Carl's blog

samba smb3 multichannel on 802.3ad/lacp bond

by on May.19, 2017, under Computer Stuff

Still working on this.
Need to alias the bond. "ip link add link bond0 name bond0-alias address 11:22:33:44:55:66 type macvlan" doesn't quite work, because the bonding driver just flips through the same slave interfaces regardless of whether the alias or the original bond0 device is being used.

Next thing to try: alias the slaves and create a separate bond from them. This is on the NAS box (CentOS 7) running NFS and Samba.

On the Windows side, Server 2016 is running on Proxmox which is using a similar quad-NIC LACP bond. A duplicate virtIO interface was added to the Windows guest in Proxmox. Windows guest seems to be sending and receiving over both interfaces quite happily (but only at half rate), not sure what Proxmox/Linux is doing on the host side yet.


Sage HR 4.0 / 2012 import from Payroll nothing happens

by on Apr.27, 2017, under Computer Stuff

Clicking ‘Import from Payroll’ results in nothing happening at all.

The “logs” folder is missing from the data directory.

Should be found at:
\\server\sagehr$\Data\hr_company_0001\Documents\Logs


Compiling gr-fosphor on Fedora 25 / CentOS 7 with intel opencl

by on Apr.02, 2017, under Computer Stuff

Download the Intel OpenCL runtime & libraries (you don't need the SDK).
Install those RPMs. They will install to /opt/intel/opencl.

cd gr-fosphor/build

Here is the key step:

cmake -DOpenCL_LIBRARY=/opt/intel/opencl/libOpenCL.so -DOpenCL_INCLUDE_DIR=/opt/intel/opencl/include ..

then just carry on with the normal instructions:

make
sudo make install
sudo ldconfig

Cisco SPA phones not getting IP via DHCP

by on Feb.23, 2017, under Computer Stuff, SIP / VoIP

This is a pain, and I keep forgetting the cause. So to save myself the trouble in future, here it is.

It's simple: another device has the IP address that your DHCP server is handing out to the SPA504G/SPA508G phones, and so the phones are refusing to accept this IP address.

The Cisco SPA phone is being handed e.g. 192.168.1.56 by your DHCP server, but another device is using this IP address already. It's probably the DHCP server that is at fault. Certainly in my case, Windows 2008 DHCP does not have a record of some of the existing leases.

Look in your DHCP lease table, find the MAC of the offending phone, and have a look at what IP the DHCP server thinks it has leased to the phone. With the phone powered off, check if you can ping that IP. If you can ping that IP, then you know that the DHCP server is OFFERing out an IP address that is already in use.

If the DHCP server is Windows, and the scope is e.g. 192.168.1.11 - 192.168.1.100, then a quick fix is to temporarily change the scope range to something like 192.168.1.60 - 192.168.1.80, thus forcing the DHCP server to hand out a different IP address than the original 192.168.1.56 that it was handing out. The phones will then work, and then you can set the scope back to the original range. The DHCP server will record the lease and hand out that new IP address in future.
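As an added check that is not part of the original post: a small Python script that runs the "phone off, but the IP still answers" test from above across a whole lease table, by comparing what the DHCP server believes it has leased against what actually answers on the wire. The lease table and the neighbour table are constructed sample data; the neighbour table is assumed to be the output of "ip neigh show" on a Linux host in the same subnet (a Windows "arp -a" listing would need a different regex).

```python
import re

# Constructed sample lease table (IP -> MAC the DHCP server believes holds it).
# Mirrors the scenario in the post: the phone's lease on 192.168.1.56 is also
# in use by some other device, so the phone refuses the offered address.
LEASES = {
    "192.168.1.56": "00:0e:08:aa:bb:cc",  # SPA504G phone (constructed MAC)
    "192.168.1.57": "00:0e:08:aa:bb:dd",  # second phone (constructed MAC)
    "192.168.1.60": "b8:27:eb:11:22:33",  # some other host (constructed MAC)
}

# Constructed "ip neigh show" output, captured on a Linux host in the subnet
# after pinging every address in the scope with both phones powered off.
NEIGH_OUTPUT = """\
192.168.1.56 dev eth0 lladdr 3c:97:0e:12:34:56 REACHABLE
192.168.1.57 dev eth0  FAILED
192.168.1.60 dev eth0 lladdr b8:27:eb:11:22:33 STALE
192.168.1.1 dev eth0 lladdr 00:1a:2b:3c:4d:5e REACHABLE
"""

# One IPv4 neighbour line; the lladdr part is absent for FAILED/INCOMPLETE entries.
NEIGH_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+dev\s+\S+\s+"
    r"(?:lladdr\s+(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+)?"
    r"(?P<state>[A-Z]+)$",
    re.IGNORECASE,
)


def parse_neighbours(text):
    """Map IP -> (MAC or None, state) from 'ip neigh show' output.

    Entries without a resolved link-layer address (FAILED, INCOMPLETE) map to None.
    """
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if not m:
            continue  # IPv6 entries or flags this parser does not model
        mac = m.group("mac")
        table[m.group("ip")] = (mac.lower() if mac else None, m.group("state").upper())
    return table


def find_lease_conflicts(leases, neigh_text):
    """Return {ip: answering_mac} for each lease whose IP is answered by a
    different MAC than the one the DHCP server leased it to.

    With the leased device powered off, any MAC answering for that IP is a
    squatter: the server will keep OFFERing an address that is already taken,
    which is exactly the failure mode described in the post.
    """
    neigh = parse_neighbours(neigh_text)
    conflicts = {}
    for ip, leased_mac in leases.items():
        entry = neigh.get(ip)
        if entry is None:
            continue  # never seen on the wire: the address is free
        mac, _state = entry
        if mac is not None and mac != leased_mac.lower():
            conflicts[ip] = mac
    return conflicts


if __name__ == "__main__":
    for ip, squatter in find_lease_conflicts(LEASES, NEIGH_OUTPUT).items():
        print(f"{ip}: leased to {LEASES[ip]} but answered by {squatter}")
```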


Patton SmartNode BRI ISDN as an Asterisk gateway.

by on Dec.30, 2016, under Computer Stuff, SIP / VoIP

I've looked at and tried a few configuration files out there, and used Patton's web wizard. None are particularly clear about who registers with whom, etc. I also had problems with the "The other person has hung up" recorded message from BT when the other party hung up the call (cured by "allow early disconnect" in the SmartNode SIP profile).

Anyway, here is a configuration file for a Smartnode 4554 dual-BRI. There is no registration or SIP authentication. It is meant for a back-to-back Asterisk <-> Smartnode setup.

Before I get started, here is the trunk configuration, from FreePBX. It is using chan_sip, not chan_pjsip. In my builds, I disable pjsip (for the time being), and move chan_sip back to the former default of UDP port 5060. This is because I use a lot of mixed equipment and the troubleshooting has been extensive, and still, some minor issues persist between PJSIP on Asterisk/FPBX and the various brands of desk phones, cordless phones, gateways, and SIP trunk providers that I use.

One thing to note: I had to turn off “Send Progress” in my ‘RingAll’ Ring Group in FreePBX. The caller did not hear a ringback tone when calling in, if the destination was this ring group.

As usual, you do not need to enter anything at all on the ‘incoming’ settings in FreePBX. Yes this is counter-intuitive, and yes this system makes both incoming and outgoing calls via the gateway, but this is just how FreePBX manages the trunk setup. I never have, and never do put anything in the ‘incoming’ settings part of the chan_sip trunk setup in FreePBX, whether I am using a SIP trunk from an ITSP (Gamma, Voiceflex), a Cisco 2811 with an E1 PRI module, or this Patton Smartnode BRI gateway.

In these configuration examples, FreePBX is on 192.168.0.101. The Smartnode SN4554 is on 192.168.0.99.

OK, so once again, this is the FreePBX chan_sip trunk configuration. Just put the following in the Outgoing ‘Peer Details’ box (change the host= to be the IP address that you use for the Smartnode).

type=friend
insecure=very
host=192.168.0.99
dtmfmode=RFC2833

Next we have the SmartNode configuration. Copy and paste this into notepad, save it, then use the import facility in the web front-end to import it. Do note the “interface WAN -> ipaddress” stuff. You can change it to “dhcp” if you like, or alter the IP address before you do the import.

#----------------------------------------------------------------#
#                                                                #
# SN4554/2BIS/EUI                                                #
# R5.9 2012-09-05 SIP                                            #
# 2016-12-30T14:17:37                                            #
# SN/00A0BA0528A1                                                #
# Generated configuration file                                   #
#                                                                #
#----------------------------------------------------------------#

cli version 3.20
clock local default-offset +00:00
webserver port 80 language en

system

  ic voice 0

system
  clock-source 1 bri 0 1

profile ppp default

profile tone-set default

profile voip default
  codec 1 g711alaw64k rx-length 20 tx-length 20
  codec 2 g711ulaw64k rx-length 20 tx-length 20
  fax transmission 1 relay t38-udp
  fax transmission 2 bypass g711alaw64k rx-length 20 tx-length 20
  fax transmission 3 bypass g711ulaw64k rx-length 20 tx-length 20
  modem transmission 1 bypass g711alaw64k rx-length 20 tx-length 20
  modem transmission 2 bypass g711ulaw64k rx-length 20 tx-length 20

profile pstn default

profile sip default
  no autonomous-transitioning

profile aaa default
  method 1 local
  method 2 none

context ip router

  interface WAN
    ipaddress 192.168.0.99 255.255.255.0

context cs switch
  national-prefix 0
  international-prefix 00

  routing-table called-e164 RT_ISDN_TO_SIP
    route .T dest-interface IF_SIP

  interface isdn IF_ISDN_00
    route call dest-table RT_ISDN_TO_SIP
    call-reroute emit
    diversion emit

  interface isdn IF_ISDN_01
    route call dest-table RT_ISDN_TO_SIP
    call-reroute emit
    diversion emit

  interface sip IF_SIP
    bind context sip-gateway GW_SIP
    route call dest-service SRV_HG
    remote 192.168.0.101
    early-disconnect

  service hunt-group SRV_HG
    drop-cause normal-unspecified
    drop-cause no-circuit-channel-available
    drop-cause network-out-of-order
    drop-cause temporary-failure
    drop-cause switching-equipment-congestion
    drop-cause access-info-discarded
    drop-cause circuit-channel-not-available
    drop-cause resources-unavailable
    route call 1 dest-interface IF_ISDN_00
    route call 2 dest-interface IF_ISDN_01

context cs switch
  no shutdown

location-service SER_LOC
  domain 1 192.168.0.101
  match-any-domain

context sip-gateway GW_SIP

  interface IF_GWSIP
    bind interface WAN context router port 5060

context sip-gateway GW_SIP
  bind location-service SER_LOC
  no shutdown

port ethernet 0 0
  bind interface WAN router
  no shutdown

port bri 0 0
  clock auto
  encapsulation q921

  q921
    permanent-layer2
    protocol pp
    uni-side auto
    encapsulation q931

    q931
      protocol dss1
      uni-side user
      bchan-number-order ascending
      encapsulation cc-isdn
      bind interface IF_ISDN_00 switch

port bri 0 0
  no shutdown

port bri 0 1
  clock auto
  encapsulation q921

  q921
    permanent-layer2
    protocol pp
    uni-side auto
    encapsulation q931

    q931
      protocol dss1
      uni-side user
      bchan-number-order ascending
      encapsulation cc-isdn
      bind interface IF_ISDN_01 switch

port bri 0 1
  no shutdown


beginnings of arduino dual i2c slave for mi-light remote RGB+CCT dual white

by on Nov.12, 2016, under Uncategorized

This is as far as I got, then I had to refocus my life for a bit.

It acts as two independent I2C slaves on the same address (on two separate buses). The idea is to take the place of the two capacitive touch sensors in the MiLight remote, pretend to be them, and get the microcontroller on the little RF header board in the remote to send out the commands we want. This should remove the need to understand the new RGB+DualWhite (RGB+CCT) MiLight protocol with its as yet unbroken encryption.

This code is terrible and it will only spit out the same packet, but it's a start. I was able to get the bulb to change from off to on, or flashing, or blue, though unpredictably.

I used a Feather M0, the ARM one, which can run two I2C buses at the same time via its SERCOM peripherals.

I think I left some of the code commented out for the second I2C bus before I went to sleep; I was just experimenting. You can uncomment it, it was working.

// Wire Slave Sender
// by Nicholas Zambetti <http://www.zambetti.com>

// Demonstrates use of the Wire library
// Sends data as an I2C/TWI slave device
// Refer to the "Wire Master Reader" example for use with this

// Created 29 March 2006

// This example code is in the public domain.
#include <Wire.h>
#include "wiring_private.h" // pinPeripheral() function

// Second I2C bus on SERCOM1 (Feather M0): first pin is SDA, second pin is SCL
TwoWire myWire(&sercom1, 13, 11);

void requestEvent1();
void receiveEvent1(int howMany);
void requestEvent2();
void receiveEvent2(int howMany);
void PrintHex83(uint8_t *data, uint8_t length);

int reqNo_ch1 = 0;
int reqNo_ch2 = 0;
int on = 0;

// Flags set inside the I2C callbacks (interrupt context) and cleared in loop(),
// so they are declared volatile.
volatile char ch1read = 0;
volatile char ch2read = 0;
volatile char ch1write = 0;
volatile char ch2write = 0;

byte data1[5];
byte data2[5];
byte cmdon[] = {0x02, 0x00, 0x01, 0x00, 0x00};
byte cmdoff[] = {0x02, 0x00, 0x02, 0x00, 0x00};
byte btnReleased[] = {0x02, 0x00, 0x00, 0x00, 0x00};

void setup() {
  Wire.begin(0x53);                // join first i2c bus with address 0x53
  Wire.onRequest(requestEvent1);   // register event for i2c bus 1
  Wire.onReceive(receiveEvent1);   // register receive event (for Writes from master) for i2c bus 1
  myWire.begin(0x53);              // join second i2c bus with address 0x53
  pinPeripheral(11, PIO_SERCOM);
  pinPeripheral(13, PIO_SERCOM);   // Assign pins 13 & 11 to SERCOM functionality
  myWire.onRequest(requestEvent2); // register event for i2c bus 2
  myWire.onReceive(receiveEvent2); // register receive event (for Writes from master) for i2c bus 2
  // while (!Serial);
  Serial.begin(115200);            // start serial for output
}

void loop() {
  if (ch1read == 1) {
    if (on == 1) Serial.print("R1 on ");
    if (on == 0) Serial.print("R1 off ");
    ch1read = 0;
  }
  if (ch1write == 1) {
    Serial.print("W1:");
    PrintHex83(data1, 5);
    ch1write = 0;
  }

  if (ch2read == 1) {
    Serial.print("R2");
    ch2read = 0;
  }
  if (ch2write == 1) {
    Serial.print("W2:");
    PrintHex83(data2, 5);
    ch2write = 0;
  }
}

// function that executes whenever data is requested by master
// this function is registered as an event, see setup()
void requestEvent1() {
  ch1read = 1;
  if (reqNo_ch1 > 1) {
    if (on == 0) {
      Wire.write(cmdon, 5);        // respond with "on"
      on = 1;
    }
    else {
      Wire.write(cmdoff, 5);       // respond with "off"
      on = 0;
    }
    reqNo_ch1--;
  }
  else {
    Wire.write(btnReleased, 5);    // respond with "button released"
    reqNo_ch1 = 5;
  }
}

// function that executes whenever the master writes to us
void receiveEvent1(int howMany)
{
  ch1write = 1;
  int x = 0;
  // Drain the bus but never write past the end of data1 (the original started
  // at index 1, which left data1[0] unused and overflowed on a 5-byte write).
  while (Wire.available())
  {
    byte b = Wire.read();          // receive one byte
    if (x < (int)sizeof(data1)) data1[x++] = b;
  }
}

void requestEvent2() {
  ch2read = 1;
  // The second bus currently only ever answers "button released"; the toggling
  // logic from requestEvent1 is left here commented out.
  // if (reqNo_ch2 > 1) {
  //   if (on == 0) {
  //     myWire.write(cmdon, 5);    // respond with "on"
  //     on = 1;
  //     reqNo_ch2 = 0;
  //   }
  //   else {
  //     myWire.write(cmdoff, 5);   // respond with "off"
  //     on = 0;
  //   }
  //   reqNo_ch2--;
  // }
  // else {
  myWire.write(btnReleased, 5);    // respond with "button released"
  //   reqNo_ch2 = 5;
  // }
}

void receiveEvent2(int howMany)
{
  ch2write = 1;
  int x = 0;
  while (myWire.available())
  {
    byte b = myWire.read();        // receive one byte
    if (x < (int)sizeof(data2)) data2[x++] = b;
  }
}

// Route the SERCOM1 interrupt to the second Wire instance
extern "C" {
  void SERCOM1_Handler(void) {
    myWire.onService();
  }
}

void PrintHex83(uint8_t *data, uint8_t length) // prints 8-bit data in hex
{
  char tmp[length * 2 + 1];
  byte first;
  int j = 0;
  for (uint8_t i = 0; i < length; i++)
  {
    first = (data[i] >> 4) | 48;               // high nibble -> '0'..'9' or ':'..'?'
    if (first > 57) tmp[j] = first + (byte)39; // shift ':'..'?' up to 'a'..'f'
    else tmp[j] = first;
    j++;

    first = (data[i] & 0x0F) | 48;             // low nibble, same mapping
    if (first > 57) tmp[j] = first + (byte)39;
    else tmp[j] = first;
    j++;
  }
  tmp[length * 2] = 0;
  Serial.println(tmp);
}


Excel comparing dates greater/less than when one includes a time

by on Nov.08, 2016, under Computer Stuff

Want to check if the job done (cell C2) was on or before the deadline day (C1).

C1: 23/07/2015 (cell contains date only)
C2: 23/07/2015 01:00 (cell contains date and time)

Instead of:
=IF(C2<=C1,"Done on time","Not done on time")

use:
=IF(C2<C1+1,"Done on time","Not done on time")

Seems to work for me.

I have changed it from <= to just less-than (<), but incremented the deadline by a day.


CentOS / RHEL 7 firewall qs

by on Oct.26, 2016, under Computer Stuff

https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-using-firewalld-on-centos-7

How To Set Up a Firewall Using FirewallD on CentOS 7

Posted Jun 18, 2015

Introduction

Firewalld is a complete firewall solution available by default on CentOS 7 servers. In this guide, we will cover how to set up a firewall for your server and show you the basics of managing the firewall with the firewall-cmd administrative tool (if you'd rather use iptables with CentOS, follow this guide).

Basic Concepts in Firewalld

Before we begin talking about how to actually use the firewall-cmd utility to manage your firewall configuration, we should get familiar with a few basic concepts that the tool introduces.

Zones

The firewalld daemon manages groups of rules using entities called “zones”. Zones are basically sets of rules dictating what traffic should be allowed depending on the level of trust you have in the networks your computer is connected to. Network interfaces are assigned a zone to dictate the behavior that the firewall should allow.

For computers that might move between networks frequently (like laptops), this kind of flexibility provides a good method of changing your rules depending on your environment. You may have strict rules in place prohibiting most traffic when operating on a public WiFi network, while allowing more relaxed restrictions when connected to your home network. For a server, these zones are not as immediately important because the network environment rarely, if ever, changes.

Regardless of how dynamic your network environment may be, it is still useful to be familiar with the general idea behind each of the pre-defined zones for firewalld. In order from least trusted to most trusted, the pre-defined zones within firewalld are:

  • drop: The lowest level of trust. All incoming connections are dropped without reply and only outgoing connections are possible.
  • block: Similar to the above, but instead of simply dropping connections, incoming requests are rejected with an icmp-host-prohibited or icmp6-adm-prohibited message.
  • public: Represents public, untrusted networks. You don’t trust other computers but may allow selected incoming connections on a case-by-case basis.
  • external: External networks in the event that you are using the firewall as your gateway. It is configured for NAT masquerading so that your internal network remains private but reachable.
  • internal: The other side of the external zone, used for the internal portion of a gateway. The computers are fairly trustworthy and some additional services are available.
  • dmz: Used for computers located in a DMZ (isolated computers that will not have access to the rest of your network). Only certain incoming connections are allowed.
  • work: Used for work machines. Trust most of the computers in the network. A few more services might be allowed.
  • home: A home environment. It generally implies that you trust most of the other computers and that a few more services will be accepted.
  • trusted: Trust all of the machines in the network. The most open of the available options and should be used sparingly.

To use the firewall, we can create rules and alter the properties of our zones and then assign our network interfaces to whichever zones are most appropriate.

Rule Permanence

In firewalld, rules can be designated as either permanent or immediate. If a rule is added or modified, by default, the behavior of the currently running firewall is modified. At the next boot, the old rules will be reverted.

Most firewall-cmd operations can take the --permanent flag to indicate that the non-ephemeral firewall should be targeted. This will affect the rule set that is reloaded upon boot. This separation means that you can test rules in your active firewall instance and then reload if there are problems. You can also use the --permanent flag to build out an entire set of rules over time that will all be applied at once when the reload command is issued.

Turning on the Firewall

Before we can begin to create our firewall rules, we need to actually turn the daemon on. The systemd unit file is called firewalld.service. We can start the daemon for this session by typing:

  • sudo systemctl start firewalld.service

We can verify that the service is running and reachable by typing:

  • firewall-cmd --state
output
running

This indicates that our firewall is up and running with the default configuration.

At this point, we will not enable the service. Enabling the service would cause the firewall to start up at boot. We should wait until we have created our firewall rules and had an opportunity to test them before configuring this behavior. This can help us avoid being locked out of the machine if something goes wrong.

Getting Familiar with the Current Firewall Rules

Before we begin to make modifications, we should familiarize ourselves with the default environment and rules provided by the daemon.

Exploring the Defaults

We can see which zone is currently selected as the default by typing:

  • firewall-cmd --get-default-zone
output
public

Since we haven’t given firewalld any commands to deviate from the default zone, and none of our interfaces are configured to bind to another zone, that zone will also be the only “active” zone (the zone that is controlling the traffic for our interfaces). We can verify that by typing:

  • firewall-cmd --get-active-zones
output
public
  interfaces: eth0 eth1

Here, we can see that we have two network interfaces being controlled by the firewall (eth0 and eth1). They are both currently being managed according to the rules defined for the public zone.

How do we know what rules are associated with the public zone though? We can print out the default zone’s configuration by typing:

  • firewall-cmd --list-all
output
public (default, active)
  interfaces: eth0 eth1
  sources: 
  services: dhcpv6-client ssh
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules:

We can tell from the output that this zone is both the default and active and that the eth0 and eth1 interfaces are associated with this zone (we already knew all of this from our previous inquiries). However, we can also see that this zone allows for the normal operations associated with a DHCP client (for IP address assignment) and SSH (for remote administration).

Exploring Alternative Zones

Now we have a good idea about the configuration for the default and active zone. We can find out information about other zones as well.

To get a list of the available zones, type:

  • firewall-cmd --get-zones
output
block dmz drop external home internal public trusted work

We can see the specific configuration associated with a zone by including the --zone= parameter in our --list-all command:

  • firewall-cmd --zone=home --list-all
output
home
  interfaces: 
  sources: 
  services: dhcpv6-client ipp-client mdns samba-client ssh
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules:

You can output all of the zone definitions by using the --list-all-zones option. You will probably want to pipe the output into a pager for easier viewing:

  • firewall-cmd --list-all-zones | less

Selecting Zones for your Interfaces

Unless you have configured your network interfaces otherwise, each interface will be put in the default zone when the firewall is booted.

Changing the Zone of an Interface for the Current Session

You can transition an interface between zones during a session by using the --zone= parameter in combination with the --change-interface= parameter. As with all commands that modify the firewall, you will need to use sudo.

For instance, we can transition our eth0 interface to the “home” zone by typing this:

  • sudo firewall-cmd --zone=home --change-interface=eth0
output
success

Note

Whenever you are transitioning an interface to a new zone, be aware that you are probably modifying the services that will be operational. For instance, here we are moving to the "home" zone, which has SSH available. This means that our connection shouldn't drop. Some other zones do not have SSH enabled by default and if your connection is dropped while using one of these zones, you could find yourself unable to log back in.

We can verify that this was successful by asking for the active zones again:

  • firewall-cmd --get-active-zones
output
home
  interfaces: eth0
public
  interfaces: eth1

If the firewall is completely restarted, the interface will revert to the default zone:

  • sudo systemctl restart firewalld.service
  • firewall-cmd --get-active-zones
output
public
  interfaces: eth0 eth1

Changing the Zone of your Interface Permanently

Interfaces will always revert to the default zone if they do not have an alternative zone defined within their configuration. On CentOS, these configurations are defined within the /etc/sysconfig/network-scripts directory with files of the format ifcfg-interface.

To define a zone for the interface, open up the file associated with the interface you’d like to modify. We’ll demonstrate making the change we showed above permanent:

  • sudo nano /etc/sysconfig/network-scripts/ifcfg-eth0

At the bottom of the file, set the ZONE= variable to the zone you wish to associate with the interface. In our case, this would be the “home” interface:

/etc/sysconfig/network-scripts/ifcfg-eth0
. . .

DNS1=2001:4860:4860::8844
DNS2=2001:4860:4860::8888
DNS3=8.8.8.8
ZONE=home

Save and close the file.

To implement your changes, you’ll have to restart the network service, followed by the firewall service:

  • sudo systemctl restart network.service
  • sudo systemctl restart firewalld.service

After your firewall restarts, you can see that your eth0 interface is automatically placed in the “home” zone:

  • firewall-cmd --get-active-zones
output
home
  interfaces: eth0
public
  interfaces: eth1

Make sure to revert these changes if this is not the actual zone you’d like to use for this interface.

Adjusting the Default Zone

If all of your interfaces can best be handled by a single zone, it’s probably easier to just select the best default zone and then use that for your configuration.

You can change the default zone with the --set-default-zone= parameter. This will immediately change any interface that had fallen back on the default to the new zone:

  • sudo firewall-cmd --set-default-zone=home
output
home
  interfaces: eth0 eth1

Setting Rules for your Applications

The basic way of defining firewall exceptions for the services you wish to make available is easy. We’ll run through the basic idea here.

Adding a Service to your Zones

The easiest method is to add the services or ports you need to the zones you are using. Again, you can get a list of the available services with the --get-services option:

  • firewall-cmd --get-services
output
RH-Satellite-6 amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns ftp high-availability http https imaps ipp ipp-client ipsec kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind samba samba-client smtp ssh telnet tftp tftp-client transmission-client vnc-server wbem-https
Note

You can get more details about each of these services by looking at their associated .xml file within the /usr/lib/firewalld/services directory. For instance, the SSH service is defined like this:

/usr/lib/firewalld/services/ssh.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>SSH</short>
  <description>Secure Shell (SSH) is a protocol for logging into and executing commands on remote machines. It provides secure encrypted communications. If you plan on accessing your machine remotely via SSH over a firewalled interface, enable this option. You need the openssh-server package installed for this option to be useful.</description>
  <port protocol="tcp" port="22"/>
</service>

You can enable a service for a zone using the --add-service= parameter. The operation will target the default zone or whatever zone is specified by the --zone= parameter. By default, this will only adjust the current firewall session. You can adjust the permanent firewall configuration by including the --permanent flag.

For instance, if we are running a web server serving conventional HTTP traffic, we can allow this traffic for interfaces in our “public” zone for this session by typing:

  • sudo firewall-cmd --zone=public --add-service=http

You can leave out the --zone= if you wish to modify the default zone. We can verify the operation was successful by using the --list-all or --list-services operations:

  • firewall-cmd --zone=public --list-services
output
dhcpv6-client http ssh

Once you have tested that everything is working as it should, you will probably want to modify the permanent firewall rules so that your service will still be available after a reboot. We can make our “public” zone change permanent by typing:

  • sudo firewall-cmd --zone=public --permanent --add-service=http

You can verify that this was successful by adding the --permanent flag to the --list-services operation. You need to use sudo for any --permanent operations:

  • sudo firewall-cmd --zone=public --permanent --list-services
output
dhcpv6-client http ssh

Your “public” zone will now allow HTTP web traffic on port 80. If your web server is configured to use SSL/TLS, you’ll also want to add the https service. We can add that to the current session and the permanent rule-set by typing:

  • sudo firewall-cmd --zone=public --add-service=https
  • sudo firewall-cmd --zone=public --permanent --add-service=https
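Added example, not part of the tutorial: the split described under "Rule Permanence" means that anything added without --permanent, as in the first --add-service command above, disappears at the next reload or reboot. This Python script parses the --list-all output of one zone, once from the running firewall and once with --permanent, reports the difference, and prints the --permanent commands that would persist the runtime-only services and ports. Both listings are constructed sample output in the format shown earlier on this page; it is assumed you capture them yourself with "firewall-cmd --zone=public --list-all" and "sudo firewall-cmd --zone=public --permanent --list-all".

```python
# Fields of "firewall-cmd --list-all" output whose value is a whitespace-separated list.
LIST_FIELDS = ("interfaces", "sources", "services", "ports", "forward-ports", "icmp-blocks")
# Other single-value fields firewalld prints; anything else is a continuation line.
SCALAR_FIELDS = ("target", "icmp-block-inversion", "masquerade", "rich rules",
                 "protocols", "source-ports")

# Constructed runtime listing: https and port 5000/tcp were added without --permanent.
RUNTIME_LISTING = """\
public (default, active)
  interfaces: eth0 eth1
  sources: 
  services: dhcpv6-client http https ssh
  ports: 5000/tcp
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 
"""

# Constructed output of the same zone listed with --permanent.
PERMANENT_LISTING = """\
public
  interfaces: eth0 eth1
  sources: 
  services: dhcpv6-client http ssh
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 
"""


def parse_list_all(text):
    """Parse one zone's --list-all output into {"zone": name, field: set or string}."""
    lines = [line for line in text.splitlines() if line.strip()]
    if not lines:
        raise ValueError("empty listing")
    parsed = {"zone": lines[0].split()[0]}  # "public (default, active)" -> "public"
    for line in lines[1:]:
        key, sep, value = line.strip().partition(":")
        key = key.strip()
        if key in LIST_FIELDS:
            parsed[key] = set(value.split())
        elif sep and key in SCALAR_FIELDS:
            parsed[key] = value.strip()
        else:  # e.g. an individual rich rule printed under "rich rules:"
            parsed.setdefault("rich rules list", []).append(line.strip())
    return parsed


def reload_drift(runtime_text, permanent_text):
    """Compare the runtime and permanent configuration of one zone.

    Returns {field: {"lost_on_reload": set, "gained_on_reload": set}} for each
    list field that differs. "lost_on_reload" entries exist only in the running
    firewall and vanish at the next "firewall-cmd --reload" or reboot.
    """
    runtime, permanent = parse_list_all(runtime_text), parse_list_all(permanent_text)
    if runtime["zone"] != permanent["zone"]:
        raise ValueError(f"zone mismatch: {runtime['zone']} vs {permanent['zone']}")
    drift = {}
    for field in LIST_FIELDS:
        run, perm = runtime.get(field, set()), permanent.get(field, set())
        if run != perm:
            drift[field] = {"lost_on_reload": run - perm, "gained_on_reload": perm - run}
    return drift


def reconcile_commands(zone, drift):
    """Commands that persist runtime-only services and ports into the permanent config.

    Other fields (interfaces, sources, forward-ports, icmp-blocks) are reported by
    reload_drift but left for a human to decide on.
    """
    flags = {"services": "--add-service=", "ports": "--add-port="}
    commands = []
    for field, flag in flags.items():
        for item in sorted(drift.get(field, {}).get("lost_on_reload", ())):
            commands.append(f"firewall-cmd --zone={zone} --permanent {flag}{item}")
    return commands


if __name__ == "__main__":
    drift = reload_drift(RUNTIME_LISTING, PERMANENT_LISTING)
    for field, diff in drift.items():
        print(f"{field}: lost on reload {sorted(diff['lost_on_reload'])}, "
              f"gained on reload {sorted(diff['gained_on_reload'])}")
    for cmd in reconcile_commands("public", drift):
        print("sudo " + cmd)
```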

What If No Appropriate Service Is Available?

The firewall services that are included with the firewalld installation represent many of the most common requirements for applications that you may wish to allow access to. However, there will likely be scenarios where these services do not fit your requirements.

In this situation, you have two options.

Opening a Port for your Zones

The easiest way to add support for your specific application is to open up the ports that it uses in the appropriate zone(s). This is as easy as specifying the port or port range, and the associated protocol for the ports you need to open.

For instance, if our application runs on port 5000 and uses TCP, we could add this to the “public” zone for this session using the --add-port= parameter. Protocols can be either tcp or udp:

  • sudo firewall-cmd --zone=public --add-port=5000/tcp

We can verify that this was successful using the --list-ports operation:

  • firewall-cmd --list-ports
output
5000/tcp

It is also possible to specify a sequential range of ports by separating the beginning and ending port in the range with a dash. For instance, if our application uses UDP ports 4990 to 4999, we could open these up on “public” by typing:

  • sudo firewall-cmd --zone=public --add-port=4990-4999/udp

After testing, we would likely want to add these to the permanent firewall. You can do that by typing:

  • sudo firewall-cmd --zone=public --permanent --add-port=5000/tcp
  • sudo firewall-cmd --zone=public --permanent --add-port=4990-4999/udp
  • sudo firewall-cmd --zone=public --permanent --list-ports
output
success
success
4990-4999/udp 5000/tcp

Defining a Service

Opening ports for your zones is easy, but it can be difficult to keep track of what each one is for. If you ever decommission a service on your server, you may have a hard time remembering which ports that have been opened are still required. To avoid this situation, it is possible to define a service.

Services are simply collections of ports with an associated name and description. Using services is easier to administer than ports, but requires a bit of upfront work. The easiest way to start is to copy an existing script (found in /usr/lib/firewalld/services) to the /etc/firewalld/services directory where the firewall looks for non-standard definitions.

For instance, we could copy the SSH service definition to use for our “example” service definition like this. The filename minus the .xml suffix will dictate the name of the service within the firewall services list:

  • sudo cp /usr/lib/firewalld/services/ssh.xml /etc/firewalld/services/example.xml

Now, you can adjust the definition found in the file you copied:

  • sudo nano /etc/firewalld/services/example.xml

To start, the file will contain the SSH definition that you copied:

/etc/firewalld/services/example.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>SSH</short>
  <description>Secure Shell (SSH) is a protocol for logging into and executing commands on remote machines. It provides secure encrypted communications. If you plan on accessing your machine remotely via SSH over a firewalled interface, enable this option. You need the openssh-server package installed for this option to be useful.</description>
  <port protocol="tcp" port="22"/>
</service>

The majority of this definition is actually metadata. You will want to change the short name for the service within the <short> tags. This is a human-readable name for your service. You should also add a description so that you have more information if you ever need to audit the service. The only configuration you need to make that actually affects the functionality of the service will likely be the port definition where you identify the port number and protocol you wish to open. This can be specified multiple times.

For our “example” service, imagine that we need to open up port 7777 for TCP and 8888 for UDP. We could modify the existing definition with something like this:

/etc/firewalld/services/example.xml

<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>Example Service</short>
  <description>This is just an example service.  It probably shouldn't be used on a real system.</description>
  <port protocol="tcp" port="7777"/>
  <port protocol="udp" port="8888"/>
</service>

Save and close the file.

Reload your firewall to get access to your new service:

  • sudo firewall-cmd --reload

You can see that it is now among the list of available services:

  • firewall-cmd --get-services
output
RH-Satellite-6 amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns example ftp high-availability http https imaps ipp ipp-client ipsec kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind samba samba-client smtp ssh telnet tftp tftp-client transmission-client vnc-server wbem-https

You can now use this service in your zones as you normally would.

Creating Your Own Zones

While the predefined zones will probably be more than enough for most users, it can be helpful to define your own zones that are more descriptive of their function.

For instance, you might want to create a zone for your web server, called “publicweb”. However, you might want to have another zone configured for the DNS service you provide on your private network. You might want a zone called “privateDNS” for that.

When adding a zone, you must add it to the permanent firewall configuration. You can then reload to bring the configuration into your running session. For instance, we could create the two zones we discussed above by typing:

  • sudo firewall-cmd --permanent --new-zone=publicweb
  • sudo firewall-cmd --permanent --new-zone=privateDNS

You can verify that these are present in your permanent configuration by typing:

  • sudo firewall-cmd --permanent --get-zones
output
block dmz drop external home internal privateDNS public publicweb trusted work

As stated before, these won’t be available in the current instance of the firewall yet:

  • firewall-cmd --get-zones
output
block dmz drop external home internal public trusted work

Reload the firewall to bring these new zones into the active configuration:

  • sudo firewall-cmd --reload
  • firewall-cmd --get-zones
output
block dmz drop external home internal privateDNS public publicweb trusted work

Now, you can begin assigning the appropriate services and ports to your zones. It’s usually a good idea to adjust the active instance and then transfer those changes to the permanent configuration after testing. For instance, for the “publicweb” zone, you might want to add the SSH, HTTP, and HTTPS services:

  • sudo firewall-cmd --zone=publicweb --add-service=ssh
  • sudo firewall-cmd --zone=publicweb --add-service=http
  • sudo firewall-cmd --zone=publicweb --add-service=https
  • firewall-cmd --zone=publicweb --list-all
output
publicweb
  interfaces: 
  sources: 
  services: http https ssh
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules:

Likewise, we can add the DNS service to our “privateDNS” zone:

  • sudo firewall-cmd --zone=privateDNS --add-service=dns
  • firewall-cmd --zone=privateDNS --list-all
output
privateDNS
  interfaces: 
  sources: 
  services: dns
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules:

We could then change our interfaces over to these new zones to test them out:

  • sudo firewall-cmd --zone=publicweb --change-interface=eth0
  • sudo firewall-cmd --zone=privateDNS --change-interface=eth1

At this point, you have the opportunity to test your configuration. If these values work for you, you will want to add the same rules to the permanent configuration. You can do that by re-applying the rules with the --permanent flag:

  • sudo firewall-cmd --zone=publicweb --permanent --add-service=ssh
  • sudo firewall-cmd --zone=publicweb --permanent --add-service=http
  • sudo firewall-cmd --zone=publicweb --permanent --add-service=https
  • sudo firewall-cmd --zone=privateDNS --permanent --add-service=dns

You can then modify your network interfaces to automatically select the correct zones.

We can associate the eth0 interface with the “publicweb” zone:

  • sudo nano /etc/sysconfig/network-scripts/ifcfg-eth0
/etc/sysconfig/network-scripts/ifcfg-eth0
. . .

IPV6_AUTOCONF=no
DNS1=2001:4860:4860::8844
DNS2=2001:4860:4860::8888
DNS3=8.8.8.8
ZONE=publicweb

And we can associate the eth1 interface with “privateDNS”:

  • sudo nano /etc/sysconfig/network-scripts/ifcfg-eth1
/etc/sysconfig/network-scripts/ifcfg-eth1
. . .

NETMASK=255.255.0.0
DEFROUTE='no'
NM_CONTROLLED='yes'
ZONE=privateDNS

Afterwards, you can restart your network and firewall services:

  • sudo systemctl restart network
  • sudo systemctl restart firewalld

Validate that the correct zones were assigned:

  • firewall-cmd --get-active-zones
output
privateDNS
  interfaces: eth1
publicweb
  interfaces: eth0

And validate that the appropriate services are available for both of the zones:

  • firewall-cmd --zone=publicweb --list-services
output
http https ssh
  • firewall-cmd --zone=privateDNS --list-services
output
dns

You have successfully set up your own zones. If you want to make one of these zones the default for other interfaces, remember to configure that behavior with the --set-default-zone= parameter:

sudo firewall-cmd --set-default-zone=publicweb

Enable Your Firewall to Start at Boot

At the beginning of the guide, we started our firewalld service, but we did not enable it. If you are happy with your current configuration and have tested that it is functional when you restart the service, you can safely enable the service.

To configure your firewall to start at boot, type:

  • sudo systemctl enable firewalld

When the server restarts, your firewall should be brought up, your network interfaces should be put into the zones you configured (or fall back to the configured default zone), and the rules associated with the zone(s) will be applied to the associated interfaces.

Conclusion

You should now have a fairly good understanding of how to administer the firewalld service on your CentOS system for day-to-day use.

The firewalld service allows you to configure maintainable rules and rule-sets that take into consideration your network environment. It allows you to seamlessly transition between different firewall policies through the use of zones and gives administrators the ability to abstract the port management into more friendly service definitions. Acquiring a working knowledge of this system will allow you to take advantage of the flexibility and power that this tool provides.


SCAM WARNING digitrete.it bluegreensport.it serrenticalcio.it odadiaccetoragazzi.it integral-coaching-essen.de

by on May.15, 2016, under Computer Stuff

digitrete.it

bluegreensport.it

serrenticalcio.it

odadiaccetoragazzi.it

integral-coaching-essen.de

These are scam websites. They will send you some $10 Chinese shoes/boots from China, not the $200 – $500 shoes that you ordered.

All of these websites were created in the past couple of months and registered through a German registrar.


SCAM WARNING digitrete.it bluegreensport.it serrenticalcio.it odadiaccetoragazzi.it integral-coaching-essen.de

by on May.06, 2016, under Computer Stuff

digitrete.it

bluegreensport.it

serrenticalcio.it

odadiaccetoragazzi.it

integral-coaching-essen.de

These are scam websites. They will send you some $10 Chinese shoes/boots from China, not the $200 – $500 shoes that you ordered.

All of these websites were created in the past couple of months and registered through a German registrar.

