Firewalld – RHEL 7 & CentOS 7

There are a couple of excellent articles on FirewallD, which I’ll attribute as follows. Remember to check out the comments sections where available, since there are some insightful contributions:

Resources

How To Set Up a Firewall Using FirewallD on CentOS 7

A few ways to configure Linux firewalld

RHEL7: How to get started with Firewalld.

What Is FirewallD and How It Works (firewall-cmd)

Firewalld configuration and usage

centos 7 – open firewall port

How to open a port in the firewall on CentOS or RHEL

Snippets

Below are some of the neat things I gleaned from the above resources:

Firewalld is the default firewall on a CentOS minimal install, and it’s managed with the firewall-cmd administrative tool.

The firewalld daemon groups rules into what are termed Zones. These rules dictate what traffic should be allowed, depending on the level of “Trust” in the network your computer is connected to.

Zones are activated by adding network interfaces to them. The default zone after a CentOS minimal install is the public zone. Here you’ll find a nice description of the different zones. Remember: check which zones are active, then add rules (e.g. enabling ports) to those zones instead of blindly opening ports in all the zones.

To allow traffic to pass between network interfaces, remember to enable IP forwarding (the net.ipv4.ip_forward sysctl).

Interfaces will always revert to the default zone if they do not have an alternative zone defined within their configuration. On CentOS, these configurations are defined within the /etc/sysconfig/network-scripts directory with files of the format ifcfg-interface. To define a zone for the interface, open up the file associated with the interface you’d like to modify.

In case you’d rather switch back to iptables, follow the instructions here.

NOTE: Firewalld relies on NetworkManager. This means that if you plan to stop NetworkManager for any reason (for example when building a KVM host), you will have to stop Firewalld and use Iptables instead!

Masquerading: If your firewall is your network gateway and you don’t want everybody to know your internal addresses, you can set up two zones, one called internal and the other external, and configure masquerading on the external zone. This way, all outgoing packets get your firewall’s IP address as their source address.

Services: There are a few basic building blocks in the zones; services are the most important. Firewalld uses its own set of services, configured using XML files in the directories /usr/lib/firewalld/services (for the system default services) and /etc/firewalld/services (for services that you, the administrator, create). If the same service is found in both locations, the definition in /etc/firewalld/services takes precedence.

The firewall-cmd command is one of many methods to configure firewalld. Alternatively, you can edit the zone configuration file directly. This doesn’t give you any feedback on wrong syntax, but it’s a clean and straightforward configuration file that is easy to modify and distribute across multiple servers.
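Putting the two snippets above together (only touch the zones that are actually active, and masquerade on the gateway’s external zone), here is a small shell script I’ve added as an example. It is not code from the original posts or from the firewalld project. It assumes the text layout that firewall-cmd --get-active-zones prints (a zone name on an unindented line, followed by indented “interfaces:” / “sources:” lines) and a hypothetical FW_DRY_RUN=1 switch that prints the firewall-cmd invocations instead of running them, so it can be tried on a box without firewalld; the sample zone text is constructed in the same shape as the output shown further down this page.

```shell
#!/bin/sh
# Added example, not from the post or the firewalld project: apply a service rule
# only to the zones firewalld reports as active, and enable masquerading on a
# gateway's external zone.
# Assumptions: the text layout of `firewall-cmd --get-active-zones` (zone name on an
# unindented line, then indented "interfaces:"/"sources:" lines), and a hypothetical
# FW_DRY_RUN=1 switch that prints firewall-cmd invocations instead of running them.

# Constructed sample in the same shape as the post's --get-active-zones output.
SAMPLE_ACTIVE_ZONES='public
  interfaces: enp0s3 enp0s8'

# Read --get-active-zones text on stdin; print one active zone name per line.
active_zones_from_text() {
    awk '/^[^[:space:]]/ { print $1 }'
}

# zone_interfaces_from_text ZONE: print the interfaces bound to ZONE (stdin = same text).
zone_interfaces_from_text() {
    awk -v z="$1" '
        /^[^[:space:]]/ { cur = $1; next }
        cur == z && $1 == "interfaces:" { $1 = ""; sub(/^ +/, ""); print }
    '
}

# fw ARGS...: run firewall-cmd, or just print the command line when FW_DRY_RUN=1.
fw() {
    if [ "${FW_DRY_RUN:-0}" = "1" ]; then
        echo "firewall-cmd $*"
    else
        firewall-cmd "$@"
    fi
}

# allow_service_in_active_zones SERVICE [ZONES_TEXT]
# Permanently allow SERVICE (e.g. http) in every active zone, then reload so the
# runtime rules match. ZONES_TEXT replaces the live query (used by the demo/test).
allow_service_in_active_zones() {
    service="$1"
    zones_text="${2:-$(firewall-cmd --get-active-zones)}"
    zones=$(printf '%s\n' "$zones_text" | active_zones_from_text)
    if [ -z "$zones" ]; then
        echo "no active zones reported; not changing anything" >&2
        return 1
    fi
    for z in $zones; do
        fw --permanent --zone="$z" --add-service="$service" || return 1
    done
    fw --reload
}

# masquerade_external ZONE: masquerade on the gateway's outward-facing zone so
# forwarded packets leave with the firewall's own address as their source.
# (IP forwarding itself, net.ipv4.ip_forward, is enabled separately, as noted above.)
masquerade_external() {
    fw --permanent --zone="$1" --add-masquerade && fw --reload
}

# Demo: dry run against the constructed sample. On a real host, leave FW_DRY_RUN
# unset and drop the second argument so the live zone list is queried.
FW_DRY_RUN=1
allow_service_in_active_zones http "$SAMPLE_ACTIVE_ZONES"
masquerade_external external
```

With FW_DRY_RUN unset, the same functions run firewall-cmd for real; the --permanent/--reload pairing is deliberate, since a --permanent change alone does not touch the running rules until the reload.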

Pound Gateway Won’t Start on CentOS 7

Problem

I had set up the pound gateway as per the steps here. The issue was that the gateway wasn’t starting. The following error was in the log:

Sep 7 15:09:49 localhost systemd: Starting Pound Reverse Proxy And Load-balancer...
Sep 7 15:09:49 localhost pound: starting...
Sep 7 15:09:50 localhost pound: get_host(192.168.56.101, res, 0)
Sep 7 15:09:50 localhost pound: getaddrinfo OK
Sep 7 15:09:50 localhost pound: ret OK
Sep 7 15:09:50 localhost pound: done
Sep 7 15:09:50 localhost pound: get_host(192.168.56.101, res, 0)
Sep 7 15:09:50 localhost pound: getaddrinfo OK
Sep 7 15:09:50 localhost pound: ret OK
Sep 7 15:09:50 localhost pound: done
Sep 7 15:09:50 localhost pound: get_host(192.168.56.102, res, 0)
Sep 7 15:09:50 localhost pound: getaddrinfo OK
Sep 7 15:09:50 localhost pound: ret OK
Sep 7 15:09:50 localhost pound: done
Sep 7 15:09:50 localhost pound: get_host(192.168.56.103, res, 0)
Sep 7 15:09:50 localhost pound: getaddrinfo OK
Sep 7 15:09:50 localhost pound: ret OK
Sep 7 15:09:50 localhost pound: done
Sep 7 15:09:50 localhost systemd: Failed to read PID from file /var/run/pound.pid: Invalid argument
Sep 7 15:11:19 localhost systemd: pound.service operation timed out. Terminating.
Sep 7 15:11:19 localhost systemd: Failed to start Pound Reverse Proxy And Load-balancer.
Sep 7 15:11:19 localhost systemd: Unit pound.service entered failed state.

Solution

According to this mailing list thread, the solution is to edit the pound.service file shown below and remove the line containing PID (the PIDFile= directive).

After editing, the file should have the following:

[root@localhost ~]# cat /usr/lib/systemd/system/pound.service
[Unit]
Description=Pound Reverse Proxy And Load-balancer
After=syslog.target network.target

[Service]
Type=forking
ExecStart=/usr/sbin/pound

[Install]
WantedBy=multi-user.target 

Resources

[Pound Mailing List] pound won’t start

When i try to logon to my WordPress Backend with pound in front it tells me this error “You do not have sufficient permissions to access this page.”


Load Balancing — Pound Gateway

Setup

Guest OS – CentOS 7

Configure Load Balancer

  • Enable the EPEL repository.
  • Install pound on the Load Balance Server. In my case this is on IP 192.168.56.101
[root@localhost ~]# yum install pound
  • Configure pound
[root@localhost ~]# vim /etc/pound.cfg
(screenshot: /etc/pound.cfg contents)

NB:// Remember to add the http service to the firewall as detailed below. Otherwise this will happen.

  • Enable pound so it starts at boot (the systemd equivalent of adding it to chkconfig):
[root@localhost]# systemctl is-enabled pound
disabled
[root@localhost]# systemctl enable pound
ln -s '/usr/lib/systemd/system/pound.service' '/etc/systemd/system/multi-user.target.wants/pound.service'
[root@localhost]# systemctl is-enabled pound
enabled

Configure Back End Servers

  • Install apache and php
[root@localhost ~]# yum install --disablerepo="*" --enablerepo="LocalRepo" httpd

[root@localhost ~]# yum install --disablerepo="*" --enablerepo="LocalRepo" php
  • Edit the Apache config so the web server listens for traffic on the static IP
[root@localhost ~]# vim /etc/httpd/conf/httpd.conf
(screenshot: Apache config file)
  • Create a sample web page on the backend server(s)
[root@localhost ~]# vim /var/www/html/index.html
(screenshot: sample web page)
  • Change ownership of the index.html file:
[root@localhost ~]# chown apache:apache /var/www/html/index.html
  • Restart Apache
[root@localhost ~]# service httpd restart

Out of the box, enterprise Linux distributions such as CentOS or RHEL come with a powerful firewall built-in, and their default firewall rules are pretty restrictive. Thus if you install any custom services (e.g., web server, NFS, Samba), chances are their traffic will be blocked by the firewall rules. You need to open up necessary ports on the firewall to allow their traffic.

NB: We are adding the service to the public zone since it’s the active zone. Check the active zones so you know which zone to add the service to. See this as well.

[root@localhost jeremy]# firewall-cmd --get-active-zones
public
 interfaces: enp0s3 enp0s8
[root@localhost jeremy]# firewall-cmd --permanent --zone=public --add-service=http
success
[root@localhost jeremy]# firewall-cmd --reload
success
  • Then start pound:
[root@localhost ~]# service pound restart
  • Go to the Host OS browser and enter the IP of the load balancer server. You should see Server 1’s and Server 2’s web pages being served.
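Since the pound config step above only survives as a screenshot, here is an added example (my own, not the post’s config or anything from the Pound project) that writes a minimal /etc/pound.cfg for this lab: one HTTP listener on the load balancer and one BackEnd per web server, plus a parse-back so you can sanity check the backend list before restarting pound. It assumes pound’s configuration directives (User, Group, LogLevel, Alive, ListenHTTP, Address, Port, Service, BackEnd, End) and reuses the lab addresses from the post; the output path is a parameter so the demo writes to a temporary file rather than /etc/pound.cfg.

```shell
#!/bin/sh
# Added example, not the post's own config: generate a minimal pound.cfg for the
# lab layout above (listener on the load balancer, one BackEnd per web server) and
# read the backend list back as a sanity check.
# Assumes pound's directive names and the lab IPs used in the post.

# write_pound_cfg OUTFILE LISTEN_ADDR BACKEND_ADDR...
write_pound_cfg() {
    out="$1"; listen="$2"; shift 2
    if [ $# -lt 1 ]; then
        echo "write_pound_cfg: at least one backend address is required" >&2
        return 1
    fi
    {
        printf 'User "pound"\nGroup "pound"\nLogLevel 1\nAlive 30\n\n'
        printf 'ListenHTTP\n    Address %s\n    Port 80\n    Service\n' "$listen"
        for b in "$@"; do
            printf '        BackEnd\n            Address %s\n            Port 80\n        End\n' "$b"
        done
        printf '    End\nEnd\n'
    } > "$out"
}

# backend_addresses FILE: print the Address of every BackEnd stanza, one per line.
backend_addresses() {
    awk '
        /^[[:space:]]*BackEnd/ { inb = 1; next }
        inb && $1 == "Address" { print $2; inb = 0 }
    ' "$1"
}

# check_config FILE: let pound parse the file (-c = check only) when it is installed.
check_config() {
    if command -v pound >/dev/null 2>&1; then
        pound -c -f "$1"
    else
        echo "pound not installed here; skipping syntax check" >&2
    fi
}

# Demo: write to a temp file so nothing on the host is touched. On the real load
# balancer, pass /etc/pound.cfg as the first argument instead.
cfg=$(mktemp)
write_pound_cfg "$cfg" 192.168.56.101 192.168.56.102 192.168.56.103
check_config "$cfg"
echo "backends configured in $cfg:"
backend_addresses "$cfg"
```

The listener binds only to the load balancer’s own address (192.168.56.101) rather than 0.0.0.0, which keeps the proxy from accidentally answering on any other interface the VM happens to have.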

Resources

Pound (networking)

POUND – REVERSE-PROXY AND LOAD-BALANCER

Pound : HTTP Load Balancing

Simple Apache Load Balancing – Pound RPM

Linux install and configure pound reverse proxy for Apache http / https web server

Pound Gateway & Config Directives Explained

Lighttpd & Config Directives Explained

A few ways to configure Linux firewalld

RHEL 7 / CentOS 7: How to get started with Firewalld

RHEL7: How to get started with Firewalld.

How to open a port in the firewall on CentOS or RHEL

Take a Screenshot of Entire Webpage

Problem

I downloaded a playlist of 210 videos and needed to track the order of the videos as listed on the webpage. The webpage lists about 10 videos and you have to scroll down to view the rest.

Solution

According to this answer, Firefox has a built-in option. Simply load up the page in Firefox and hit Shift + F2. This will bring up a Command Line Interface (CLI) at the bottom left-hand side of the browser:

(screenshot: Firefox CLI, opened with Shift + F2)

Firefox version used is Mozilla Firefox 40.0.3

Enter the command:

screenshot --fullpage <file_name>.png

Then hit Enter and it will prompt you for the location to save the screenshot.
Hint: as you type the command, hit Tab to autocomplete.

(screenshot: the screenshot command in the Firefox in-browser CLI)

Resources

How to take screenshot of complete webpages?

How can I take a full page screenshot of a webpage from the command line?


Virtual Box Connect to HTTP Server on Guest OS

Problem

I have a Guest OS on VirtualBox, running on an Ubuntu-based Host OS. I can ping and ssh into my CentOS 7 Guest OS from the host after using the Host-Only Networking option in VirtualBox.

The problem came in when I tried reaching the Guest OS’s IP on the Host OS web browser. I’d get this error:

(screenshot: error in the Host OS web browser)

Telnet from the host to the Guest IP gave the following error:

telnet 192.168.56.102 80
telnet: Unable to connect to remote host: No route to host
(screenshot: telnet result, Host to Guest)

Troubleshooting

  • Checked whether the port is open and whether the firewall is running on the Guest OS:
(screenshot: port check and firewall status on the Guest OS)
  • Tried to telnet to the port from the Guest OS itself, which succeeded:
(screenshot: telnet from the Guest OS, successful)
  • Tried to ping the Guest IP from the Host, which was also successful:
(screenshot: ping from Host to Guest)

Solution

After some doodling, I found this pointer.

Starting with CentOS and RHEL 7, firewall rule settings are managed by the firewalld service daemon. A command-line client called firewall-cmd can talk to this daemon to update firewall rules permanently.

service firewalld status
(screenshot: firewalld was running on the CentOS guest)

So after stopping firewalld, I was able to telnet to port 80 and also get a response on the web browser:

service firewalld stop
(screenshot: firewalld stopped)
(screenshot: telnet from Host to Guest, successful)
(screenshot: Host web browser showing the page)

NB:// An alternative to stopping the firewall is to open up the http service/port on the firewall. This can be achieved as explained here.

Resources

Virtualbox: How to access web server on guest OS from the host OS?

A few ways to configure Linux firewalld

RHEL 7 / CentOS 7: How to get started with Firewalld

RHEL7: How to get started with Firewalld.

How to open a port in the firewall on CentOS or RHEL

Upgrading youtube-dl

Problem

I was trying to download a playlist but was getting an error.

Solution

According to this, the issue is normally caused by using version 2014.02.17 or older.

I was unable to upgrade using the option:

sudo youtube-dl -U

This option worked:

sudo pip install --upgrade youtube_dl

Resources

how to download playlist from youtube-dl?

Information below, provided in the Ubuntu software Manager, was also helpful:

To install it right away for all UNIX users (Linux, OS X, etc.), type:

sudo curl https://yt-dl.org/downloads/2015.09.03/youtube-dl -o /usr/local/bin/youtube-dl
sudo chmod a+rx /usr/local/bin/youtube-dl

If you do not have curl, you can alternatively use a recent wget:

sudo wget https://yt-dl.org/downloads/2015.09.03/youtube-dl -O /usr/local/bin/youtube-dl
sudo chmod a+rx /usr/local/bin/youtube-dl

You can also use pip:

sudo pip install --upgrade youtube_dl

This command will update youtube-dl if you have already installed it. See the pypi page for more information.
You can use Homebrew if you have it:

brew install youtube-dl

To check the signature, type:

sudo wget https://yt-dl.org/downloads/2015.09.03/youtube-dl.sig -O youtube-dl.sig
gpg --verify youtube-dl.sig /usr/local/bin/youtube-dl
rm youtube-dl.sig

The following GPG keys will be used to sign the binaries and the git tags:

4096R/A4826A18 Philipp Hagemeister Key fingerprint = 7D33 D762 FD6C 3513 0481 347F DB4B 54CB A482 6A18
4096R/BCF05F6B Filippo Valsorda Key fingerprint = 428D F5D6 3EF0 7494 BB45 5AC0 EBF0 1804 BCF0 5F6B
Older releases are also signed with one of:

1024D/FAFB085C Philipp Hagemeister Key fingerprint = 0600 E1DB 6FB5 3A5D 95D8 FC0D F5EA B582 FAFB 085C (until 2013-06-01)
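The signature check quoted above stops at gpg --verify, which only tells you the file was signed by some key in your keyring. As an added example (mine, not from the youtube-dl project or the Ubuntu text above), the script below pins the two current release fingerprints listed above and accepts a download only when gpg reports a VALIDSIG from one of them. It assumes gpg’s --status-fd output format (“[GNUPG:] VALIDSIG <fingerprint> …”), and the sample status text it parses is constructed for the demo; the older FAFB085C key is deliberately not pinned, so a release signed only with it is rejected.

```shell
#!/bin/sh
# Added example, not from the post or the youtube-dl project: verify a downloaded
# youtube-dl against its detached signature AND pin the signer's fingerprint, so a
# "Good signature" from some other key in the keyring is not enough.
# Assumes gpg's --status-fd line format: "[GNUPG:] VALIDSIG <fpr> ... [<primary-fpr>]".

# The two current release-signing fingerprints from the page, whitespace removed.
YTDL_FPRS='7D33D762FD6C35130481347FDB4B54CBA4826A18
428DF5D63EF07494BB455AC0EBF01804BCF05F6B'

# Constructed sample of gpg --status-fd output for a signature by the first key.
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] VALIDSIG 7D33D762FD6C35130481347FDB4B54CBA4826A18 2015-09-03 1441238400 0 4 0 1 10 00 7D33D762FD6C35130481347FDB4B54CBA4826A18'

# normalize_fpr "7D33 D762 ..." -> "7D33D762..." (uppercase, no spaces)
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'
}

# validsig_fprs STATUS_TEXT: print the signing-key fingerprint from each VALIDSIG
# line, plus the primary-key fingerprint when a subkey signed (last field differs).
validsig_fprs() {
    printf '%s\n' "$1" | awk '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" {
            print $3
            if (NF > 3 && $NF != $3) print $NF
        }'
}

# fpr_is_trusted FPR: succeed only if FPR is one of the pinned release keys.
fpr_is_trusted() {
    want=$(normalize_fpr "$1")
    for f in $YTDL_FPRS; do
        [ "$f" = "$want" ] && return 0
    done
    return 1
}

# verify_release BINARY SIG: run gpg and require a VALIDSIG from a pinned key.
verify_release() {
    status=$(gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null) || return 1
    for f in $(validsig_fprs "$status"); do
        fpr_is_trusted "$f" && return 0
    done
    return 1
}

# Demo: parse the constructed status text, then verify the real download if the
# files and gpg are present (same paths as the instructions above).
echo "signing key in sample status: $(validsig_fprs "$SAMPLE_STATUS" | tr '\n' ' ')"
if command -v gpg >/dev/null 2>&1 && [ -f youtube-dl.sig ] && [ -f /usr/local/bin/youtube-dl ]; then
    if verify_release /usr/local/bin/youtube-dl youtube-dl.sig; then
        echo "youtube-dl: valid signature from a pinned release key"
    else
        echo "youtube-dl: signature missing, bad, or from an unpinned key" >&2
    fi
fi
```

The point of the pin is that gpg --verify alone succeeds for any key you have imported; comparing the full fingerprint (not the short key ID) against a list you copied from a trusted place is what ties the binary to the project’s release keys.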

Finally, MPesa API is Out

Safaricom has finally officially opened up the M-Pesa API. It has been a long time coming and it’ll be interesting to see the innovations that are likely to spring up.

Here’s a summary of what you can do:

  • Automated Payment Receipt Processing: This is a Customer To Business feature/C2B where a payment transaction can be initiated by the customer or via the API. The customer simply opens up M-Pesa via the Sim ToolKit(STK) and proceeds to Lipa na M-PESA. Option 2 involves the customer receiving a USSD push asking them to authorize the transaction.
    • One of the interesting new features is the ability of the Business to vet the payment and only accept if the transaction meets their criteria or business rules, such as, is the money being paid to the right account? and so on. This reduces the overhead of having to refund erroneously sent transactions.
    • The Business entity will also receive confirmation that payment has been made/cancelled/failed and these can be forwarded in real time to a 3rd party.
  • Automated Payment Disbursements: This is essentially a Business To Customer (B2C) feature that was previously tedious: it involved creating a file in a specific format, uploading it onto a website and then having another user authorize the payment, among other teething complexities.
    • What’s new is that, this has now been automated and such payments can now be pushed from the Business to the API (programmatically) and subsequently to the recipient.
  • Automated Payments Reversal: Finally, as the name suggests, say you pay for something that’s been discontinued and, of course, you need your money back. The API provides an option for automating such reversals, and this can be tailored to suit the business’ internal processes.

For more check out.

Phone Data Used to Track Disease

So it seems there are some useful uses of harvested data. In this particular case, two US-based universities used anonymously collected phone data to track the spread of rubella in Kenya.

Interestingly, the study period covered school holidays, and the results show that phone data can be used to predict seasonal disease patterns and also to understand how travel/movement facilitates the spread of disease.


The Era of Data Collection

If like me you’ve recently upgraded to Windows 10, you’ll notice that Microsoft have joined the long list of companies wanting to know whether you like chocolate chip cookies or cup cakes.

Paranoid? There are a couple of settings you can turn on and off. A warning though! MS wants most of these on, for reasons that are sometimes obvious and sometimes not so. To keep the status quo, Cortana won’t work if and when you turn off some of the options in Start Menu –> Settings –> Privacy.

For more, check here.

More Reading

A Breakdown of the Windows 10 Privacy Policy

What Windows 10’s “Privacy Nightmare” Settings Actually Do