-
Notifications
You must be signed in to change notification settings - Fork 8
AlmaLinux8
Alma Linux 8 is clone of original RHEL/CentOS 8.
I'm unable to use current version 9, because it no longer works on AMD Opteron Generation 2 (G2)
CPU (RHEL 9 requires x86-64-v2
).
Testing
curl -fLO https://ftp.linux.cz/pub/linux/almalinux/8/isos/x86_64/AlmaLinux-8.9-x86_64-minimal.iso
Problem:
- my NVidia LAN does not work because missing
forcedeth
module (removed from late RHEL 7 by RedHat see https://linux.web.cern.ch/rhel/releasenotes/RELEASE-NOTES-7.0-x86_64/) - but it seems that we can use:
- finally downloaded to other computer:
- transferred on USB pendrive to target
- simply run
rpm -ivh kmod-forcedeth-0.0-10.el8_9.elrepo.x86_64.rpm
- after reboot all LANs should be automatically configured
- once network is working we can enable elrepo:
dnf install elrepo-release
To build RPMS we have to install
sudo dnf install rpmdevtools rpm-build yum-utils
# typical tools used for building:
sudo dnf install gcc make cmake gcc-c++ bison flex automake autoconf libtool
Then run as non-privileged user:
rpmdev-setuptree
Example downloading source package and unpacking tree:
cd
yumdownloader --source selinux-policy-targeted
rpm -ivh selinux-policy-3.14.3-128.el8_9.1.src.rpm
sudo yum-builddep selinux-policy-targeted
rpmbuild -bp ~/rpmbuild/SPECS/selinux-policy.spec
# see ~/rpmbuild/BUILD
Example building Midnight Commander RPM:
cd
yumdownloader --source mc
rpm -ivh mc-4.8.19-9.el8.src.rpm
sudo yum-builddep mc
Problem: No matching package to install: 'aspell-devel'
dnf search -v --repo '*' aspell-devel
aspell-devel.i686 : Libraries and header files for Aspell development
Repo : powertools
Matched from:
Provide : aspell-devel = 12:0.60.6.1-22.el8
# tried just --repo powertools but there was enother missing dependency:
sudo dnf install --repo '*' aspell-devel
sudo yum-builddep mc
# this command will rebuild both src.rpm and arch.rpm:
rpmbuild -ba ~/rpmbuild/SPECS/mc.spec
# rpms stored to ~/rpmbuild/SRPMS/ and ~/rpmbuild/RPMS/x86_64/
Or you can enable powertools
(and its deps) repo permamently with:
sudo dnf config-manager --enable powertools
Firewalld (CLI firewall-cmd
) has its own logic that makes things difficult:
First - log at least unicast rejects (rejected access to single IP address)
firewall-cmd --set-log-denied=unicast
Task:
- restrict SSH access to single IP address
- allow other (for example http) for all IP addresses
There are 2 choices
- see https://docs.rockylinux.org/guides/security/firewalld-beginners/
-
- using "rich rule"
-
- using new zone
Let's try new zone:
- we will combine:
firewall-cmd --new-zone=trusted-ssh --permanent
# replace 192.168.X.Y/32 with allowed client IP
firewall-cmd --zone=trusted-ssh --add-source=192.168.X.Y/32 --permanent
firewall-cmd --permanent --zone=trusted-ssh --add-service=ssh
firewall-cmd --zone=trusted-ssh --list-all --permanent
# Removed empty entries:
trusted-ssh (active)
target: default
icmp-block-inversion: no
sources: 192.168.X.Y/32
services: ssh
forward: no
masquerade: no
# now we have to remove ssh from public
firewall-cmd --permanent --zone=public --remove-service=ssh
firewall-cmd --permanent --list-all
public
target: default
icmp-block-inversion: no
services: cockpit dhcpv6-client
# now ensure that you have backup connection and run:
firewall-cmd --reload
firewall-cmd --get-active-zone
public
interfaces: eth0
trusted-ssh
sources: 192.168.X.Y/32
To see real rules you can try this command:
# very long output:
nft list ruleset
Example adding logging rule:
- https://www.suse.com/support/kb/doc/?id=000020833
- WARNING! On Alma 8 normal firewalld rules use NF tables, but Direct rules use iptables (!) However it somehow seems to work..
Here is an experimental rule to log all incoming connections from remote to this host:
# for IPv4
firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -m conntrack \
--ctstate NEW,UNTRACKED -j LOG --log-prefix "INPUT " --log-level 4
# for IPv6
firewall-cmd --direct --add-rule ipv6 filter INPUT 0 -m conntrack \
--ctstate NEW,UNTRACKED -j LOG --log-prefix "INPUTv6 " --log-level 4
Use dmesg
to see logged packets. Note: logs also UDP stuff (because connection
tracking is watching also these - for example for NAT support)
Experimental rule to track all outgoing connections (noisy!):
# for IPv4
firewall-cmd --direct --add-rule ipv4 filter OUTPUT 0 -m conntrack \
--ctstate NEW,UNTRACKED -j LOG --log-prefix "OUTPUT " --log-level 4
# for IPv6
firewall-cmd --direct --add-rule ipv6 filter OUTPUT 0 -m conntrack \
--ctstate NEW,UNTRACKED -j LOG --log-prefix "OUTPUTv6 " --log-level 4
Troubleshooting:
- follow: https://github.com/firewalld/firewalld/issues/440
- and set in
/etc/firewalld/firewalld.conf
IndividualCalls=yes
- and restart firewalld:
systemctl restart firewalld
Copyright © Henryk Paluch. All rights reserved.
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License