AlmaLinux9 - hpaluch/hpaluch.github.io GitHub Wiki
Here are my tips on AlmaLinux 9.

Here is the list of packages I install:

```
# dnf install bash-completion vim-enhanced curl wget tmux lsof bind-utils net-tools man-pages
```
In AlmaLinux 8 it was enough to edit /etc/default/grub, append net.ifnames=0 to the variable GRUB_CMDLINE_LINUX and regenerate the config with grub2-mkconfig -o /boot/grub2/grub.cfg.

But now there is the grubby wrapper (or the sdgrubby wrapper for UEFI machines), so I simply appended net.ifnames=0 to the options ... line of all files /boot/loader/entries/*.conf.
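The edit described above, done idempotently over a directory of BLS entry files, as an added example that is not part of the wiki (the function name add_kernel_param and the temporary-file rename are my own; on a real box point it at /boot/loader/entries):

```shell
# Append a kernel parameter to the "options" line of every BLS entry file
# (the /boot/loader/entries/*.conf layout the wiki describes) under directory $1,
# skipping files that already carry it, so the function is safe to re-run.
# Prints the path of each file it changed. Hypothetical helper, not wiki code.
add_kernel_param() {
  dir=$1
  param=$2
  for f in "$dir"/*.conf; do
    [ -f "$f" ] || continue
    # Already present as a whole word on the options line? Then leave it alone.
    if awk -v p="$param" '
          $1 == "options" { for (i = 2; i <= NF; i++) if ($i == p) found = 1 }
          END { exit (found ? 0 : 1) }' "$f"; then
      continue
    fi
    # Rewrite only the options line; every other line is printed unchanged.
    awk -v p="$param" '$1 == "options" { $0 = $0 " " p } { print }' "$f" > "$f.tmp" \
      && mv "$f.tmp" "$f" && echo "$f"
  done
}
```

Where grubby is available, `grubby --update-kernel=ALL --args="net.ifnames=0"` edits the same BLS entries for you.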
After reboot there is a small cosmetic problem: the new eth0 connection is called Wired connection 1, as shown below:

```
# nmcli c
NAME                UUID                                  TYPE      DEVICE
Wired connection 1  64fc151c-e7a9-339c-b5b6-8e1557c15989  ethernet  eth0
lo                  3b231043-38cc-46d2-9d73-ef8fa3f2551d  loopback  lo
enp1s0              989c6717-f865-3198-9f80-0e71d8ec0374  ethernet  --
```
First rename the connection ID Wired connection 1 to eth0 using:

```
# nmcli c modify "Wired connection 1" connection.id eth0
# nmcli c
NAME    UUID                                  TYPE      DEVICE
eth0    64fc151c-e7a9-339c-b5b6-8e1557c15989  ethernet  eth0
lo      3b231043-38cc-46d2-9d73-ef8fa3f2551d  loopback  lo
enp1s0  989c6717-f865-3198-9f80-0e71d8ec0374  ethernet  --
```

Note: the "ID" is actually called "NAME" in the nmcli c output.
Finally we can delete the now obsolete enp1s0 connection:

```
# nmcli c del enp1s0
# nmcli c
NAME  UUID                                  TYPE      DEVICE
eth0  64fc151c-e7a9-339c-b5b6-8e1557c15989  ethernet  eth0
lo    3b231043-38cc-46d2-9d73-ef8fa3f2551d  loopback  lo
```

I also like to see the current IP address on the console, by modifying /etc/issue with:

```
# echo -e "IP: \4{eth0}\n" >> /etc/issue
```
EPEL is a repository that contains many packages from Fedora ported to RHEL (and its clones). We can enable it following https://wiki.almalinux.org/repos/Extras:

```
dnf install epel-release
```

Example of the package "wordpress", which is only in EPEL (not in the stock RHEL distribution):

```
$ dnf repoquery --location wordpress
https://ftp.sh.cvut.cz/fedora/epel/9/Everything/x86_64/Packages/w/wordpress-6.7.1-1.el9.noarch.rpm
```

Notice epel in the package URL.
Firewalld is a service wrapper on top of the Linux firewall (in the past iptables, now nftables). Firewalld settings should be modified with the command firewall-cmd. Tested with the following version:

```
$ rpm -q firewalld
firewalld-1.3.4-7.el9.noarch
```

You can find out which firewall backend is used by grepping:

```
# grep '^FirewallBackend=' /etc/firewalld/firewalld.conf
FirewallBackend=nftables
```

In the case of nftables you can check the real rules using:

```
nft list ruleset
```

Now ensure that firewalld is enabled and running using:

```
# firewall-cmd --state
running
```
Now we need to find out which zone is assigned to which interface:

```
# firewall-cmd --get-active-zones
public
  interfaces: eth0
```

Note: a zone can be assigned to an interface (e.g., eth0) or to a source (e.g., the IPv4 address range 192.168.0.1/32). The public zone in the example above has only an interface assigned.

And now dump the details of our public zone:

```
# firewall-cmd --info-zone=public
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: cockpit dhcpv6-client ssh
  ports:
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
```
The default public zone definition is stored in /usr/lib/firewalld/zones/public.xml:

```
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <service name="cockpit"/>
  <forward/>
</zone>
```
Why was the public zone assigned to our new eth0 interface? Because it is the default:

```
# firewall-cmd --get-default-zone
public
```

You can find Firewalld service definitions under /usr/lib/firewalld/services/, for example /usr/lib/firewalld/services/cockpit.xml:

```
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>Cockpit</short>
  <description>Cockpit lets you access and configure your server remotely.</description>
  <port protocol="tcp" port="9090"/>
</service>
```
NOTE: defaults are generally stored under /usr/lib/firewalld/, but the current configuration is stored under /etc/firewalld/.

Runtime vs. permanent:

- any command without --permanent will be applied immediately (=Runtime) but lost after a firewall reload or restart (!)
- any command with --permanent will store the changes, but they will not be applied to the Runtime configuration until a reload or restart

There are 2 ways to apply changes both to Runtime and Permanent:

- add --permanent to your command and then run firewall-cmd --reload
- when you finish changing runtime rules, run firewall-cmd --runtime-to-permanent
Example: remove cockpit (management Web UI access) from the public zone, both Runtime and permanently:

```
# Runtime change (applied immediately but lost on reload/restart):
firewall-cmd --zone=public --remove-service=cockpit
# apply all runtime changes permanently:
firewall-cmd --runtime-to-permanent
```

Now verify that cockpit is no longer there:

```
# firewall-cmd --info-zone=public
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dhcpv6-client ssh
  ports:
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
```
First I enable unicast logging (unicast means deny messages for single IP address targets):

```
firewall-cmd --set-log-denied=unicast
```

Note: there is no --permanent option in the above command; it is always applied immediately.

Logs are visible with dmesg or with this systemd command:

```
SYSTEMD_COLORS=false journalctl -k -p 4 -g 'filter_.* MAC=' --no-pager
```

Where -k prints kernel-only messages, -p 4 is the priority filter, and -g is a "regex grep". The variable SYSTEMD_COLORS=false removes the colour highlighting, and --no-pager stops the shortening of lines (and paging).
Systemd is so annoying that I rather created a script for that, called /usr/local/sbin/dump-firewall.sh:

```
#!/bin/bash
set -euo pipefail
# dump firewalld "log denied" kernel messages without colours or a pager
sudo SYSTEMD_COLORS=false journalctl -k -p 4 -g 'filter_.* MAC=' --no-pager
exit 0
```
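Once the deny log is enabled, the next question is what is actually being rejected and from where. The following is an added example, not part of the wiki or of firewalld: it applies the same 'filter_.* MAC=' filter to journalctl -k style lines and summarizes them per rule, source and destination port. The log lines are constructed sample data, and the function name summarize_denied is my own.

```shell
# Constructed sample of LogDenied kernel messages in the form journalctl -k
# prints them (not real captured data): three rejects in zone public plus
# one unrelated kernel line that must be ignored.
SAMPLE_DENIED_LOG='Jan 01 10:00:01 alma9 kernel: filter_IN_public_REJECT: IN=eth0 OUT= MAC=52:54:00:aa:bb:cc:52:54:00:11:22:33:08:00 SRC=192.0.2.10 DST=192.0.2.5 LEN=60 TTL=64 ID=1 DF PROTO=TCP SPT=40000 DPT=23 WINDOW=64240 SYN URGP=0
Jan 01 10:00:02 alma9 kernel: filter_IN_public_REJECT: IN=eth0 OUT= MAC=52:54:00:aa:bb:cc:52:54:00:11:22:33:08:00 SRC=192.0.2.10 DST=192.0.2.5 LEN=60 TTL=64 ID=2 DF PROTO=TCP SPT=40001 DPT=23 WINDOW=64240 SYN URGP=0
Jan 01 10:00:03 alma9 kernel: filter_IN_public_REJECT: IN=eth0 OUT= MAC=52:54:00:aa:bb:cc:52:54:00:44:55:66:08:00 SRC=198.51.100.7 DST=192.0.2.5 LEN=72 TTL=255 ID=3 PROTO=UDP SPT=5353 DPT=5353
Jan 01 10:00:04 alma9 kernel: eth0: link is up'

# Read kernel log lines on stdin, keep only those matching the same
# 'filter_.* MAC=' pattern the wiki passes to journalctl -g, and print
# "count rule src proto dpt", highest count first.
summarize_denied() {
  grep -E 'filter_.* MAC=' | awk '
    {
      rule = ""; src = ""; proto = ""; dpt = ""
      for (i = 1; i <= NF; i++) {
        # the log prefix token, e.g. filter_IN_public_REJECT: (trailing colon dropped)
        if ($i ~ /^filter_/) { rule = $i; sub(/:$/, "", rule) }
        n = split($i, kv, "=")
        if (n == 2 && kv[1] == "SRC")   src = kv[2]
        if (n == 2 && kv[1] == "PROTO") proto = kv[2]
        if (n == 2 && kv[1] == "DPT")   dpt = kv[2]
      }
      if (src != "") count[rule " " src " " proto " " dpt]++
    }
    END { for (k in count) print count[k], k }
  ' | sort -rn
}

# On a live system: sudo journalctl -k -p 4 --no-pager | summarize_denied
```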
By default Firewalld allows SSH access from any IP address, which is too dangerous today...

We will follow a modified example from: https://serverfault.com/a/684739

TODO: ...

Normally any outgoing connection is allowed, which is not safe. We can find an example of how to limit it at: https://access.redhat.com/solutions/7013886

TODO: ...