Re: [CentOS] firewalld

2017-01-28 Thread James Hogarth
On 28 Jan 2017 3:02 am, "TE Dukes"  wrote:



> -Original Message-
> From: CentOS [mailto:centos-boun...@centos.org] On Behalf Of Gordon
> Messmer
> Sent: Friday, January 27, 2017 9:23 PM
> To: CentOS mailing list
> Subject: Re: [CentOS] firewalld
>
> On 01/27/2017 06:01 PM, TE Dukes wrote:
> > I telnet localhost 143, I get connection refused.
> >
> > What zone is used for the local network and what zone is used for
> > outside access?
>
> All traffic from localhost is allowed.  No zone is involved.
>
> The zone for "outside" access depends on which interface receives the
> packet, and what zone you've put that interface in.  I believe that
> defaults to "public."

I'm telnetting in from ssh on a machine on the local network, still getting
connection refused.

The zone apparently means something because an interface can only be on one.
Moving it to a different zone results in the same error (same services/ports
opened in each zone).

I may as well disable firewalld and let my router handle the firewall.

I don't plan to use my server as a workstation.


Have a read through this and then decide on if you want to use it or not.

You can also switch to iptables-service and mask firewalld if you want the
same behaviour as in C6.

7.3 also has nftables as a tech preview, but I've not finished my article
on that yet.
___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] firewalld

2017-01-28 Thread Pete Biggs

> 
> The zone apparently means something because an interface can only be on one.
> Moving it to a different zone results in the same error (same services/ports
> opened in each zone).

The "zones" are just labels and are used to create kernel iptables.
Each zone has a default set of open and closed ports ranging from
"trusted" which accepts all packets to "public" which has everything
closed. You can modify the allowed ports and services on each zone at
will.

Some of the zones have "special" features - "block" rejects all
packets, "drop" drops all packets, "external" has masquerading turned
on and so on.

If you have a single network, then that interface will, by default, be
put in the "public" zone, so most ports will be closed. That's fine,
just leave it in that zone, it's just a label/container.

You can list the services open in the default zone by doing 

  firewall-cmd --list-services

or for ports not services

  firewall-cmd --list-ports

or for a different zone

  firewall-cmd --zone=public --list-services

You can also find out which zones your interface(s) is in with

  firewall-cmd --get-active-zones

One of the gotchas with firewalld is that the changes are made in
either the current running iptables *or* the stored rules, not both. So
if you make a change to the running rule set, those changes won't be
kept the next time you restart firewalld. You can either use the
'--permanent' flag to set the stored rules (but it won't affect the
active rules) or the '--runtime-to-permanent' flag to copy the current
active rules to the stored ones.

The bottom line is that firewalld is just another application that
manipulates the kernel packet routing tables. Use something else if you
prefer it - some of the system tools assume firewalld, but if you are
aware of what's happening it shouldn't be an issue.

> 
> I may as well disable firewalld and let my router handle the firewall.
> 
If you are happy that there is nothing behind your firewall that could
cause a problem then that's an acceptable route.

P.
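Pete's gotcha about runtime versus permanent rules is easy to check mechanically. The script below is an added example, not code from anyone in this thread: it diffs the services a zone has open right now against the stored list and says which ones would vanish on the next reload or restart. The list helpers run offline on the constructed lists embedded here; the `--live` mode assumes `firewall-cmd` is installed and that the script runs as root.

```shell
#!/bin/sh
# Drift check between firewalld's runtime and permanent service lists.
# Added example, not from the thread. The list helpers are pure shell and
# run anywhere; the --live wrapper assumes firewall-cmd and root privileges.

# Print, space-separated and sorted, the items of list $1 absent from list $2.
only_in_first() {
    for item in $1; do
        found=0
        for other in $2; do
            [ "$item" = "$other" ] && found=1
        done
        [ "$found" -eq 0 ] && printf '%s\n' "$item"
    done | sort | tr '\n' ' ' | sed 's/ $//'
}

# Report the differences for one zone: $1 zone name, $2 runtime services,
# $3 permanent services. Returns 0 when the lists match, 1 when they differ;
# the messages say which way the drift goes.
check_drift() {
    zone=$1
    lost=$(only_in_first "$2" "$3")        # open now, but not stored
    pending=$(only_in_first "$3" "$2")     # stored, but not active yet
    if [ -z "$lost" ] && [ -z "$pending" ]; then
        echo "zone $zone: runtime and permanent service lists match"
        return 0
    fi
    [ -n "$lost" ] && echo "zone $zone: open in runtime only, lost on reload/restart: $lost"
    [ -n "$pending" ] && echo "zone $zone: stored but not active until reload: $pending"
    return 1
}

# Live mode: compare the running and stored lists for a zone (the default
# zone when none is given). Assumes firewalld is running and we are root.
check_zone() {
    zone=${1:-$(firewall-cmd --get-default-zone)}
    check_drift "$zone" \
        "$(firewall-cmd --zone="$zone" --list-services)" \
        "$(firewall-cmd --permanent --zone="$zone" --list-services)"
}

# Usage: sh drift.sh --live [zone]   (no arguments: run on constructed lists)
case "${1:-}" in
    --live) check_zone "${2:-}" ;;
    *)
        # Constructed sample: imap/imaps were added without --permanent
        check_drift public "dhcpv6-client imap imaps ssh" "dhcpv6-client ssh" || :
        ;;
esac
```

When the check reports services that are open in runtime only, `firewall-cmd --runtime-to-permanent` (the flag Pete mentions) saves them; it copies the whole runtime configuration, not just the listed zone, so read the "lost" line before running it rather than after.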


Re: [CentOS] firewalld

2017-01-28 Thread TE Dukes


> -Original Message-
> From: CentOS [mailto:centos-boun...@centos.org] On Behalf Of James
> Hogarth
> Sent: Saturday, January 28, 2017 4:18 AM
> To: CentOS mailing list
> Subject: Re: [CentOS] firewalld
> 
> On 28 Jan 2017 3:02 am, "TE Dukes"  wrote:
> 
> 
> 
> > -Original Message-
> > From: CentOS [mailto:centos-boun...@centos.org] On Behalf Of Gordon
> > Messmer
> > Sent: Friday, January 27, 2017 9:23 PM
> > To: CentOS mailing list
> > Subject: Re: [CentOS] firewalld
> >
> > On 01/27/2017 06:01 PM, TE Dukes wrote:
> > > I telnet localhost 143, I get connection refused.
> > >
> > > What zone is used for the local network and what zone is used for
> > > outside access?
> >
> > All traffic from localhost is allowed.  No zone is involved.
> >
> > The zone for "outside" access depends on which interface receives the
> > packet, and what zone you've put that interface in.  I believe that
> defaults to
> > "public."
> 
>  I'm telneting in from ssh on a machine on the local network, still
getting
> connection refused.
> 
> The zone apparently means something because an interface can only be on
> one.
> Moving it to a different zone results in the same error (same
services/ports
> opened in each zone).
> 
> I may as well disable firewalld and let my router handle the firewall.
> 
> I don't plan to use my server as a workstation.
> 
> 
> Have a read through this and then decide on if you want to use it or not.
> 
> You can also switch to iptables-service and mask firewalld if you want the
> same behaviour as in C6.
> 
> 7.3 also has nftables as a tech preview, but I've not finished my article
on that
> yet.

I saw something about that somewhere.

Did you forget a link?

Thanks



Re: [CentOS] firewalld

2017-01-28 Thread TE Dukes


> -Original Message-
> From: CentOS [mailto:centos-boun...@centos.org] On Behalf Of Pete Biggs
> Sent: Saturday, January 28, 2017 6:02 AM
> To: centos@centos.org
> Subject: Re: [CentOS] firewalld
> 
> 
> >
> > The zone apparently means something because an interface can only be on
> one.
> > Moving it to a different zone results in the same error (same
> > services/ports opened in each zone).
> 
> The "zones" are just labels and are used to create kernel iptables.
> Each zone has a default set of open and closed ports ranging from "trusted"
> which accepts all packets to "public" which has everything closed. You can
> modify the allowed ports and services on each zone at will.
> 
> Some of the zones have "special" features - "block" rejects all packets,
> "drop" drops all packets, "external" has masquerading turned on and so on.
> 
> If you have a single network, then that interface will, by default, be put in
> the "public" zone, so most ports will be closed. That's fine, just leave it in
> that zone, it's just a label/container.
> 
> You can list the services open in the default zone by doing
> 
>   firewall-cmd --list-services
> 
> or for ports not services
> 
>   firewall-cmd --list-ports
> 
> or for a different zone
> 
>   firewall-cmd --zone=public --list-services
> 
> You can also find out which zones your interface(s) is in with
> 
>   firewall-cmd --get-active-zones
> 
> One of the gotchas with firewalld is that the changes are made in either the
> current running iptables *or* the stored rules, not both. So if you make a
> change to the running rule set, those changes won't be kept the next time
> you restart firewalld. You can either use the '--permanent' flag to set the
> stored rules (but it won't affect the active rules) or the
> '--runtime-to-permanent' flag to copy the current active rules to the
> stored ones.
> 
> The bottom line is that firewalld is just another application that manipulates
> the kernel packet routing tables. Use something else if you prefer it - some
> of the system tools assume firewalld, but if you are aware of what's
> happening it shouldn't be an issue.
> 
> >
> > I may as well disable firewalld and let my router handle the firewall.
> >
> If you are happy that there is nothing behind your firewall that could cause a
> problem then that's an acceptable route.
> 
> P.
Thanks,

That's a better explanation of things than I have read so far.

Yes, initially I wasn't adding the --permanent to the rules but I wasn't doing 
really any reboots.

I did a few --reloads so that may have gotten me.

I have zoneminder, dns, and urbackup working. I can ssh and scp in from work
but mail is being a pain.

Thanks



Re: [CentOS] firewalld

2017-01-28 Thread Mike McCarthy, W1NR
firewalld isn't the only thing that will prevent services from accessing
the internet. I found that I needed to do a relabel before postfix could
access DNS and I have seen other issues as well. Have you tried
disabling the firewall to see if you can get connections to work? Then
try to disable SELinux and see if that works.

# netstat --inet -l -n

Is the service listening on port 143?

# systemctl stop firewalld

Does it now work?

# setenforce 0

Does it now work?

Once you establish what's biting you then you can fix it. To force a
relabel do

# touch /.autorelabel

# reboot

Mike

On 01/28/2017 07:11 AM, TE Dukes wrote:
>
>> -Original Message-
>> From: CentOS [mailto:centos-boun...@centos.org] On Behalf Of Pete Biggs
>> Sent: Saturday, January 28, 2017 6:02 AM
>> To: centos@centos.org
>> Subject: Re: [CentOS] firewalld
>>
>>
>>> The zone apparently means something because an interface can only be on
>> one.
>>> Moving it to a different zone results in the same error (same
>>> services/ports opened in each zone).
>> The "zones" are just labels and are used to create kernel iptables.
>> Each zone has a default set of open and closed ports ranging from "trusted"
>> which accepts all packets to "public" which has everything closed. You can
>> modify the allowed ports and services on each zone at will.
>>
>> Some of the zones have "special" features - "block" rejects all packets,
>> "drop" drops all packets, "external" has masquerading turned on and so on.
>>
>> If you have a single network, then that interface will, by default, be put
>> in the "public" zone, so most ports will be closed. That's fine, just leave
>> it in that zone, it's just a label/container.
>>
>> You can list the services open in the default zone by doing
>>
>>   firewall-cmd --list-services
>>
>> or for ports not services
>>
>>   firewall-cmd --list-ports
>>
>> or for a different zone
>>
>>   firewall-cmd --zone=public --list-services
>>
>> You can also find out which zones your interface(s) is in with
>>
>>   firewall-cmd --get-active-zones
>>
>> One of the gotchas with firewalld is that the changes are made in either the
>> current running iptables *or* the stored rules, not both. So if you make a
>> change to the running rule set, those changes won't be kept the next time
>> you restart firewalld. You can either use the '--permanent' flag to set the
>> stored rules (but it won't affect the active rules) or the
>> '--runtime-to-permanent' flag to copy the current active rules to the
>> stored ones.
>>
>> The bottom line is that firewalld is just another application that manipulates
>> the kernel packet routing tables. Use something else if you prefer it - some
>> of the system tools assume firewalld, but if you are aware of what's
>> happening it shouldn't be an issue.
>>
>>> I may as well disable firewalld and let my router handle the firewall.
>>>
>> If you are happy that there is nothing behind your firewall that could cause
>> a problem then that's an acceptable route.
>>
>> P.
> Thanks,
>
> That's a better explanation of things than I have read so far.
>
> Yes, initially I wasn't adding the --permanent to the rules but I wasn't 
> doing really any reboots.
>
> I did a few --reloads so that may have gotten me.
>
> I have zoneminder, dns, and  urbackup  working. I can ssh and scp in from 
> work but mail is being a pain.
>
> Thanks
>




Re: [CentOS] firewalld

2017-01-28 Thread TE Dukes


-Original Message-
From: CentOS [mailto:centos-boun...@centos.org] On Behalf Of Mike McCarthy,
W1NR
Sent: Saturday, January 28, 2017 8:45 AM
To: CentOS mailing list
Subject: Re: [CentOS] firewalld

firewalld isn't the only thing that will prevent services from accessing the
internet. I found that I needed to do a relabel before postfix could access
DNS and I have seen other issues as well. Have you tried disabling the
firewall to see if you can get connections to work? Then try to disable
SELinux and see if that works.

# netstat --inet -l -n

Is the service listening on port 143?

# systemctl stop firewalld

Does it now work?

# setenforce 0

Does it now work?

Once you establish what's biting you then you can fix it. To force a relabel
do

# touch /.autorelabel

# reboot

Mike

I have dovecot answering now. I can read mail using Mutt.

I think I have problems with mysql/mariadb using roundcube. It may be I need
to open ports for mariadb as well.

Thanks



Re: [CentOS] firewalld

2017-01-28 Thread James Hogarth
On 28 January 2017 at 12:01, TE Dukes  wrote:
>
>
>> -Original Message-
>> From: CentOS [mailto:centos-boun...@centos.org] On Behalf Of James
>> Hogarth
>> Sent: Saturday, January 28, 2017 4:18 AM
>> To: CentOS mailing list
>> Subject: Re: [CentOS] firewalld
>>
>> On 28 Jan 2017 3:02 am, "TE Dukes"  wrote:
>>
>>
>>
>> > -Original Message-
>> > From: CentOS [mailto:centos-boun...@centos.org] On Behalf Of Gordon
>> > Messmer
>> > Sent: Friday, January 27, 2017 9:23 PM
>> > To: CentOS mailing list
>> > Subject: Re: [CentOS] firewalld
>> >
>> > On 01/27/2017 06:01 PM, TE Dukes wrote:
>> > > I telnet localhost 143, I get connection refused.
>> > >
>> > > What zone is used for the local network and what zone is used for
>> > > outside access?
>> >
>> > All traffic from localhost is allowed.  No zone is involved.
>> >
>> > The zone for "outside" access depends on which interface receives the
>> > packet, and what zone you've put that interface in.  I believe that
>> defaults to
>> > "public."
>>
>>  I'm telneting in from ssh on a machine on the local network, still
> getting
>> connection refused.
>>
>> The zone apparently means something because an interface can only be on
>> one.
>> Moving it to a different zone results in the same error (same
> services/ports
>> opened in each zone).
>>
>> I may as well disable firewalld and let my router handle the firewall.
>>
>> I don't plan to use my server as a workstation.
>>
>>
>> Have a read through this and then decide on if you want to use it or not.
>>
>> You can also switch to iptables-service and mask firewalld if you want the
>> same behaviour as in C6.
>>
>> 7.3 also has nftables as a tech preview, but I've not finished my article
> on that
>> yet.
>
> I saw something about that somewhere.
>
> Did you forget a link?
>
> Thanks
>

Oops you're right I did ...

https://www.hogarthuk.com/?q=node/9


Re: [CentOS] firewalld

2017-01-28 Thread James Hogarth
On 28 January 2017 at 13:44, Mike McCarthy, W1NR  wrote:
> firewalld isn't the only thing that will prevent services from accessing
> the internet. I found that I needed to do a relabel before postfix could
> access DNS and I have seen other issues as well. Have you tried
> disabling the firewall to see if you can get connections to work? Then
> try to disable SElinux and see if that works.
>
> # netstat --inet -l -n
>
> Is the service listening on port 143?
>


Just a side note here, since EL7 removed net-tools from the default
install (after all it has been deprecated for about a decade now) you
probably should get used to providing advice using the iproute2 suite
instead.

In this case `ss -tlnp` to list all tcp ports in a listening state,
showing the pid using the port and not resolving the ports to friendly
names.

For an example of why this is important think about using pacemaker or
keepalived to manage IPs migrating between systems. They won't be
visible using ifconfig but only via ip as they aren't exposed in the
kernel structures that ifconfig uses -
https://www.hogarthuk.com/?q=node/6

Another example is when you have multiple interfaces and you have
source policy routing (or similar advanced routing behaviour) that
makes use of rules and multiple routing tables. The older route
command is only capable of displaying the default main table, not the
rest of the tables in use, but `ip route show table all` will give you
all the routing tables in use on your system (even in a default
install it's a lot more than the route command shows) and ip rule
gives you the rules in use, if any.

On a similar note bridge-utils is also deprecated, though brctl is
ingrained into many minds!

https://fedoramagazine.org/build-network-bridge-fedora/


Re: [CentOS] firewalld

2017-01-28 Thread TE Dukes


-Original Message-
From: CentOS [mailto:centos-boun...@centos.org] On Behalf Of James Hogarth
Sent: Saturday, January 28, 2017 10:43 AM
To: CentOS mailing list
Subject: Re: [CentOS] firewalld

On 28 January 2017 at 13:44, Mike McCarthy, W1NR  wrote:
> firewalld isn't the only thing that will prevent services from 
> accessing the internet. I found that I needed to do a relabel before 
> postfix could access DNS and I have seen other issues as well. Have 
> you tried disabling the firewall to see if you can get connections to 
> work? Then try to disable SElinux and see if that works.
>
> # netstat --inet -l -n
>
> Is the service listening on port 143?
>


Just a side note here, since EL7 removed net-tools from the default install
(after all it has been deprecated for about a decade now) you probably
should get used to providing advice using the iproute2 suite instead.

In this case `ss -tlnp` to list all tcp ports in a listening state, showing
the pid using the port and not resolving the ports to friendly names.

For an example of why this is important think about using pacemaker or
keepalived to manage IPs migrating between systems. They won't be visible
using ifconfig but only via ip as they aren't exposed in the kernel
structures that ifconfig uses -
https://www.hogarthuk.com/?q=node/6

Another example is when you have multiple interfaces and you have source
policy routing (or similar advanced routing behaviour) that makes use of
rules and multiple routing tables. The older route command is only capable
of displaying the default main table, not the rest of the tables in use, but
`ip route show table all` will give you all the routing tables in use on
your system (even in a default install it's a lot more than the route
command shows) and ip rule gives you the rules in use, if any.

On a similar note bridge-utils is also deprecated, though brctl is ingrained
into many minds!

https://fedoramagazine.org/build-network-bridge-fedora/

Thanks for the info. I'll take a look at it.

Again, thanks!



Re: [CentOS] firewalld

2017-01-28 Thread John R Pierce

On 1/27/2017 6:01 PM, TE Dukes wrote:

> I can't figure out all these zones. I opened imap, imaps, pop3, pop3s, smtp,
> smtps in zones internal, trusted and public.
>
> I still get connection refused.
>
> I telnet localhost 143, I get connection refused.


the firewall is more likely to give you connection timed out as it
generally drops rather than rejects the connections.


connection refused often means nothing is actually listening on that
port, 143/tcp being IMAP. You sure the imap service is running?



--
john r pierce, recycling bits in santa cruz

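Mike's `netstat --inet -l -n` question, James's `ss -tlnp` suggestion and John's point that "connection refused" usually means nothing is listening all come down to the same first check. The script below is an added example and not code from anyone in the thread: it parses `ss -tlnp` output (a constructed sample is embedded so it runs offline, with no IMAP listener on purpose) and reports whether anything listens on the port and on which address. It goes one step beyond the thread by also flagging a listener bound to loopback only, the case that answers on localhost but not from the LAN whatever zone the interface is in. The `--live` mode assumes iproute2's `ss` is installed.

```shell
#!/bin/sh
# Triage "connection refused" on a TCP port from `ss -tlnp` output.
# Added example, not code from the thread. Parsing is plain sh + awk and runs
# offline on the constructed sample; --live assumes iproute2's ss is present
# (process names need root).

# Constructed sample in the column layout ss -tlnp uses on EL7: the IPv4
# wildcard shows as "*", the IPv6 wildcard as "::". Nothing listens on 143.
SAMPLE_SS='State   Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN  0      128    *:22                *:*     users:(("sshd",pid=1012,fd=3))
LISTEN  0      100    127.0.0.1:25        *:*     users:(("master",pid=1530,fd=13))
LISTEN  0      80     127.0.0.1:3306      *:*     users:(("mysqld",pid=1620,fd=18))
LISTEN  0      128    :::993              :::*    users:(("dovecot",pid=1701,fd=24))'

# Print "ADDRESS PROCESS" for every LISTEN socket on TCP port $1 in the ss
# output passed as $2; prints nothing when no socket listens on that port.
listeners_on() {
    printf '%s\n' "$2" | awk -v port="$1" '
        $1 == "LISTEN" {
            n = split($4, parts, ":")              # port follows the last colon
            if (parts[n] != port) next
            addr = substr($4, 1, length($4) - length(port) - 1)
            proc = "unknown"                       # ss omits users: without -p/root
            if (match($0, /users:\(\("[^"]+"/))
                proc = substr($0, RSTART + 9, RLENGTH - 10)
            print addr, proc
        }'
}

# Interpret the result the way the thread suggests: no listener explains a
# "refused" before the firewall is even involved, and a loopback-only bind is
# unreachable from other hosts whatever zone the interface sits in.
# Returns 0 when a listener exists, 1 when none does.
diagnose_port() {
    port=$1
    found=$(listeners_on "$port" "$2")
    if [ -z "$found" ]; then
        echo "tcp/$port: nothing listening; fix the service before looking at firewalld or SELinux"
        return 1
    fi
    printf '%s\n' "$found" | while read -r addr proc; do
        case "$addr" in
            127.0.0.1|::1)
                echo "tcp/$port ($proc): bound to loopback $addr only; other hosts cannot reach it whatever the zone says" ;;
            *)
                echo "tcp/$port ($proc): listening on $addr; if remote clients still fail, check the zone's services and SELinux denials next" ;;
        esac
    done
}

# Usage: sh triage.sh --live [port]   (no arguments: run on the sample)
case "${1:-}" in
    --live) diagnose_port "${2:-143}" "$(ss -tlnp 2>/dev/null)" ;;
    *)
        diagnose_port 143 "$SAMPLE_SS" || :
        diagnose_port 25  "$SAMPLE_SS"
        ;;
esac
```

For the SELinux step, `ausearch -m avc -ts recent` lists recent denials, which shows whether policy is the blocker without dropping the host to permissive with `setenforce 0`.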


[CentOS] mail delivery in 7.3

2017-01-28 Thread TE Dukes
Hello,

Still don't have mail working. It seems to be stuck in
/var/spool/postfix/incoming

It's not getting to ~Maildir or whatever 7.3 uses. 

I am clueless. Probably need a little break.

TIA



[CentOS] Preferred mail client

2017-01-28 Thread TE Dukes
Hello, again,

What is the preferred remote mail client for 7.3?

I have used openwebmail in the past, was using usermin and roundcube most
recently. Never cared about squirrelmail but that was years ago.

I don't use my server as a workstation. It mostly just sits over there
collecting dust on the keyboard.

TIA



Re: [CentOS] Preferred mail client

2017-01-28 Thread Fred Smith
On Sat, Jan 28, 2017 at 07:03:31PM -0500, TE Dukes wrote:
> Hello, again,
> 
> What is the preferred remote mail client for 7.3?
> 
> I have used openwebmail in the past, was using usermin and roundcube most
> recently. Never cared about squirrelmail but that was years ago.
> 
> I don't use my server as a workstation. It mostly just sits over there
> collecting dust on the keyboard.
> 
> TIA

well, I'm an old-fashioned kind of guy, so I use Mutt. (and I have my
own mail server, so I'm accessing local mbox mail folders).

I figure that when God invented email, He intended it to be plain text. :)

-- 
 Fred Smith -- fre...@fcshome.stoneham.ma.us -
The Lord detests the way of the wicked 
  but he loves those who pursue righteousness.
- Proverbs 15:9 (niv) -


Re: [CentOS] Preferred mail client

2017-01-28 Thread Gordon Messmer

On 01/28/2017 04:03 PM, TE Dukes wrote:
> What is the preferred remote mail client for 7.3?



I'm a fan of SOGo.


https://sogo.nu/



Re: [CentOS] Preferred mail client

2017-01-28 Thread Rob Kampen

On 29/01/17 18:02, Gordon Messmer wrote:
> On 01/28/2017 04:03 PM, TE Dukes wrote:
>> What is the preferred remote mail client for 7.3?
>
> I'm a fan of SOGo.

never heard of it - looks interesting BUT the production versions are
only available with a support contract that begins at $US 750 / annum -
how dangerous is the nightly build?
- I normally wouldn't dream of using a nightly build, but neither can I
afford the support fee for the 20 or so clients (all not for profit
charities) that I provide email services to.

> https://sogo.nu/


