[BlueOnyx:26419] Re: Manual install notes for 5211R AlmaLinux 9

Herbert Rubin herbr at pfinders.com
Fri Aug 25 21:38:43 -05 2023


Michael,

Thanks for the quick response.

One more thing.

When I tail the log /var/log/messages I see this every 15 seconds:

Aug 25 19:34:19 d06 sauce_serviced[982]: Daemon.pm: /usr/bin/systemctl restart ipchains.service: Transaction failed with exit code 1280

Aug 25 19:34:34 d06 sauce_serviced[982]: Daemon.pm: /usr/bin/systemctl restart ipchains.service: Transaction failed with exit code 1280

Aug 25 19:34:49 d06 sauce_serviced[982]: Daemon.pm: /usr/bin/systemctl restart ipchains.service: Transaction failed with exit code 1280


How do I get it to stop?


Herb

5211R AlmaLinux 9

On Fri, Aug 25, 2023 at 4:55 PM Michael Stauber via Blueonyx <
blueonyx at mail.blueonyx.it> wrote:

> Hi Herb,
>
> > Thanks for everyone's hard work on BlueOnyx!
>
> Thank you for using BlueOnyx! :o)
>
> > I just installed 5211R AlmaLinux using the manual mode and ran into an
> > issue.
> >
> > I had the /home directory mounted as ext4 in my /etc/fstab file. All
> normal.
> >
> > The installation tried to add "gquota" and "uquota" to the fstab file
> > but that didn't work since it's "grpquota" and "usrquota".
>
> Oh yeah. I should have mentioned that in the install docs: The
> filesystem of choice is now XFS (the default of EL8 and EL9!) and our
> entire tool-chain for disk quota builds on this. That's why it was
> trying to use "gquota" and "uquota" (the XFS variants of those tools)
> instead of "grpquota" and "usrquota", which was how these were named for
> EXT3 and EXT4.
>
> > Of course upon reboot it didn't mount and all hell broke loose,
> > requiring a lot of hand fixes to complete the process.
>
> Yeah, I can imagine. Sorry about that!
>
> > So I think I found a bug??
>
> An oversight. The documentation should have made it clear that it ought
> to be XFS now. I'll fix it and I thank you for pointing it out!
>
> > When I was finished with the install issues I noticed firewalld was not
> > started.
>
> Correct. We configure it (to open the ports relevant to BlueOnyx), but
> don't start it automatically. But just start it and enable it and you
> should be good.
>
> > I need to limit ssh access.
> > I was an old hosts.deny fan, back when CentOS 7 was current.
>
> Yeah, sadly the RedHat overlords decided to do away with TCPWrapper
> support and with that hosts.allow and hosts.deny got dropped from the OS
> and there is no sensible way to get them back.
>
> > Can these commands be used without a problem with BlueOnyx?
> >
> > firewall-cmd --get-default-zone
> >
> > firewall-cmd --permanent --remove-service=ssh
> >
> > firewall-cmd --permanent --new-zone=sshzone
> >
> > firewall-cmd --permanent --zone=sshzone --add-source=111.264.132.201/32
> >
> > firewall-cmd --permanent --zone=sshzone --add-source=63.61.153.48/29
> >
> > firewall-cmd --permanent --zone=sshzone --add-source=211.228.142.32/28
> >
> > firewall-cmd --permanent --zone=sshzone --add-service=ssh
> >
> > firewall-cmd --reload
> >
> > firewall-cmd --list-all-zones
> >
> >
> > I was going to make a script to manage the ip list (add, remove, list,
> > init zone)
>
> In principle you can use all the commands that Firewalld offers you and
> there is nothing in a stock BlueOnyx that messes with this. Aside from
> once opening the BlueOnyx ports we don't touch Firewalld past the
> initial setup.
>
> Or you can get "APF" from the BlueOnyx shop:
>
> https://shop.blueonyx.it/apf.html
>
> On 5210R and 5211R this grants you access to two PKGs:
>
> - APF (Advanced Package Firewall)
> - Firewalld
>
> Ignore APF and install the "Firewalld" Package. It gives you a nice GUI
> to manage all sensible aspects of Firewalld on your BlueOnyx directly
> from the GUI. It also integrates GeoIP zone blocks, so you can block
> whole countries from accessing your server. It uses IPsets for this, so
> even large zone blocks don't have much of an impact on the time it needs
> to restart the firewall. It's then not loading thousands of IP address
> ranges, but whole "precompiled" sets in one go. Which is pretty neat.
>
> --
> With best regards
>
> Michael Stauber
>
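A management script of the kind Herb describes (init the zone, add, remove, list), added here as an example; it is not code from the thread or from BlueOnyx. It assumes the zone name `sshzone` and the `firewall-cmd` calls quoted above, lets `FWCMD` point at a stub for a dry run, and validates the CIDR locally so a typo is reported before firewalld sees it and the zone is never left half-configured.

```sh
#!/bin/sh
# Hypothetical helper for an SSH allow-list zone in firewalld (not from BlueOnyx).
# Usage: ssh-allow.sh init | add <cidr> | remove <cidr> | list
set -euf                          # -f: no globbing when we split on "."

ZONE="${SSHZONE:-sshzone}"        # assumption: zone name used in the thread
FWCMD="${FWCMD:-firewall-cmd}"    # point at a stub for a dry run

# Accept a.b.c.d or a.b.c.d/n: four octets 0-255 and an optional prefix 0-32.
valid_cidr() {
    ip="${1%%/*}"; pfx="${1#*/}"
    [ "$pfx" = "$1" ] && pfx=32
    case "$pfx" in ''|*[!0-9]*) return 1 ;; esac
    [ "$pfx" -le 32 ] || return 1
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
}

# Create the zone and move the ssh service into it. No --reload here on purpose:
# add the address you are working from first, then reload, so your session survives.
init_zone() {
    "$FWCMD" --permanent --new-zone="$ZONE"
    "$FWCMD" --permanent --remove-service=ssh            # from the default zone
    "$FWCMD" --permanent --zone="$ZONE" --add-service=ssh
}

# Validate before firewalld sees the value; reload only if the permanent change succeeded.
change_source() {
    valid_cidr "$2" || { echo "invalid source: $2" >&2; return 2; }
    "$FWCMD" --permanent --zone="$ZONE" "--$1-source=$2" && "$FWCMD" --reload
}
add_source()    { change_source add "$1"; }
remove_source() { change_source remove "$1"; }
list_sources()  { "$FWCMD" --permanent --zone="$ZONE" --list-sources; }

main() {
    case "$1" in
        init)   init_zone ;;
        add)    add_source "${2:-}" ;;
        remove) remove_source "${2:-}" ;;
        list)   list_sources ;;
        *) echo "usage: $0 init | add <cidr> | remove <cidr> | list" >&2; return 1 ;;
    esac
}

if [ $# -gt 0 ]; then main "$@"; fi
```

Run `init` and then `add` for the network you are connected from before anything else; `add` performs the reload, so ssh is never restricted to an empty zone.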