logs archiveIRC Archive / Freenode / #centos / 2015 / August / 22 / 1
z1haze
i dont see what adding that source did though
because people can still connect on the ports that i have open from any ip
doesnt that mean that it adds that as a source what can access on any port?
ks3
That command says "map source IP ipgoeshere/32 to the firewall zone public". As I mentioned, unless you've configured it otherwise, public is the default zone. So, your command mapped the IP to the public zone, which it would have been in anyway as that is the default.
If you map it to a zone other than public you should see a difference.
z1haze
can you help me out with that? quite confusing
ks3
To get a list of all zones, run 'firewall-cmd --list-all-zones'
To map it to a different zone, run the same command that you already used, but change "public" to a different zone name.
z1haze
ok seems there is: block, dmz, drop, external, home, internal, public (default), work
JHogarth
hmm second time i've linked this today ...
z1haze: have a read of https://www.hogarthuk.com/?q=node/9 .. see if that helps clarify things
z1haze
uh
this is a damn book
i have everything but the trusted zone it seems
c0dyhi11
tigalch: Zathrus: AndyCap: DiscordianUK: Thanks for your help guys. My issues are resolved. The issue ended up being that the VirtIO driver and the HyperVisor i'm running on are not happy together.
I switched to an E1000 adapter and all the issues went away.
z1haze
weird.. so when i run --get-active-zones i only see trusted
but when i run --get-default-zone i see public
shouldnt public be an active zone?
c0dyhi11
I am redeploying the appliance to remove all of the hacking and editing I did on it before I move forward. But if any one here ever tries to use Ravello to spin up a nested lab... Beware of the VirtIO NIC
ks3
Do you have your only interface mapped to the trusted zone?
z1haze
dont really know what that means
why would public zone not be in the active zones?
ks3
firewall-cmd --list-all-zones will show what source addresses and network interfaces are mapped to the different zones. You can map to zones by IP or interface.
z1haze
right i already replied with all the zones that were in there
public shows active in this list, but not when i do get-active-zones
Zathrus
rather surprised Ravello isn't using RHEL
c0dyhi11
Actifio is the one with the CentOS appliance.
z1haze
what i want to accomplish - allow full access to my server from 2 ip's but leave the default settings as they are for everyone else
how do i do that?
c0dyhi11
ravello built a thin hypervisor on top of AWS and Google's cloud so that you can nest ESXi and other things...
To build full labs.
It's a pretty cool product. But it's not without it's downfalls.
z1haze
is this not right? firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" \
source address="1.2.3.4/32" \
port protocol="tcp" port="4567" accept'
ks3
I avoid rich rules wherever possible, but you can go that route. I also see that your --add-source command had --permanent, so that setting won't go in until the next time the service is restarted. If you run the command without --permanent, it will go in immediately.
Same thing with your --add-rich-rule command
z1haze
but then when it restarts it gets deleted
ive been down that road
ks3
Indeed.
z1haze
the most unintuitive design ive ever seen
JHogarth
good practice to get into the habit of doing it without --permanent and then when tested doing firewall-cmd --runtime-to-permanent
z1haze
oh cool
so that just takes all current rules and makes them perm?
JHogarth
it's the similar idea to most firewall devices - cisco asa for example ... do access list stuff and then do a wr mem to make them permanent
yes anything that was only added runtime would get persisted
funnily enough this is in the link I showed you ;)
z1haze
you suggested not to use rich-rule, how else can i achieve what i want?
theres a lot in that link you showed me..
JHogarth
create a new zone and associate those IPs with that zone ... add the port allow to just that zone
it's not a simple topic - get used to reviewing longish documents if you want to do sysadmin work
z1haze
but see, in the default zone i dont have any ip's specified and it allows from everywhere, is that just standard for the default one?
JHogarth
think of the word default ... what does default tell you?
z1haze
um, out of the box
standard
JHogarth
I didn't write up the blog article for fun ... in the time you've spent questioning me you could have hit all the topics I've highlighted to you so far
z1haze
or perhaps, 'nonpayment'
JHogarth
(Action) has actual work to do ... and then bed
z1haze
take care, thank you
to add a new zone, i need to know what 'interface' right?
mmlj4
what kind of zone?
never mind, i see above
JHogarth
z1haze: from the doc I linked you... the section entitled "assigning a zone to an interface or source network" ... A zone can be associated with one or more interfaces or sources.
notice the word 'or'
z1haze
i know i saw it, but not really knowing what a interface is
JHogarth
network interface ... eg eth0 or em1 or p4p2 or whatever you have on your system
you can link a zone to a network interface ... and a zone can also (or instead of) be associated with a source network
z1haze
how can I check?
JHogarth
you may want to head to ##linux ... this is getting to pretty basic stuff if you don't know what a network interface is
DiscordianUK
+1
Digipeng
So I am building a slave(secondary) bind 9 dns server on centos 7 and I am wondering what I should put for reverse lookup in my /var/named/chroot/etc/named.conf?
can there be a slave reverse lookup for that zone?
TrevorH
a secondary server should take all its zones from the master
Digipeng
right.
set the setting to slave point to the master and copy the settings file from the master server?
when i meant settings i meant the ptr record
Dragotha
bind treats a reverse zone the same as a forward zone. it's just a database
DiscordianUK
I think there's #bind
Might be a better place to ask
TrevorH
it's just a zone
DiscordianUK
hup the dns server to make it reread
or do i mean sigusr1
TrevorH
if it's a slave server then the master ought to push the changes to it (or it should pull depending on config)
DiscordianUK
aye
TrevorH
and with use of keys and nsupdate there's no need to restart/reload anything
DiscordianUK
yep
gets complicated if Windows DNS is involved
Digipeng
I am asking in #bind
DiscordianUK
k
TrevorH
I have yet to find a way of getting windows dns to update a bind server using a key
DiscordianUK
windows dns is nasty and not standards compliant
TrevorH
s/dns//
DiscordianUK
agreed
kaos01
no need for signals, that's what rndc is for :)
DiscordianUK
Now I have my new NUC I can run vms of other osen
Digipeng
spell check discordianUK?
DiscordianUK
For what
nuc=next unit of computing
Digipeng
other osen?