[BlueOnyx:26418] Re: Manual install notes for 5211R AlmaLinux 9

Michael Stauber mstauber at blueonyx.it
Fri Aug 25 18:30:57 -05 2023


Hi Herb,

> Thanks for everyone's hard work on BlueOnyx!

Thank you for using BlueOnyx! :o)

> I just installed 5211R AlmaLinux using the manual mode and ran into an 
> issue.
> 
> I had the /home directory mounted as ext4 in my /etc/fstab file. All normal.
> 
> The installation tried to add "gquota" and "uquota" to the fstab file
> but that didn't work since it's "grpquota" and "usrquota".

Oh yeah. I should have mentioned that in the install docs: The 
filesystem of choice is now XFS (the default of EL8 and EL9!) and our 
entire tool-chain for disk quota builds on this. That's why it was 
trying to use "gquota" and "uquota" (the XFS variants of those tools) 
instead of "grpquota" and "usrquota", which was how these were named for 
EXT3 and EXT4.

> Of course upon reboot it didn't mount and all hell broke loose requiring
> a lot of hand fixes to complete the process.

Yeah, I can imagine. Sorry about that!

> So I think I found a bug??

An oversight. The documentation should have made it clear that it ought 
to be XFS now. I'll fix it and I thank you for pointing it out!

> When I was finished with the install issues I noticed firewalld was not 
> started.

Correct. We configure it (to open the ports relevant to BlueOnyx), but 
don't start it automatically. But just start it and enable it and you 
should be good.

> I need to limit ssh access.
> I was an old hosts.deny fan. Back when CentOS 7 was current.

Yeah, sadly the RedHat overlords decided to do away with TCPWrapper 
support and with that hosts.allow and hosts.deny got dropped from the OS 
and there is no sensible way to get them back.

> Can these commands be used without a problem with BlueOnyx?
> 
> firewall-cmd --get-default-zone
> 
> firewall-cmd --permanent --remove-service=ssh
> 
> firewall-cmd --permanent --new-zone=sshzone
> 
> firewall-cmd --permanent --zone=sshzone --add-source=111.264.132.201/32
> 
> firewall-cmd --permanent --zone=sshzone --add-source=63.61.153.48/29
> 
> firewall-cmd --permanent --zone=sshzone --add-source=211.228.142.32/28
> 
> firewall-cmd --permanent --zone=sshzone --add-service=ssh
> 
> firewall-cmd --reload
> 
> firewall-cmd --list-all-zones
> 
> 
> I was going to make a script to manage the ip list (add, remove, list, 
> init zone)

In principle you can use all the commands that Firewalld offers you and 
there is nothing in a stock BlueOnyx that messes with this. Aside from 
once opening the BlueOnyx ports we don't touch Firewalld past the 
initial setup.

Or you can get "APF" from the BlueOnyx shop:

https://shop.blueonyx.it/apf.html

On 5210R and 5211R this grants you access to two PKGs:

- APF (Advanced Package Firewall)
- Firewalld

Ignore APF and install the "Firewalld" Package. It gives you a nice GUI 
to manage all sensible aspects of Firewalld on your BlueOnyx directly 
from the GUI. It also integrates GeoIP zone blocks, so you can block 
whole countries from accessing your server. It uses IPsets for this, so 
even large zone blocks don't have much of an impact on the time it needs 
to restart the firewall. It's then not loading thousands of IP address 
ranges, but whole "precompiled" sets in one go. Which is pretty neat.

-- 
With best regards

Michael Stauber
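
A small shell manager for the SSH allow-list zone that Herb sketched above (init, add, remove, list), added here as an example; it is not code from this thread or from BlueOnyx. It assumes the zone is called sshzone and that firewall-cmd is on PATH; the FIREWALL_CMD and SSH_ZONE environment variables are my own additions for dry-runs and renaming. Each source is validated as an IPv4 CIDR before it reaches firewall-cmd, which also catches the first address in the quoted list (an octet of 264 cannot exist).

```shell
#!/bin/sh
# Added example (not BlueOnyx code): manage an allow-list zone for SSH with
# firewall-cmd. Assumes the zone is called "sshzone" and firewall-cmd is on
# PATH; set FIREWALL_CMD=echo to dry-run and only print the invocations.
set -eu
FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"
ZONE="${SSH_ZONE:-sshzone}"
fw() { "$FIREWALL_CMD" "$@"; }
# Accept only a.b.c.d/n with octets 0-255 and prefix 0-32, so a typo never
# reaches firewall-cmd (or silently opens more than intended).
valid_cidr() {
    ip=${1%/*}; prefix=${1#*/}
    [ "$ip" != "$1" ] || return 1                      # no "/prefix" given
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
}

# One-time setup: create the zone, attach ssh to it only, and drop ssh from
# the default zone so only listed sources can reach port 22.
init_zone() {
    fw --permanent --new-zone="$ZONE"
    fw --permanent --zone="$ZONE" --add-service=ssh
    fw --permanent --remove-service=ssh
    fw --reload
}
# add|remove a source after validating it, then reload so the change is live.
change_source() {
    valid_cidr "$2" || { echo "invalid CIDR: $2" >&2; return 2; }
    fw --permanent --zone="$ZONE" "--$1-source=$2" && fw --reload
}
list_sources() { fw --permanent --zone="$ZONE" --list-sources; }
# Dispatch only when run with arguments, so the file can also be sourced.
if [ $# -gt 0 ]; then
    cmd=$1; shift
    case "$cmd" in
        init)   init_zone ;;
        add)    change_source add "${1:-}" ;;
        remove) change_source remove "${1:-}" ;;
        list)   list_sources ;;
        *) echo "usage: $0 {init|add CIDR|remove CIDR|list}" >&2; exit 1 ;;
    esac
fi
```

Run `init` once after the zone has at least one source added, otherwise removing the ssh service from the default zone can lock out the session you are working from.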
