interface is associated with a zone via firewalld then this config is
in /etc/firewalld/zones/.xml with an interface element in the xml
there.

If NM has connection.zone modified to point to something this then would go
into /etc/sysconfig/network-scripts/ifcfg-* (as ZONE=)

And as a quick test the NM value overrides the firewalld one.

To verify this in a VM, assuming an interface name of eth0, do the
following:

== Make the firewalld change ==
firewall-cmd --change-interface=eth0 --zone=work
firewall-cmd --runtime-to-permanent

== Verify the config ==
firewall-cmd --get-active-zones
cat /etc/firewalld/zones/work.xml

** At this point the config all points to eth0 in work and verification
confirms this **

== Make the NM change ==
nmcli c mod "System eth0" connection.zone home

== Verify the config ==
firewall-cmd --get-active-zones
cat /etc/sysconfig/network-scripts/ifcfg-eth0
cat /etc/firewalld/zones/work.xml

** At this point the firewalld config points to eth0 in work but the NM
config points to home and verification confirms this different config but
home in use **

== Note the persistence ==
reboot
firewall-cmd --get-active-zones
cat /etc/sysconfig/network-scripts/ifcfg-eth0
cat /etc/firewalld/zones/work.xml

** The same situation as pre-reboot appears **

I assume this is the case as NM explicitly puts an interface into a zone as
part of the connection profile coming up. I haven't monitored dbus to see
if firewalld brings it up on one and NM changes it or not... easy for
someone else to test though ;)

> I find the firewalld definition of "zones" rather confusing.
> > I run shorewall on my home server, and that seems to me
> > to have a much simpler definition of zones.
>
> Think of "zone" as "set of presets".
>

It's a really horrible UX issue frankly; I've seen it confuse many people
at this point. This is made worse by the Fedora products creating their own
zones and defaulting to those, with EL7 using the firewalld upstream default
of Public, a name which is itself confusing when it doesn't really
relate to anything public but is just a name.

I've seen people assume work or home are detected by subnets or local net
only for instance - when again it's just labels for the larger part,

Upstream firewalld has been reluctant to change this though from what I've
seen and you can't even remove the default zones nicely to get a clearer
view of things.
___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos
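The verification steps James lays out above amount to reading two files and comparing them, which is easy to automate so the mismatch is caught before a reboot rather than discovered after one. What follows is an added example, not code from the thread, from firewalld or from NetworkManager: it reads the <interface name="..."/> elements in /etc/firewalld/zones/*.xml and the ZONE= key in /etc/sysconfig/network-scripts/ifcfg-*, and lists every interface the two sources place in different zones. The "NetworkManager wins" rule in effective_zone() encodes the precedence James observed in his quick test, not a documented guarantee. The embedded SAMPLE_* data is constructed to reproduce his eth0-in-work versus connection.zone=home scenario so the script runs offline.

```python
"""Compare the zone firewalld's zone files give an interface with the
ZONE= in its NetworkManager ifcfg profile.

Added example, not code from the thread. The precedence in
effective_zone() is the one observed in the post, not a documented rule.
SAMPLE_* data is constructed.
"""
import glob
import os
import re
import xml.etree.ElementTree as ET
from typing import Dict, Optional, Tuple

# KEY=value, optional double quotes, optional trailing # comment
IFCFG_LINE = re.compile(r'^\s*([A-Z_][A-Z0-9_]*)\s*=\s*"?([^"#]*?)"?\s*(?:#.*)?$')


def zones_from_firewalld(xml_by_zone: Dict[str, str]) -> Dict[str, str]:
    """{interface: zone} from zone-file XML text keyed by zone name."""
    result: Dict[str, str] = {}
    for zone, xml_text in xml_by_zone.items():
        for iface in ET.fromstring(xml_text).iter("interface"):
            name = iface.get("name")
            if not name:
                continue
            if name in result:   # firewall-cmd refuses this; hand-edited files can do it
                raise ValueError(f"{name} is in both {result[name]} and {zone}")
            result[name] = zone
    return result


def parse_ifcfg(text: str) -> Dict[str, str]:
    """KEY=value pairs of an ifcfg file, quotes and comments stripped."""
    values: Dict[str, str] = {}
    for line in text.splitlines():
        m = IFCFG_LINE.match(line)
        if m:
            values[m.group(1)] = m.group(2).strip()
    return values


def zones_from_ifcfg(ifcfg_by_path: Dict[str, str]) -> Dict[str, str]:
    """{interface: zone} for every profile with a non-empty ZONE= line."""
    result: Dict[str, str] = {}
    for path, text in ifcfg_by_path.items():
        values = parse_ifcfg(text)
        zone = values.get("ZONE", "")
        if not zone:             # empty or absent ZONE= means "default zone"
            continue
        iface = values.get("DEVICE") or os.path.basename(path)[len("ifcfg-"):]
        result[iface] = zone
    return result


def effective_zone(iface: str, fw: Dict[str, str], nm: Dict[str, str]) -> Optional[str]:
    """NetworkManager's connection.zone overrides the zone file (observed)."""
    return nm.get(iface) or fw.get(iface)


def conflicts(fw: Dict[str, str], nm: Dict[str, str]) -> Dict[str, Dict[str, Optional[str]]]:
    """Interfaces both sources know about but place in different zones."""
    return {iface: {"firewalld": fw[iface], "networkmanager": nm[iface],
                    "effective": effective_zone(iface, fw, nm)}
            for iface in sorted(set(fw) & set(nm)) if fw[iface] != nm[iface]}


def load_from_system(zone_dir: str = "/etc/firewalld/zones",
                     ifcfg_dir: str = "/etc/sysconfig/network-scripts"
                     ) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Read the real files and return (firewalld map, NetworkManager map)."""
    xml_by_zone = {os.path.basename(p)[:-len(".xml")]: open(p).read()
                   for p in glob.glob(os.path.join(zone_dir, "*.xml"))}
    ifcfg_by_path = {p: open(p).read()
                     for p in glob.glob(os.path.join(ifcfg_dir, "ifcfg-*"))}
    return zones_from_firewalld(xml_by_zone), zones_from_ifcfg(ifcfg_by_path)


# Constructed samples: eth0 is in "work" per firewalld but "home" per NM.
SAMPLE_ZONES = {
    "work": '<zone>\n  <short>Work</short>\n  <service name="ssh"/>\n'
            '  <interface name="eth0"/>\n</zone>\n',
    "home": '<zone>\n  <short>Home</short>\n  <service name="ssh"/>\n'
            '  <service name="samba"/>\n</zone>\n',
}
SAMPLE_IFCFG = {
    "/etc/sysconfig/network-scripts/ifcfg-eth0":
        'TYPE=Ethernet\nNAME="System eth0"\nDEVICE=eth0\nONBOOT=yes\nZONE=home\n',
    "/etc/sysconfig/network-scripts/ifcfg-eth1":
        'TYPE=Ethernet\nDEVICE=eth1\nONBOOT=yes\nZONE=\n',
}


def sample_conflicts() -> Dict[str, Dict[str, Optional[str]]]:
    """Conflicts in the constructed samples (offline demo)."""
    return conflicts(zones_from_firewalld(SAMPLE_ZONES), zones_from_ifcfg(SAMPLE_IFCFG))


if __name__ == "__main__":
    if os.path.isdir("/etc/firewalld/zones"):
        fw, nm = load_from_system()
    else:
        fw, nm = zones_from_firewalld(SAMPLE_ZONES), zones_from_ifcfg(SAMPLE_IFCFG)
    for iface, info in conflicts(fw, nm).items():
        print(f"{iface}: zone file says {info['firewalld']}, NetworkManager says "
              f"{info['networkmanager']}, {info['effective']} is what is active")
```

An interface with an empty ZONE= is left out of the NetworkManager map on purpose: on the ifcfg side that means "default zone", which is only a conflict if firewalld's zone file also names the interface, and that case is visible from the firewalld map alone.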


Re: [CentOS] firewalld question

2016-03-25 Thread Matthew Miller
On Fri, Mar 25, 2016 at 11:26:17AM +, Timothy Murphy wrote:
> >> I'm wondering if it is possible to have Centos-7 automatically change
> >> firewall zones, depending on the network we connect to.
> > The way to do this is changing the zone for the network in
> > NetworkManager.
> Are there two different ways of setting firewalld zones,
> in firewalld and in NetworkManager?
> Which is taken if they differ?

They can't differ — the configuration is stored in the ifcfg files, no
matter how you set it.


> I find the firewalld definition of "zones" rather confusing.
> I run shorewall on my home server, and that seems to me
> to have a much simpler definition of zones.

Think of "zone" as "set of presets".

-- 
Matthew Miller

Fedora Project Leader
___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] firewalld question

2016-03-25 Thread Timothy Murphy
Matthew Miller wrote:

>> I'm wondering if it is possible to have Centos-7 automatically change
>> firewall zones, depending on the network we connect to.

> The way to do this is changing the zone for the network in
> NetworkManager.

Are there two different ways of setting firewalld zones,
in firewalld and in NetworkManager?
Which is taken if they differ?

> (This works easily for wifi networks and is kind of a
> pain for wired ones, unfortunately, since there's not necessarily a
> good way to distinguish.) I don't have a CentOS (or RHEL) desktop and I
> don't remember offhand when this hit, but in Fedora, run the
> NetworkManager config panel, hit config on a network, and change the
> zone on the Security tab.
> 
> Or, put "ZONE=public" or "ZONE=work" or whatever in the ifcfg file for
> the network.
> 
> I'm hoping in the future to make this better, but there are actually a
> lot of different parts involved so it's hard to get everyone to agree
> on the best approach.
> 
> I personally make "public" my default zone, and then add zones that
> should be more trusted to networks that should be more open.

I find the firewalld definition of "zones" rather confusing.
I run shorewall on my home server, and that seems to me
to have a much simpler definition of zones.

-- 
Timothy Murphy  
gayleard /at/ eircom.net
School of Mathematics, Trinity College, Dublin


___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] firewalld question

2016-03-24 Thread Fred Smith
On Thu, Mar 24, 2016 at 06:39:37PM -0400, Matthew Miller wrote:

Thanks for the info, Matthew!

Fred
> On Thu, Mar 24, 2016 at 02:01:55PM -0400, Fred Smith wrote:
> > I'm wondering if it is possible to have Centos-7 automatically change
> > firewall zones, depending on the network we connect to.
> 
> The way to do this is changing the zone for the network in
> NetworkManager. (This works easily for wifi networks and is kind of a
> pain for wired ones, unfortunately, since there's not necessarily a
> good way to distinguish.) I don't have a CentOS (or RHEL) desktop and I
> don't remember offhand when this hit, but in Fedora, run the
> NetworkManager config panel, hit config on a network, and change the
> zone on the Security tab.
> 
> Or, put "ZONE=public" or "ZONE=work" or whatever in the ifcfg file for
> the network.
> 
> I'm hoping in the future to make this better, but there are actually a
> lot of different parts involved so it's hard to get everyone to agree
> on the best approach.
> 
> I personally make "public" my default zone, and then add zones that
> should be more trusted to networks that should be more open.
> 
> -- 
> Matthew Miller
> 
> Fedora Project Leader
> ___
> CentOS mailing list
> CentOS@centos.org
> https://lists.centos.org/mailman/listinfo/centos

-- 
 Fred Smith -- fre...@fcshome.stoneham.ma.us -
"Not everyone who says to me, 'Lord, Lord,' will enter the kingdom of
 heaven, but only he who does the will of my Father who is in heaven."
-- Matthew 7:21 (niv) -


Re: [CentOS] firewalld question

2016-03-24 Thread Fred Smith
On Thu, Mar 24, 2016 at 09:18:16PM +, James Hogarth wrote:

Thanks, James, that looks pretty good. I'll look into it and probably
give it a try.

Fred
> On 24 March 2016 at 18:01, Fred Smith  wrote:
> 
> > Hi all!
> >
> > I'm wondering if it is possible to have Centos-7 automatically change
> > firewall zones, depending on the network we connect to.
> >
> > my default zone is "home" and it has some ports open that probably
> > shouldn't be open when I'm on someone else's network.
> >
> > so I'm thinking that if there's a way to have it always use home when
> > I'm at home, and external when I'm not, it would be great.
> >
> > I see that firewall-cmd has a ton of options, but not sure which one(s)
> > I'd need for switching. (I see one for setting default zone, but I didn't
> > see one for setting current zone--maybe I'm blind).
> >
> > I'm also not at all sure how to invoke it at a proper time,... perhaps
> > some udev rules?
> >
> >
> > anyone got any wisdom they can drop on me?
> >
> >
> The default zones are poorly named and should never have been included -
> especially given most of them aren't in use on any given system.
> 
> For a look into how to make use of firewalld take a look at this:
> 
> https://www.hogarthuk.com/?q=node/9
> 
>  The best way to handle the scenario you describe would be multiple NM
> connection profiles (don't have it set to auto) so that you can set
> connection.zone correctly on each for the right network profile.
> 
> Then when you nmcli c up work (or home or whatever) to bring up that
> connection profile it'll come up in the right zone.
> 
> This manual nmcli c up is only needed if these are ethernet profiles as
> there's no link between subnet and connection profile
> 
> If these are WiFi connections NM already has different connection profiles
> and picks one to match the SSID - so you could set the right
> connection.zone in that.
> 
> The NM article goes into some details on connection profiles
> 
> https://www.hogarthuk.com/?q=node/8
> 
> Alternatively if you know the subnets that will be connecting to you at
> work and home you could set your default profile to reject and create zones
> with appropriate incoming rules bound to the source subnets contacting your
> system.

-- 
 Fred Smith -- fre...@fcshome.stoneham.ma.us -
 "God made him who had no sin
  to be sin for us, so that in him
 we might become the righteousness of God."
--- Corinthians 5:21 -


Re: [CentOS] firewalld question

2016-03-24 Thread Matthew Miller
On Thu, Mar 24, 2016 at 02:01:55PM -0400, Fred Smith wrote:
> I'm wondering if it is possible to have Centos-7 automatically change
> firewall zones, depending on the network we connect to.

The way to do this is changing the zone for the network in
NetworkManager. (This works easily for wifi networks and is kind of a
pain for wired ones, unfortunately, since there's not necessarily a
good way to distinguish.) I don't have a CentOS (or RHEL) desktop and I
don't remember offhand when this hit, but in Fedora, run the
NetworkManager config panel, hit config on a network, and change the
zone on the Security tab.

Or, put "ZONE=public" or "ZONE=work" or whatever in the ifcfg file for
the network.

I'm hoping in the future to make this better, but there are actually a
lot of different parts involved so it's hard to get everyone to agree
on the best approach.

I personally make "public" my default zone, and then add zones that
should be more trusted to networks that should be more open.

-- 
Matthew Miller

Fedora Project Leader


Re: [CentOS] firewalld question

2016-03-24 Thread James Hogarth
On 24 March 2016 at 18:01, Fred Smith  wrote:

> Hi all!
>
> I'm wondering if it is possible to have Centos-7 automatically change
> firewall zones, depending on the network we connect to.
>
> my default zone is "home" and it has some ports open that probably
> shouldn't be open when I'm on someone else's network.
>
> so I'm thinking that if there's a way to have it always use home when
> I'm at home, and external when I'm not, it would be great.
>
> I see that firewall-cmd has a ton of options, but not sure which one(s)
> I'd need for switching. (I see one for setting default zone, but I didn't
> see one for setting current zone--maybe I'm blind).
>
> I'm also not at all sure how to invoke it at a proper time,... perhaps
> some udev rules?
>
>
> anyone got any wisdom they can drop on me?
>
>
The default zones are poorly named and should never have been included -
especially given most of them aren't in use on any given system.

For a look into how to make use of firewalld take a look at this:

https://www.hogarthuk.com/?q=node/9

The best way to handle the scenario you describe would be multiple NM
connection profiles (don't have it set to auto) so that you can set
connection.zone correctly on each for the right network profile.

Then when you nmcli c up work (or home or whatever) to bring up that
connection profile it'll come up in the right zone.

This manual nmcli c up is only needed if these are ethernet profiles as
there's no link between subnet and connection profile.

If these are WiFi connections NM already has different connection profiles
and picks one to match the SSID - so you could set the right
connection.zone in that.

The NM article goes into some details on connection profiles:

https://www.hogarthuk.com/?q=node/8

Alternatively if you know the subnets that will be connecting to you at
work and home you could set your default profile to reject and create zones
with appropriate incoming rules bound to the source subnets contacting your
system.
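The two approaches James describes (per-network NM profiles pinned to a zone, and a rejecting default zone with source-bound zones), as an added example that is not part of this thread or of firewalld/NetworkManager itself: it prints the nmcli and firewall-cmd commands for a constructed home/work setup and parses `firewall-cmd --get-active-zones` output to verify which zone the interface actually landed in after `nmcli c up`. The interface name eth0, the subnets and the ssh service are assumptions.

```shell
#!/bin/bash
# Added example, not code from the thread. Assumes a wired interface "eth0"
# and constructed subnets 192.168.10.0/24 (home) and 10.20.0.0/16 (work).
set -euo pipefail

# Approach 1: one non-autoconnecting wired profile per network, each pinned to
# its own firewalld zone; "nmcli c up <name>" then puts eth0 into that zone.
profile_cmds() {
  local name=$1 iface=$2 zone=$3
  printf 'nmcli connection add type ethernet con-name %s ifname %s' "$name" "$iface"
  printf ' connection.zone %s connection.autoconnect no\n' "$zone"
}

# Approach 2: keep the default zone rejecting everything ("block") and admit a
# service only for packets whose source is a known subnet.
source_zone_cmds() {
  local zone=$1 subnet=$2 service=$3
  printf 'firewall-cmd --permanent --zone=%s --add-source=%s\n' "$zone" "$subnet"
  printf 'firewall-cmd --permanent --zone=%s --add-service=%s\n' "$zone" "$service"
}

# Parse "firewall-cmd --get-active-zones" output (read from stdin) and print the
# zone an interface is bound to, so a profile switch can be verified afterwards.
zone_of_interface() {
  local iface=$1 zone="" line word
  while IFS= read -r line; do
    case $line in
      '  interfaces:'*)
        for word in ${line#*:}; do
          if [ "$word" = "$iface" ]; then printf '%s\n' "$zone"; return 0; fi
        done ;;
      '  '*) ;;              # "  sources:" lines carry no interface
      *) zone=$line ;;       # an unindented line names the next zone
    esac
  done
  return 1                   # interface is not bound to any active zone
}

# Constructed sample of --get-active-zones output after "nmcli c up home".
SAMPLE_ACTIVE_ZONES='home
  interfaces: eth0
work
  sources: 10.20.0.0/16'

profile_cmds home eth0 home
profile_cmds work eth0 work
printf 'firewall-cmd --set-default-zone=block\n'   # "block" rejects unsolicited traffic
source_zone_cmds work 10.20.0.0/16 ssh
printf 'eth0 is currently in zone: %s\n' \
  "$(printf '%s\n' "$SAMPLE_ACTIVE_ZONES" | zone_of_interface eth0)"
```

The script only prints the commands; run them by hand (or pipe the output into bash) once the profile names, interface and subnets match the machine.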


[CentOS] firewalld question

2016-03-24 Thread Fred Smith
Hi all!

I'm wondering if it is possible to have Centos-7 automatically change
firewall zones, depending on the network we connect to.

my default zone is "home" and it has some ports open that probably
shouldn't be open when I'm on someone else's network.

so I'm thinking that if there's a way to have it always use home when
I'm at home, and external when I'm not, it would be great.

I see that firewall-cmd has a ton of options, but not sure which one(s)
I'd need for switching. (I see one for setting default zone, but I didn't
see one for setting current zone--maybe I'm blind).

I'm also not at all sure how to invoke it at a proper time,... perhaps
some udev rules?


anyone got any wisdom they can drop on me?

thanks!

-- 
 Fred Smith -- fre...@fcshome.stoneham.ma.us -
 "God made him who had no sin
  to be sin for us, so that in him
 we might become the righteousness of God."
--- Corinthians 5:21 -


[CentOS] Firewalld

2016-01-28 Thread Emmett Culley
Yesterday I noticed that I was not able to ping one of our development servers 
so I logged in via VNC and ran the Firewalld GUI.

To my surprise, except for the interface definition for public and trusted 
zones, nothing seemed to be configured.  That is, none of the services were 
checked off that we want open at the firewall.  Also, this server is a gateway 
and masquerading and forwarding appears to be off as well.

So it looks like the GUI is not correctly reading the firewalld configuration.

I can find nothing in Google about this.

Emmett

