Monday, June 6, 2016

rhel7

systemctl
https://www.digitalocean.com/community/tutorials/how-to-use-systemctl-to-manage-systemd-services-and-units

In systemd, the target of most actions are "units", which are resources that systemd knows how to manage. Units are categorized by the type of resource they represent and they are defined with files known as unit files. The type of each unit can be inferred from the suffix on the end of the file.
For service management tasks, the target unit will be service units, which have unit files with a suffix of.service. However, for most service management commands, you can actually leave off the .servicesuffix, as systemd is smart enough to know that you probably want to operate on a service when using service management commands.
Targets are special unit files that describe a system state or synchronization point. Like other units, the files that define targets can be identified by their suffix, which in this case is .target. Targets do not do much themselves, but are instead used to group other units together. LOAD: Whether the unit's configuration has been parsed by systemd. The configuration of loaded units is kept in memory.
ACTIVE: A summary state about whether the unit is active. This is usually a fairly basic way to tell if the unit has started successfully or not.
SUB: This is a lower-level state that indicates more detailed information about the unit. This often varies by unit type, state, and the actual method in which the unit runs.
Run level 3 is emulated by multi-user.target. Run level 5 is emulated by graphical.target.
service foobar startsystemctl start foobar.serviceUsed to start a service (not reboot persistent)
service foobar stopsystemctl stop foobar.serviceUsed to stop a service (not reboot persistent)
service foobar restartsystemctl restart foobar.serviceUsed to stop and then start a service
service foobar reloadsystemctl reload foobar.serviceWhen supported, reloads the config file without interrupting pending operations.
service foobar condrestartsystemctl condrestart foobar.serviceRestarts if the service is already running.
service foobar statussystemctl status foobar.serviceTells whether a service is currently running.
ls /etc/rc.d/init.d/ls /lib/systemd/system/*.service /etc/systemd/system/*.serviceUsed to list the services that can be started or stopped
chkconfig foobar onsystemctl enable foobar.serviceTurn the service on, for start at next boot, or other trigger.
chkconfig foobar offsystemctl disable foobar.serviceTurn the service off for the next reboot, or any other trigger.
chkconfig foobarsystemctl is-enabled foobar.service; echo $?Used to check whether a service is configured to start or not in the current environment.
chkconfig foobar –listls /etc/systemd/system/*.wants/foobar.serviceUsed to list what levels this service is configured on or off
chkconfig foobar –addNot needed, no equivalent.
who -r
run level		systemctl list-units --type=target list current run level/active target
-systemctl is-active foobar.service
systemctl is-failed foobar.service		if service is currently active(running)
if service has problem start
-systemctl reload-or-restart foobar.service
-systemctl list-units or systemctl
systemctl list-units -a		show active unit by defaultshow all loaded unit (active or not)
-systemctl list-units --all --state=inactive
systemctl list-units --type=service		list all available unit 
chkconfig --listsystemctl list-unit-files --type=servicelist all available unit
-systemctl cat atd.servicedisplay unit loaded in current systemd
-systemctl list-dependencies sshd.service
[--reverse|--before|--after]
-systemctl show atd.servicelow level properties of unit
systemctl list-unit-files
The state will usually be "enabled", "disabled", "static", or "masked". In this context, static means that the unit file does not contain an "install" section, which is used to enable a unit. As such, these units cannot be enabled. Usually, this means that the unit performs a one-off action or is used only as a dependency of another unit and should not be run by itself.
systemctl mask foo.service; systemctl unmask foo.service
link unit to /dev/null, make it unstartable
systemctl edit foo.service
modify unit

loginctl (logind)
journalctl (journald)

 firewalld
Use firewall-cmd to manage the rules.
In order from least trusted to most trusted, the pre-defined zones within firewalld are:
  • drop: The lowest level of trust. All incoming connections are dropped without reply and only outgoing connections are possible.
  • block: Similar to the above, but instead of simply dropping connections, incoming requests are rejected with an icmp-host-prohibited or icmp6-adm-prohibited message.
  • public: Represents public, untrusted networks. You don't trust other computers but may allow selected incoming connections on a case-by-case basis.
  • external: External networks in the event that you are using the firewall as your gateway. It is configured for NAT masquerading so that your internal network remains private but reachable.
  • internal: The other side of the external zone, used for the internal portion of a gateway. The computers are fairly trustworthy and some additional services are available.
  • dmz: Used for computers located in a DMZ (isolated computers that will not have access to the rest of your network). Only certain incoming connections are allowed.
  • work: Used for work machines. Trust most of the computers in the network. A few more services might be allowed.
  • home: A home environment. It generally implies that you trust most of the other computers and that a few more services will be accepted.
  • trusted: Trust all of the machines in the network. The most open of the available options and should be used sparingly.
To use the firewall, we can create rules and alter the properties of our zones and then assign our network interfaces to whichever zones are most appropriate.

start firewall:
# systemctl start firewalld.service
Check if firewall is running:
# systemctl status firewalld
# firewall-cmd --state
Configure firewall when firewalld is not running:
# firewall-offline-cmd
Put Lockdown=yes in the config file /etc/firewalld/firewalld.conf to prevent any change to firewall rule. Or
# firewall-cmd --lockdown-on
# firewall-cmd --lockdown-off
# firewall-cmd --query-lockdown
Zones:
These information are stored in /etc/firewalld/firewalld.conf file.
# firewall-cmd --get-default-zone
# firewall-cmd --get-active-zones
# firewall-cmd --get-zones # list all available zones
Create zone:
# firewall-cmd --permanent --new-zone=new-zone
Print zone config:
# firewall-cmd --list-all # list default zone config
# firewall-cmd --zone=home --list-all
# firewall-cmd --list-all-zones # list all config
Change interfeace zone temporarily:
# firewall-cmd --zone=home --change-interface=eth0
Interface always assign to default zone, unless specified with ZONE="zone-name" in the interface cfg /etc/sysconfig/network-scripts/ifcfg-interface. Or change be changed with,
# nmcli con mod "System eth0" connection.zone zone-name 
# firewall-cmd --get-zone-of-interface=eth0
--add-interface
--remove-interface
Change default zone
# firewall-cmd --set-default-zone=home

Source
# firewall-cmd --zone=trusted --list-sources
# firewall-cmd --zone-trusted --add-source=192.168.2.0/24
--get-zone-of-source
--remove-source
--change-source

List of available service:
# firewall-cmd --get-services
detail of the service are defined under /usr/lib/firewalld/services/.
# firewall-cmd --zone=public --add-service=http --permanent
# firewall-cmd --zone=public --add-service={http,https} --permanent
# firewall-cmd --zone=public --list-services
# firewall-cmd --zone=public --remove-service=http --permanent
Add ports
# firewall-cmd --zone=public --add-port=5000/tcp --permanent
# firewall-cmd --zone=public --add-port=4990-4999/udp --permanent
# firewall-cmd --zone=public --list-ports
# firewall-cmd --zone=public --remove-port=5000/tcp --permanent
Define a service"
Create a xml file /etc/firewalld/services/service.xml, use xml under /usr/lib/firewalld/services/ as template. Remember assign correct SELinux context and file permission.
# restorecon /etc/firewalld/services/service.xml
# chmod 640 /etc/firewalld/services/service.xml
Masquerading
# firewall-cmd --zone=external --add-masquerade
# firewall-cmd --zone=external --remove-masquerade
# firewall-cmd --zone=external --query-masquerade
Port Forwarding
# firewall-cmd --zone=external --add-forward-port=port=22:proto=tcp:toport=3753:toaddr=10.0.0.1
--remove-forward-port
--query-forward-port
Direct Rules that bypass firewalld interface
information are stored in /etc/firewalld/direct.xml file.
open port 9000:
# firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp --dport 9000 -j ACCEPT
# firewall-cmd --direct --get-all-rules
direct
# firewall-cmd --runtime-to-permanent
# firewall-cmd --reload
# systemctl restart network
# systemctl restart firewalld
Rich rules
format:
# firewall-cmd [--zone=zone] --add-rich-rule='rule' [--timeout=timeval]
# firewall-cmd [--zone-zone] --query-rich-rule='rule'
# firewall-cmd [--zone=zone] --remove-rich-rule='rule'
Add modules
Instead of using a rc.local file, it is better to notify Firewalld through the /etc/modules-load.d directory.
Backup firewall rules
# iptables -S > firewalld_rules_ipv4
# ip6tables -S > firewalld_rules_ipv6

---
For the priority from highest to lowest for when and where a rule applies when a packet arrives we have:
  • Direct rules
  • Source address based zone
    • log
    • deny
    • allow
  • Interface based zone
    • log
    • deny
    • allow
  • Default zone
    • log
    • deny
    • allow
Within each log/deny/allow split of a zone the priority is:
  • Rich rule
  • Port definition
  • Service definition
---
  • The iptables service stores configuration in /etc/sysconfig/iptables while firewalld stores it in various XML files in /usr/lib/firewalld/ and /etc/firewalld/. Note that the /etc/sysconfig/iptables file does not exist as firewalld is installed by default on Red Hat Enterprise Linux.
  • With the iptables service, every single change means flushing all the old rules and reading all the new rules from /etc/sysconfig/iptables while with firewalld there is no re-creating of all the rules; only the differences are applied. Consequently, firewalld can change the settings during runtime without existing connections being lost.






















---

at
Labels:

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)