Re: [arch-general] USB flash installation medium in BIOS machines
On 03.11.2020 15:15, u...@net9.ga wrote: I have 2 options for that during POST. Press F2 or Del to go into BIOS configuration and see and reorder the boot devices. This list is a classical BIOS boot device list. The other option is press F12 and Don't F2, or Del show more complex screens, other than just reorder boot devices? Yes of course. I just didn't want to describe my whole BIOS settings menu, because I thought your question was aimed at the boot device selection. There is some unrelated stuff, but like with most consumer laptops it is very rudimentary and narrow, like disable USB or disable Camera or disable Microphone or ASF configuration... Perhaps the problem is that the firmware is looking for an ESP, which can not be found? Shouldn't the ESP be on the Live medium? I never had one on my hard drive, which is a plain MBR partitioned one with no fancy firmware loading stuff... plain old BIOS GRUB setup. Always been. I came to the conclusion, that my hardware is faulty. Somehow it is capable to start the systemd-boot loader but not the actual UEFI image. And all while not mentioning any EFI capabilities in BIOS settings. Well, if it boots systemd-boot, have you tried to configure systemd-boot? Are you aware to the fact that there used to be 32 bits variant of the efi firmware? What do you mean by configure? It is the unchanged archlinux-2020.11.01-x86_64.iso I dd'ed on a stick. Just out of curiosity, does anyone know a way to "ask" the hardware about EFI capabilities, without actually booting through EFI? I think that if you can start the installation, you might query hardware capabilities. I am referring to https://wiki.archlinux.org/index.php/Unified_Extensible_Firmware_Interface#Checking_the_firmware_bitness . I am aware of /sys/firmware/efi, but it only shows up when you actually boot through the EFI, which, as stated, I was never able to. I worked around the problem, so I am good for now.
If someone is interested in investigating the problem with that dated hardware I am more than willing to do whatever you need for that. Just mail directly, no need to spam the list any further.
Re: [arch-general] Fail2Ban is not adding iptables rules
Maykel Franco via arch-general wrote: > On Tue, 3 Nov 2020 at 15:21, wrote: > > > > Maykel Franco via arch-general wrote: > > > > > On Tue, 3 Nov 2020 at 10:45, wrote: > > > > > > > > Maykel Franco via arch-general wrote: > > > > > > > > > On Tue, 3 Nov 2020 at 9:48, wrote: > > > > > > > > > > > > Maykel Franco via arch-general wrote: > > > > > > > > > > > > > Hi, I have this script for iptables for my archlinux desktop: > > > > > > > > > > > > > > https://pastebin.com/SafhsKFt > > > > > > > > > > > > > > And when received external request access SSH error, fail2ban add > > > > > > > rule > > > > > > > but the rule not working. > > > > > > > > > > > > > > I think it has to do with the iptables script, but the fail2ban > > > > > > > blocking rules add fine but don't ban. That could be happening? > > > > > > > > > > > > It could be that the banning fail2ban rule doesn't ban. > > > > > > 1. Can you show the iptables state before, and after, fail2ban added > > > > > > its rule? That is, issue an iptables -s command? I do hope I got > > > > > > the iptables command right. > > > > > > 2. Can you show fail2ban configuration? > > > > > > > > > > > > -- > > > > > > u34 > > > > > > > > > > The problem is not fail2ban. The problem is the script iptables rules > > > > > because after exec script iptables: > > > > > > > > > > https://pastebin.com/SafhsKFt > > > > > > > > > > I try drop ip: > > > > > > > > > > iptables -A INPUT -p tcp -s 192.168.0.33 --dport 22 -j DROP > > > > > > > > > > Not block ip 192.168.0.33 on port 22. > > > > > > > > Possibly because that line is added as the last lines of the iptables. > > > > The accept lines of the script already accepted the 192.168.0.33 > > > > connection. You > > > > probably want to issue an Insert, or a Replace, command. -I or -R, if I > > > > remember > > > > correctly. > > > > What is the output of iptables -s, if I remember correctly, > > > > after you issued > > > > the 192.168.0.33 related command?
> > > > > > > > As an aside, I think you should revert to nft (nftables). > > > > > > > > -- > > > > u34 > > > > > > Thanks for your response. With -I works well with: > > > > > > iptables -I INPUT -p tcp -s 192.168.0.33 --dport -j DROP > > > > > > And now, for iptables works well, How it solved? I need iptables add > > > rules on first place. > > > > I didn't follow. iptables doesn't add rules by itself. Someone, or > > something, > > tells it what rules it should use. Whom do want to tell iptables to add > > rules on first place? > > > > -- > > u34 > > Maybe I have explained myself wrong. With that script that I have put > from iptables, I can add rules first with the -I parameter and it > works. Thanks for the help of colleagues. > > Now what I want is that iptables when I block some IP, it also ping it > first to make it work. I didn't understand. Are you looking for: if (ping anIp succeeded) iptables -I anIp drop ? If that is what you want, why would you care if ping succeeded, or not? Just drop anIp. -- u34
Re: [arch-general] Fail2Ban is not adding iptables rules
On Tue, 3 Nov 2020 at 15:21, wrote: > > Maykel Franco via arch-general wrote: > > > On Tue, 3 Nov 2020 at 10:45, wrote: > > > > > > Maykel Franco via arch-general wrote: > > > > > > > On Tue, 3 Nov 2020 at 9:48, wrote: > > > > > > > > > > Maykel Franco via arch-general wrote: > > > > > > > > > > > Hi, I have this script for iptables for my archlinux desktop: > > > > > > > > > > > > https://pastebin.com/SafhsKFt > > > > > > > > > > > > And when received external request access SSH error, fail2ban add > > > > > > rule > > > > > > but the rule not working. > > > > > > > > > > > > I think it has to do with the iptables script, but the fail2ban > > > > > > blocking rules add fine but don't ban. That could be happening? > > > > > > > > > > It could be that the banning fail2ban rule doesn't ban. > > > > > 1. Can you show the iptables state before, and after, fail2ban added > > > > > its rule? That is, issue an iptables -s command? I do hope I got > > > > > the iptables command right. > > > > > 2. Can you show fail2ban configuration? > > > > > > > > > > -- > > > > > u34 > > > > > > > > The problem is not fail2ban. The problem is the script iptables rules > > > > because after exec script iptables: > > > > > > > > https://pastebin.com/SafhsKFt > > > > > > > > I try drop ip: > > > > > > > > iptables -A INPUT -p tcp -s 192.168.0.33 --dport 22 -j DROP > > > > > > > > Not block ip 192.168.0.33 on port 22. > > > > > > Possibly because that line is added as the last lines of the iptables. > > > The accept lines of the script already accepted the 192.168.0.33 > > > connection. You > > > probably want to issue an Insert, or a Replace, command. -I or -R, if I > > > remember > > > correctly. > > > What is the output of iptables -s, if I remember correctly, > > > after you issued > > > the 192.168.0.33 related command? > > > > > > As an aside, I think you should revert to nft (nftables). > > > > > > -- > > > u34 > > > > Thanks for your response.
With -I works well with: > > > > iptables -I INPUT -p tcp -s 192.168.0.33 --dport -j DROP > > > > And now, for iptables works well, How it solved? I need iptables add > > rules on first place. > > I didn't follow. iptables doesn't add rules by itself. Someone, or something, > tells it what rules it should use. Whom do want to tell iptables to add > rules on first place? > > -- > u34 Maybe I have explained myself wrong. With that script that I have put from iptables, I can add rules first with the -I parameter and it works. Thanks for the help of colleagues. Now what I want is that iptables when I block some IP, it also ping it first to make it work.
Re: [arch-general] Fail2Ban is not adding iptables rules
Maykel Franco via arch-general wrote: > On Tue, 3 Nov 2020 at 10:45, wrote: > > > > Maykel Franco via arch-general wrote: > > > > > On Tue, 3 Nov 2020 at 9:48, wrote: > > > > > > > > Maykel Franco via arch-general wrote: > > > > > > > > > Hi, I have this script for iptables for my archlinux desktop: > > > > > > > > > > https://pastebin.com/SafhsKFt > > > > > > > > > > And when received external request access SSH error, fail2ban add rule > > > > > but the rule not working. > > > > > > > > > > I think it has to do with the iptables script, but the fail2ban > > > > > blocking rules add fine but don't ban. That could be happening? > > > > > > > > It could be that the banning fail2ban rule doesn't ban. > > > > 1. Can you show the iptables state before, and after, fail2ban added > > > > its rule? That is, issue an iptables -s command? I do hope I got > > > > the iptables command right. > > > > 2. Can you show fail2ban configuration? > > > > > > > > -- > > > > u34 > > > > > > The problem is not fail2ban. The problem is the script iptables rules > > > because after exec script iptables: > > > > > > https://pastebin.com/SafhsKFt > > > > > > I try drop ip: > > > > > > iptables -A INPUT -p tcp -s 192.168.0.33 --dport 22 -j DROP > > > > > > Not block ip 192.168.0.33 on port 22. > > > > Possibly because that line is added as the last lines of the iptables. > > The accept lines of the script already accepted the 192.168.0.33 > > connection. You > > probably want to issue an Insert, or a Replace, command. -I or -R, if I > > remember > > correctly. > > What is the output of iptables -s, if I remember correctly, > > after you issued > > the 192.168.0.33 related command? > > > > As an aside, I think you should revert to nft (nftables). > > > > -- > > u34 > > Thanks for your response. With -I works well with: > > iptables -I INPUT -p tcp -s 192.168.0.33 --dport -j DROP > > And now, for iptables works well, How it solved? I need iptables add > rules on first place.
I didn't follow. iptables doesn't add rules by itself. Someone, or something, tells it what rules it should use. Whom do want to tell iptables to add rules on first place? -- u34
Re: [arch-general] USB flash installation medium in BIOS machines
Juergen Werner via arch-general wrote: > On 03/11/2020 10.23, u...@net9.ga wrote: > Have you entered the firmware configuration, or the bios configuration, > > whatever that is, to see its options? > > I have 2 options for that during POST. Press F2 or Del to go into BIOS > configuration and see and reorder the boot devices. This list is a > classical BIOS boot device list. The other option is press F12 and Don't F2, or Del show more complex screens, other than just reorder boot devices? > select a boot device, without the need to permanently reorder stuff. > This is very plain and leaves not much room for interpretation and I > tried both. > > Since there is no (known) option to force the boot mode of the flash > drive, I went with Óscar's suggestion and created a BIOS-GRUB flash drive > to load the ISO as loop device, which went really smooth. I used that > method before, when I originally installed Arch on it, but just for the > reason that I could have multiple ISOs on a stick without reflashing all > the time. That is probably the reason, why I never ran into this problem > with the Arch ISO. > Perhaps the problem is that the firmware is looking for an ESP, which can not be found? > I came to the conclusion, that my hardware is faulty. Somehow it is > capable to start the systemd-boot loader but not the actual UEFI image. > And all while not mentioning any EFI capabilities in BIOS settings. Well, if it boots systemd-boot, have you tried to configure systemd-boot? Are you aware to the fact that there used to be 32 bits variant of the efi firmware? > > Just out of curiosity, does anyone know a way to "ask" the hardware about > EFI capabilities, without actually booting through EFI? I think that if you can start the installation, you might query hardware capabilities. I am referring to https://wiki.archlinux.org/index.php/Unified_Extensible_Firmware_Interface#Checking_the_firmware_bitness . -- u34
Re: [arch-general] USB flash installation medium in BIOS machines
On 03/11/2020 10.23, u...@net9.ga wrote: > Have you entered the firmware configuration, or the bios configuration, whatever that is, to see its options? I have 2 options for that during POST. Press F2 or Del to go into BIOS configuration and see and reorder the boot devices. This list is a classical BIOS boot device list. The other option is press F12 and select a boot device, without the need to permanently reorder stuff. This is very plain and leaves not much room for interpretation and I tried both. Since there is no (known) option to force the boot mode of the flash drive, I went with Óscar's suggestion and created a BIOS-GRUB flash drive to load the ISO as loop device, which went really smooth. I used that method before, when I originally installed Arch on it, but just for the reason that I could have multiple ISOs on a stick without reflashing all the time. That is probably the reason, why I never ran into this problem with the Arch ISO. I came to the conclusion, that my hardware is faulty. Somehow it is capable to start the systemd-boot loader but not the actual UEFI image. And all while not mentioning any EFI capabilities in BIOS settings. Just out of curiosity, does anyone know a way to "ask" the hardware about EFI capabilities, without actually booting through EFI?
Re: [arch-general] Arch Linux Support for Station P1, Station M1?
03.11.2020 14:51, Morne Ross via arch-general wrote: Hi, Firefly is looking for some developers to add Linux OS support for their devices and can give some free samples. They have the Station P1 RK3399 and Station M1 RK3328 and plan to also release a RK3568 device in a couple of weeks. http://stationpc.com/portal.php?mod=topic=2 http://stationpc.com/portal.php?mod=topic=7 As I understand, these computers work on ARM architecture. So that topic would be appropriate for Arch Linux ARM folks. Arch Linux only supports amd64 architecture. Will it be possible for someone to build Arch Linux for it perhaps? The source code is also available for the devices and they already have Linux booting with 5.9 kernels. For further cooperation or help you can contact T-Chip, manufacturer of the Firefly devices. s...@t-chip.com.cn You can send me the contact and shipping details then I can forward it to them for where the samples can be shipped to. If more than one person needs samples then I can also ask them. Regards Morne -- Sincerely, Alexander.
[arch-general] Arch Linux Support for Station P1, Station M1?
Hi, Firefly is looking for some developers to add Linux OS support for their devices and can give some free samples. They have the Station P1 RK3399 and Station M1 RK3328 and plan to also release a RK3568 device in a couple of weeks. http://stationpc.com/portal.php?mod=topic=2 http://stationpc.com/portal.php?mod=topic=7 Will it be possible for someone to build Arch Linux for it perhaps? The source code is also available for the devices and they already have Linux booting with 5.9 kernels. For further cooperation or help you can contact T-Chip, manufacturer of the Firefly devices. s...@t-chip.com.cn You can send me the contact and shipping details then I can forward it to them for where the samples can be shipped to. If more than one person needs samples then I can also ask them. Regards Morne
Re: [arch-general] Fail2Ban is not adding iptables rules
On Tue, 3 Nov 2020 at 10:45, wrote: > > Maykel Franco via arch-general wrote: > > > On Tue, 3 Nov 2020 at 9:48, wrote: > > > > > > Maykel Franco via arch-general wrote: > > > > > > > Hi, I have this script for iptables for my archlinux desktop: > > > > > > > > https://pastebin.com/SafhsKFt > > > > > > > > And when received external request access SSH error, fail2ban add rule > > > > but the rule not working. > > > > > > > > I think it has to do with the iptables script, but the fail2ban > > > > blocking rules add fine but don't ban. That could be happening? > > > > > > It could be that the banning fail2ban rule doesn't ban. > > > 1. Can you show the iptables state before, and after, fail2ban added > > > its rule? That is, issue an iptables -s command? I do hope I got > > > the iptables command right. > > > 2. Can you show fail2ban configuration? > > > > > > -- > > > u34 > > > > The problem is not fail2ban. The problem is the script iptables rules > > because after exec script iptables: > > > > https://pastebin.com/SafhsKFt > > > > I try drop ip: > > > > iptables -A INPUT -p tcp -s 192.168.0.33 --dport 22 -j DROP > > > > Not block ip 192.168.0.33 on port 22. > > Possibly because that line is added as the last lines of the iptables. > The accept lines of the script already accepted the 192.168.0.33 connection. > You > probably want to issue an Insert, or a Replace, command. -I or -R, if I > remember > correctly. > What is the output of iptables -s, if I remember correctly, > after you issued > the 192.168.0.33 related command? > > As an aside, I think you should revert to nft (nftables). > > -- > u34 Thanks for your response. With -I works well with: iptables -I INPUT -p tcp -s 192.168.0.33 --dport -j DROP And now, for iptables works well, How it solved? I need iptables add rules on first place.
Re: [arch-general] Fail2Ban is not adding iptables rules
Maykel Franco via arch-general wrote: > On Tue, 3 Nov 2020 at 9:48, wrote: > > > > Maykel Franco via arch-general wrote: > > > > > Hi, I have this script for iptables for my archlinux desktop: > > > > > > https://pastebin.com/SafhsKFt > > > > > > And when received external request access SSH error, fail2ban add rule > > > but the rule not working. > > > > > > I think it has to do with the iptables script, but the fail2ban > > > blocking rules add fine but don't ban. That could be happening? > > > > It could be that the banning fail2ban rule doesn't ban. > > 1. Can you show the iptables state before, and after, fail2ban added > > its rule? That is, issue an iptables -s command? I do hope I got > > the iptables command right. > > 2. Can you show fail2ban configuration? > > > > -- > > u34 > > The problem is not fail2ban. The problem is the script iptables rules > because after exec script iptables: > > https://pastebin.com/SafhsKFt > > I try drop ip: > > iptables -A INPUT -p tcp -s 192.168.0.33 --dport 22 -j DROP > > Not block ip 192.168.0.33 on port 22. Possibly because that line is added as the last lines of the iptables. The accept lines of the script already accepted the 192.168.0.33 connection. You probably want to issue an Insert, or a Replace, command. -I or -R, if I remember correctly. What is the output of iptables -s, if I remember correctly, after you issued the 192.168.0.33 related command? As an aside, I think you should revert to nft (nftables). -- u34
Re: [arch-general] Fail2Ban is not adding iptables rules
On 03.11.20 09:54, Maykel Franco via arch-general wrote: On Tue, 3 Nov 2020 at 9:48, wrote: Maykel Franco via arch-general wrote: Hi, I have this script for iptables for my archlinux desktop: https://pastebin.com/SafhsKFt And when received external request access SSH error, fail2ban add rule but the rule not working. I think it has to do with the iptables script, but the fail2ban blocking rules add fine but don't ban. That could be happening? It could be that the banning fail2ban rule doesn't ban. 1. Can you show the iptables state before, and after, fail2ban added its rule? That is, issue an iptables -s command? I do hope I got the iptables command right. 2. Can you show fail2ban configuration? -- u34 The problem is not fail2ban. The problem is the script iptables rules because after exec script iptables: https://pastebin.com/SafhsKFt I try drop ip: iptables -A INPUT -p tcp -s 192.168.0.33 --dport 22 -j DROP Not block ip 192.168.0.33 on port 22. That's the expected behavior. With -A you append a rule to the already existing rules. The problem is that you have already allowed port 22 in your script and this rule matches for all incoming packets on port 22. Other rules will not be executed. I'm not an expert in fail2ban but when you use the following rule after the script is executed port 22 will be blocked: iptables -I INPUT -p tcp -s 192.168.0.33 --dport 22 -j DROP -I means that the rule is inserted in the first place in the chain. With "iptables -vL INPUT" you can see the order of the rules. First matching rule will be used and no other rules in the INPUT chain will be executed.
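The rule-ordering behaviour discussed in this thread, as an added example that is not part of any poster's message: a small Python model of first-match chain evaluation that compares `-A` with `-I` for the DROP rule quoted above and flags rules overridden by an earlier, broader rule. The base ACCEPT rule is a constructed stand-in for the poster's script (the pastebin content is not on this page), and all function names are hypothetical.

```python
import ipaddress
import shlex

FLAGS = {"-p": "proto", "-s": "src", "--dport": "dport", "-j": "target"}

def parse(cmd):
    """Parse the subset of iptables rule syntax that appears in the thread."""
    tok = shlex.split(cmd)
    rule = dict.fromkeys(FLAGS.values())       # proto/src/dport/target = None
    rule["op"], rule["chain"] = tok[0], tok[1]
    for flag, value in zip(tok[2::2], tok[3::2]):
        rule[FLAGS[flag]] = value
    if rule["src"]:
        rule["src"] = ipaddress.ip_network(rule["src"], strict=False)
    return rule

def apply_cmd(chain, cmd):
    """-A appends to the end of the chain; -I inserts at the first position."""
    rule = parse(cmd)
    if rule["op"] == "-A":
        chain.append(rule)
    else:
        chain.insert(0, rule)
    return chain

def matches(rule, pkt):
    return ((rule["proto"] is None or rule["proto"] == pkt["proto"])
            and (rule["dport"] is None or rule["dport"] == str(pkt["dport"]))
            and (rule["src"] is None
                 or ipaddress.ip_address(pkt["src"]) in rule["src"]))

def verdict(chain, pkt, policy="DROP"):
    """Walk the chain top-down; the first matching rule decides."""
    for pos, rule in enumerate(chain, 1):
        if matches(rule, pkt):
            return pos, rule["target"]
    return None, policy

def covers(early, late):
    """True if every packet `late` matches is already matched by `early`."""
    for field in ("proto", "dport"):
        if early[field] is not None and early[field] != late[field]:
            return False
    if early["src"] is None:
        return True
    return late["src"] is not None and late["src"].subnet_of(early["src"])

def shadowed(chain):
    """1-based positions of rules overridden by an earlier, broader rule."""
    return [pos for pos, late in enumerate(chain, 1)
            if any(covers(early, late) and early["target"] != late["target"]
                   for early in chain[:pos - 1])]

# Constructed stand-in for the poster's script: it already accepts SSH.
BASE = ["-A INPUT -p tcp --dport 22 -j ACCEPT"]
BAN = "INPUT -p tcp -s 192.168.0.33 --dport 22 -j DROP"   # rule from the thread
PKT = {"proto": "tcp", "src": "192.168.0.33", "dport": 22}

def build(op):
    chain = []
    for cmd in BASE + [f"{op} {BAN}"]:
        apply_cmd(chain, cmd)
    return chain

if __name__ == "__main__":
    for op in ("-A", "-I"):
        chain = build(op)
        print(op, verdict(chain, PKT), "shadowed rules:", shadowed(chain))
```

On a live host the same ordering can be read from `iptables -vL INPUT`, as the message above notes.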
Re: [arch-general] USB flash installation medium in BIOS machines
Damjan Georgievski via arch-general wrote: > > There are only my 2 installed hard drives plus a "USB HDD: ..." option. > > I am very positive that this laptop is legacy BIOS only and that it is > > somehow wrongly identified as UEFI? > > It can't be "wrongly identified as UEFI". If the laptop didn't support > UEFI, then you wouldn't even see the systemd-boot menu, > because there wouldn't be anything to *load* systemd-boot, or support > it running. systemd-boot is designed to exclusively > run in the UEFI environment, and it just can not work at all in a BIOS > environment. > > >>> I see the boot menu (which looks like systemd-boot menu) with only > >>> options for UEFI boot and EFI shell option. > > -- > damjan Have you entered the firmware configuration, or the bios configuration, whatever that is, to see its options? -- u34
Re: [arch-general] Fail2Ban is not adding iptables rules
On Tue, 3 Nov 2020 at 9:48, wrote: > > Maykel Franco via arch-general wrote: > > > Hi, I have this script for iptables for my archlinux desktop: > > > > https://pastebin.com/SafhsKFt > > > > And when received external request access SSH error, fail2ban add rule > > but the rule not working. > > > > I think it has to do with the iptables script, but the fail2ban > > blocking rules add fine but don't ban. That could be happening? > > It could be that the banning fail2ban rule doesn't ban. > 1. Can you show the iptables state before, and after, fail2ban added > its rule? That is, issue an iptables -s command? I do hope I got > the iptables command right. > 2. Can you show fail2ban configuration? > > -- > u34 The problem is not fail2ban. The problem is the script iptables rules because after exec script iptables: https://pastebin.com/SafhsKFt I try drop ip: iptables -A INPUT -p tcp -s 192.168.0.33 --dport 22 -j DROP Not block ip 192.168.0.33 on port 22.
Re: [arch-general] Fail2Ban is not adding iptables rules
Maykel Franco via arch-general wrote: > Hi, I have this script for iptables for my archlinux desktop: > > https://pastebin.com/SafhsKFt > > And when received external request access SSH error, fail2ban add rule > but the rule not working. > > I think it has to do with the iptables script, but the fail2ban > blocking rules add fine but don't ban. That could be happening? It could be that the banning fail2ban rule doesn't ban. 1. Can you show the iptables state before, and after, fail2ban added its rule? That is, issue an iptables -s command? I do hope I got the iptables command right. 2. Can you show fail2ban configuration? -- u34