IRC Archive / Freenode / #centos / 2015 / July / 30 / 1
raub
Evolution: ok, mounting encrypted fileshare into /var/lib/mysql. This way, if someone does not do the proper stuff, they can enjoy a brand new database
Digipeng
I want to configure something on entos 7 firewalld egress, but I don't see instructions for that.
centos*
I searched Google and 3 man pages, and got nowhere.
bind dns port in is 53 but it uses a random port on the output and I want to configure it to open for bind when its sending and close for everything else.
output wise
xand
Digipeng: iptables lets you specify the user when creating OUTPUT rules. no idea how that translates to firewalld.
(also the destination port)
but you could let only the named user do things
I really do wonder why RedHat thought they needed to develop firewalld
Digipeng
thanks @xand ill see if anyone else has ideas, before I play with iptables.
TrevorH
inbound dns queries should be allowed by a related,established entry
that is, responses to ...
B_rake
Digipeng: are you wanting to allow traffic to pass only through 53 for src and dst? I believe the src (client) is going to be on an ephemeral port
so you wouldn't want to reject all except from src 53 to dst 53 unless you can ensure that the client side will only be initiating from 53 which isn't standard
TrevorH
queries to external nameservers will be directed to dport 53 and responses should be allowed by related,established
queries to a nameserver running on your box will come in with dport 53 and responses from it should be allowed by the related,established entry in your outbound rules
Digipeng
http://pastebin.centos.org/31511/ is what I was reading and what I'm trying to do.
sorry for the big quote. I didn't see any other way to condense it.
Thanks all.
so outbound is context based trevorh?
TrevorH
yes, you used to be able to fix *outbound* queries so that they came from udp port 53 but it's not recommended any more
but if you're looking at outbound queries then they will be destined for --dport 53 so you can just allow that in your outbound rules
Digipeng
does firewalld offer outbound rules? or when you say allow dns it allows dns outbound?
allow dns for the zone in firewalld that is
TrevorH
if it doesn't offer outbound rules then how were you hoping to control egress?
I see mention of outbound in iptables-save | grep -i output
Digipeng
tables yay
Thank you @TrevorH
cdrakka
I have a KVM server set up using SR-IOV for the network interfaces. The virtual interfaces show up on the system as well as in virt-manager. However, when I go to create a VM and select one of those network interfaces, the connection doesn't seem to work (the VM receives no IP from DHCP.) Is there some additional step I'm missing here?
kexmex
hey guys, if someone could help me get Cron working again, i'd really appreciate it
CROND[11493]: (root) CMD (run-parts /etc/cron.hourly)
i see this
but none of the scripts in that folder actually run
cdrakka
kexmex: Are they set executable?
kexmex
yea
-rwx------.
0anacron doesn't even run
when i run run-parts /etc/cron.hourly as root it runs fine and logs to /var/log/cron
sartan
cron won't log anything if the commands run without stderr
your stuff could actually be working
kexmex
it logs when i run run-parts manually
it lists the scripts that it runs
no, it's not working for sure
run-parts(/etc/cron.hourly/)[11917]: starting 0anacron
sartan
oh, okay, might be something different then
kexmex
run-parts(/etc/cron.hourly/)[11926]: finished 0anacron
sartan
is the cron service running at least?
kexmex
when i run them manually
well
sartan
are you on centos 7?
kexmex
Active: active (running) since Mon 2015-07-20 17:18:07 UTC; 1 weeks 2 days ago
crond
yea 7

i am pretty annoyed, it just stopped working once i did service crond reload
this is from /var/log/messages
crond: log_it: (root 12092) CMD (run-parts /etc/cron.hourly)
and nothing runs
pj
try restart instead of reload
Bahhumbug
It's possible it's selinux as well.
pj
yep
kexmex
tried restart also
and selinux is off
# getenforce Permissive
would restarting the box help? :)
Bahhumbug
Of course it is...
pj
if it stopped when you did a reload, though, I would suspect that the reload botched it. reload generally sends a signal to the running daemon to tell it to reload its config, whereas restart generally kills the daemon and starts a new one.
kexmex
Bahhumbug: if it was a bit more user friendly then i'd mess with it-- but my own apps need rules
pj: did restart also tho
pj
(Action) nods
Bahhumbug
Yeah, sorry, I don't buy that any longer. This isn't 2005 any more. There is nothing difficult about selinux. Spend an _hour_ reading up on it and you'll likely be able to add any rules you need.
@selinux
centbot
Useful resources for SELinux: http://wiki.centos.org/HowTos/SELinux | http://wiki.centos.org/TipsAndTricks/SelinuxBooleans | http://docs.fedoraproject.org/en-US/Fedora/13/html/Security-Enhanced_Linux/ | http://www.youtube.com/watch?v=bQqX3RWn0Yw | http://opensource.com/business/13/11/selinux-policy-guide
kexmex
what's this? crond[12129]: (CRON) INFO (@reboot jobs will be run at computer's startup.)
Bahhumbug
Just a warning.
kexmex
Bahhumbug: i spent more than an hour to get my webserver up and running
Bahhumbug
Or information alert, actually.
kexmex
i gave it an honest try :)
why it's so difficult i don't understand really
Bahhumbug
It's really not :)
kexmex
the symbols of things.. instead of giving stuff userfriendly names etc
pj
if it's set to permissive and still not working then the problem isn't selinux, though.
Bahhumbug
Check /var/log/messages for anything of interest.
kexmex
i do see some lame stuff in messages
Bahhumbug
Check dmesg for anything of interest.
kexmex
sec
pj
add in a cron job that simply appends a datestamp to a temporary file, I would do something like this in /etc/crontab: * * * * * root echo "$(date)" >> /tmp/crontest
see if that fires off every minute.
actually, just date >> /tmp/crontest
kexmex
pj
(Action) kicks himself for the needless echo crap
kexmex
at :04 it was scheduled to run
and then later on i restarted crond
that's all i see there
what about mail, can i check that? i don't have a mail client but i see it writes something to the mail log
maybe it has an error in there?
pj
what did it write to maillog?
(pastebin)
kexmex
i dunno how to check :)