This should document the reconfiguration of HAL to provide a comparable service to Mystic.
https://xfs.org/index.php/Shrinking_Support - "Currently XFS Filesystems can't be shrunk."
Process for moving around the LVM
LVM Space Allocation - now:
hal:/root ## df -ht xfs
Filesystem              Size  Used Avail Use% Mounted on
/dev/mapper/cl-root      50G  6.4G   44G  13% /
/dev/sda1              1014M  181M  834M  18% /boot
/dev/mapper/cl-home      50G   33M   50G   1% /home
/dev/mapper/cl-libvirt  1.5T   33M  1.5T   1% /var/lib/libvirt
/dev/mapper/cl-log       10G   50M   10G   1% /var/log
Filesystems created:
hal:/ ## mkfs.xfs /dev/cl/home
meta-data=/dev/cl/home           isize=512    agcount=4, agsize=3276800 blks
         =                       sectsz=512   attr=2, projid32bit=1
         =                       crc=1        finobt=0, sparse=0
data     =                       bsize=4096   blocks=13107200, imaxpct=25
         =                       sunit=0      swidth=0 blks
naming   =version 2              bsize=4096   ascii-ci=0 ftype=1
log      =internal log           bsize=4096   blocks=6400, version=2
         =                       sectsz=512   sunit=0 blks, lazy-count=1
realtime =none                   extsz=4096   blocks=0, rtextents=0

hal:/ ## mkfs.xfs /dev/cl/libvirt
meta-data=/dev/cl/libvirt        isize=512    agcount=4, agsize=98304000 blks
         =                       sectsz=512   attr=2, projid32bit=1
         =                       crc=1        finobt=0, sparse=0
data     =                       bsize=4096   blocks=393216000, imaxpct=5
         =                       sunit=0      swidth=0 blks
naming   =version 2              bsize=4096   ascii-ci=0 ftype=1
log      =internal log           bsize=4096   blocks=192000, version=2
         =                       sectsz=512   sunit=0 blks, lazy-count=1
realtime =none                   extsz=4096   blocks=0, rtextents=0

hal:/ ## mkfs.xfs /dev/cl/log
meta-data=/dev/cl/log            isize=512    agcount=4, agsize=655360 blks
         =                       sectsz=512   attr=2, projid32bit=1
         =                       crc=1        finobt=0, sparse=0
data     =                       bsize=4096   blocks=2621440, imaxpct=25
         =                       sunit=0      swidth=0 blks
naming   =version 2              bsize=4096   ascii-ci=0 ftype=1
log      =internal log           bsize=4096   blocks=2560, version=2
         =                       sectsz=512   sunit=0 blks, lazy-count=1
realtime =none                   extsz=4096   blocks=0, rtextents=0
Current state of space:
hal:/root ## vgdisplay cl
  --- Volume group ---
  VG Name               cl
  System ID
  Format                lvm2
  Metadata Areas        1
  Metadata Sequence No  10
  VG Access             read/write
  VG Status             resizable
  MAX LV                0
  Cur LV                5
  Open LV               5
  Max PV                0
  Cur PV                1
  Act PV                1
  VG Size               <1.82 TiB
  PE Size               4.00 MiB
  Total PE              475901
  Alloc PE / Size       414176 / <1.58 TiB
  Free  PE / Size       61725 / 241.11 GiB
  VG UUID               EdHx5A-SkuN-5snE-IBbZ-g47D-qMmt-ocsVQA
(This leaves ~240G free to allocate as we see fit. Because XFS cannot be shrunk, the safe pattern is to allocate conservatively and grow a volume later with lvextend -r, which extends the LV and runs xfs_growfs on the mounted filesystem in one step; oversizing a volume now cannot be undone without recreating it.)
Updated with information here: https://trac.x0blr.com/hal/ticket/10
SELinux is enabled in PERMISSIVE mode: denials are logged to the audit log but not enforced, so getenforce should report "Permissive", and ausearch -m avc shows what would be blocked once the mode is switched to enforcing.
Firewalld is currently installed but not enabled to start on boot (the rules are still being configured, so a reboot restores access after a lockout):
hal:/root ## systemctl status firewalld.service
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
   Active: active (running) since Sat 2020-04-18 17:48:48 BST; 16h ago
SSH (port 22022) and VNC are currently permitted:

hal:/root ## firewall-cmd --list-services
dhcpv6-client ssh ssh-22022 vnc

Note that the stock ssh service (port 22) is still open alongside ssh-22022; if sshd only listens on 22022 it can be dropped with firewall-cmd --permanent --remove-service=ssh (followed by --reload). VNC is reachable from any source here; restricting it to the whitelisted addresses (via the trusted zone described below) or tunnelling it over SSH would be the safer arrangement.
New services are added to /etc/firewalld/services. Ports opened by VMs running on HAL do not need matching rules opening those ports on HAL as well (VMs do not "sit inside" HAL, but alongside it). This holds for guests attached to a bridged interface; guests on a libvirt NAT network are routed through HAL's kernel instead, so their traffic passes the host's FORWARD chain (which libvirt manages with its own rules) and any inbound port forwards to such guests have to be configured on HAL.
Managing ipsets through FirewallD is possible. Experimentation shows that rules can be added and show up in the config files, but they require a firewall-cmd --reload before they take effect.
1. Create an ipset. Examples are:

firewall-cmd --permanent --type=hash:ip --new-ipset=testblock                          ## creates /etc/firewalld/ipsets/testblock.xml
firewall-cmd --permanent --ipset=testblock --set-description="testing ipsets by Dave"  ## can't do description on same line
firewall-cmd --permanent --ipset=testblock --get-description                            ## get info.
firewall-cmd --get-ipsets    ## won't show it yet
firewall-cmd --reload
firewall-cmd --get-ipsets    ## should now show up
ipset -L                     ## also should show up - no description, mind.
The contents of /etc/firewalld/ipsets/testblock.xml read:

<?xml version="1.0" encoding="utf-8"?>
<ipset type="hash:ip">
  <description>testing ipsets by Dave</description>
</ipset>
2. Add this set as a source to a zone to make it a whitelist or blacklist. In this case, add it to the drop zone so that every address in the set is silently dropped:

firewall-cmd --get-active-zones                                     # see which zones are in use
firewall-cmd --permanent --zone=drop --add-source=ipset:testblock   # adds this entry to /etc/firewalld/zones/drop.xml
firewall-cmd --reload
firewall-cmd --get-active-zones                                     # drop should now be listed as active, with ipset:testblock as its source
3. Delete an ipset from FirewallD. This removes the set itself, not just its membership of the drop zone (to detach a set from a zone while keeping it, use --remove-source=ipset:testblock on the zone instead):

firewall-cmd --get-ipsets                          ## shows current ipsets
firewall-cmd --permanent --delete-ipset=testblock  ## no need to mention the zone
firewall-cmd --reload
firewall-cmd --get-ipsets                          ## no longer listed
ipset -L                                           ## may still show, but not as part of FirewallD
4. Add entries to the set:

firewall-cmd --permanent --ipset=testblock --add-entry=1.2.3.4
firewall-cmd --permanent --ipset=testblock --add-entry=2.3.4.5
ipset -L               # no show yet - but added to /etc/firewalld/ipsets/testblock.xml
firewall-cmd --reload
ipset -L               # shows
The contents of /etc/firewalld/ipsets/testblock.xml will now read:

<?xml version="1.0" encoding="utf-8"?>
<ipset type="hash:ip">
  <description>testing ipsets by Dave</description>
  <entry>1.2.3.4</entry>
  <entry>2.3.4.5</entry>
</ipset>
5. Remove an entry from the set:

firewall-cmd --permanent --ipset=testblock --remove-entry=1.2.3.4   ## deletes an entry from "testblock"
ipset -L               ## still shows in ipset but not in /etc/firewalld/ipsets/testblock.xml
firewall-cmd --reload
ipset -L               ## removed from ipset, XML file also updated

Of note is that DROP rules appear to apply to NEW connections, not ESTABLISHED ones: it is possible to add a block against the source of an existing SSH session that plain iptables would cut immediately, but FirewallD will not stop the current session. The reason is that firewalld's generated rule set accepts RELATED,ESTABLISHED traffic by conntrack state before packets are dispatched to zones, so a newly blocked source keeps any sessions it already has until they close. To cut those at once, delete that source's conntrack entries as well (conntrack -D -s 1.2.3.4, from conntrack-tools).

Additional change: whitelisting trusted IPs. The trusted zone accepts everything from its sources, so an address in this set bypasses every service restriction above; only addresses under our own control belong in it. Steps are:

firewall-cmd --permanent --type=hash:ip --new-ipset=whitelisted
firewall-cmd --permanent --ipset=whitelisted --set-description="Whitelisted IPs"
firewall-cmd --permanent --ipset=whitelisted --get-description
firewall-cmd --reload
firewall-cmd --get-ipsets
ipset -L
## Adding the new IPset to FirewallD
firewall-cmd --permanent --zone=trusted --add-source=ipset:whitelisted
firewall-cmd --reload
firewall-cmd --get-active-zones
## manipulate IPset rules through FirewallD
firewall-cmd --permanent --ipset=whitelisted --add-entry=1.2.3.4
firewall-cmd --permanent --ipset=whitelisted --add-entry=2.3.4.5
## Don't forget to reload to embed the rules.
firewall-cmd --reload
## Viewing the rules, use either:
cat /etc/firewalld/ipsets/whitelisted.xml
ipset -L whitelisted
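The following script is an added example, not code from the HAL page: it keeps a firewalld ipset (such as the "whitelisted" set that feeds the trusted zone) in sync with a plain-text list of addresses, validating every entry before it is handed to firewall-cmd, and reloads once at the end, since the permanent configuration is not live until then. The list file name and format, the /16 minimum prefix length and the /root/whitelisted.txt path are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not code from the HAL page: keep a firewalld ipset in sync with
# a plain-text list, validating every entry first. The list file format, the
# 16-bit minimum prefix and the paths in the usage note are assumptions.

# Entries of a firewalld ipset XML file (/etc/firewalld/ipsets/<name>.xml), one per line.
ipset_xml_entries() {
    sed -n 's/^[[:space:]]*<entry>\([^<]*\)<\/entry>.*$/\1/p' "$1"
}

# Accept a dotted-quad IPv4 address or address/prefix (hash:ip sets take both) and
# refuse prefixes shorter than /16: a typo such as 10.0.0.0/0 in a set that feeds
# the trusted zone would match every address on the Internet.
valid_entry() {
    addr=${1%/*}
    prefix=32
    case $1 in */*) prefix=${1#*/} ;; esac
    echo "$addr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $addr
    IFS=$old_ifs
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
    echo "$prefix" | grep -Eq '^[0-9]{1,2}$' || return 1
    [ "$prefix" -ge 16 ] && [ "$prefix" -le 32 ]
}

# Diff the desired list ($1: one entry per line, '#' comments allowed) against the
# current XML ($2) and print "add X" / "remove X" lines. Invalid desired entries
# are printed as "reject X" and are never added.
plan_ipset_changes() {
    current=$(ipset_xml_entries "$2")
    desired=$(sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1")
    keep=""
    for e in $desired; do
        if valid_entry "$e"; then keep="$keep $e"; else echo "reject $e"; fi
    done
    for e in $keep; do
        echo "$current" | grep -qxF "$e" || echo "add $e"
    done
    for e in $current; do
        echo " $keep " | grep -qF " $e " || echo "remove $e"
    done
}

# Apply a plan (read from stdin) through firewall-cmd, then reload once: permanent
# changes do nothing to the running set until firewall-cmd --reload.
apply_plan() {
    # $1 = ipset name
    while read -r action entry; do
        case $action in
            add)    firewall-cmd --permanent --ipset="$1" --add-entry="$entry" ;;
            remove) firewall-cmd --permanent --ipset="$1" --remove-entry="$entry" ;;
            reject) echo "refusing to add '$entry' to $1" >&2 ;;
        esac
    done
    firewall-cmd --reload
}

# Usage on HAL (as root), with /root/whitelisted.txt as the assumed source list:
#   plan_ipset_changes /root/whitelisted.txt /etc/firewalld/ipsets/whitelisted.xml \
#       | apply_plan whitelisted
#   ipset list whitelisted     # confirm the kernel set now matches the XML
```

Running the plan step on its own before piping it into apply_plan shows exactly which addresses would be added, removed or refused, which is the check worth making before touching a set that grants full access.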
Currently installed and closely mirrors the settings mentioned for ALBERT. Observations are:
- the file name isn't important, but a [DEFAULT] section is needed to override the stock default settings.
Currently the only addition is /etc/fail2ban/jail.d/50-sshd.conf, which bans a source (DROP rule) after 3 failed SSH logins; apache rules are not (currently) needed for HAL. Since sshd listens on 22022, the jail's port setting must name 22022: the stock [sshd] jail uses port = ssh (i.e. 22), and a ban on that port alone would leave the real listener untouched. fail2ban-client status sshd shows the jail is active and what it has banned.
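The check just described, as an added example that is not part of the HAL page: it reads the Port directives from sshd_config and the port value from the sshd jail file and fails when a listener is not covered. Parsing only the jail.d file (not the merged fail2ban configuration) and the paths in the usage note are assumptions.

```shell
#!/bin/sh
# Added example, not from the HAL page: confirm that the fail2ban sshd jail bans
# the port sshd really listens on. It parses sshd_config and one jail file
# directly; the file paths in the usage note are assumptions.

# Ports from "Port" directives in sshd_config; 22 when none is set.
sshd_ports() {
    # $1 = sshd_config
    ports=$(awk 'tolower($1) == "port" { print $2 }' "$1")
    echo "${ports:-22}"
}

# Value of "port" inside the [$2] section of a fail2ban jail file (empty if unset).
jail_port() {
    # $1 = jail file, $2 = jail name
    awk -v want="[$2]" '
        /^[[:space:]]*\[/ { s = $0; gsub(/[[:space:]]/, "", s); insect = (s == want); next }
        insect && index($0, "=") {
            n = index($0, "="); k = substr($0, 1, n - 1); gsub(/[[:space:]]/, "", k)
            if (tolower(k) == "port") {
                v = substr($0, n + 1); gsub(/^[[:space:]]+|[[:space:]]+$/, "", v); print v; exit
            }
        }
    ' "$1"
}

# Return 0 if every sshd listener is covered by the jail's port list, else 1.
# fail2ban's stock jail.conf sets "port = ssh" (the service name for 22) for
# [sshd]; that is what applies when the jail.d file does not override it.
check_sshd_jail() {
    # $1 = sshd_config, $2 = jail file
    jp=$(jail_port "$2" sshd)
    [ -n "$jp" ] || jp=ssh
    for p in $(sshd_ports "$1"); do
        covered=0
        case ",$jp," in *",$p,"*) covered=1 ;; esac
        if [ "$p" = 22 ]; then
            case ",$jp," in *",ssh,"*) covered=1 ;; esac
        fi
        if [ "$covered" = 0 ]; then
            echo "sshd listens on $p but the sshd jail bans port(s) '$jp'" >&2
            return 1
        fi
    done
    return 0
}

# Usage on HAL:
#   check_sshd_jail /etc/ssh/sshd_config /etc/fail2ban/jail.d/50-sshd.conf \
#       && fail2ban-client status sshd
```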
The intention is to run Postfix as a forward-only MTA (so that outbound notifications can be sent by email) without permitting incoming connections; inet_interfaces = localhost keeps smtpd bound to loopback only, which can be confirmed with ss -ltn 'sport = :25'. Most configuration settings follow the work done on ALBERT.
The important lines in main.cf are:

myhostname = hal.server
mydomain = $myhostname
myorigin = $myhostname
inet_interfaces = localhost
mydestination = $myhostname, localhost.$mydomain, localhost
alias_maps = hash:/etc/aliases
sender_canonical_maps = hash:/etc/postfix/outbound.sender_canonical
/etc/postfix/outbound.sender_canonical (used to rewrite "local" addresses to real postboxes; run postmap on it after every edit so the hash: table is rebuilt) reads:

## this rewrites fred@hal.server -> fred@proper.fq.dn
#
#
root@hal.server       hal-root@tombstones.org.uk
dave@hal.server       dave@hal.tombstones.org.uk
logwatch@hal.server   hal-logwatch@tombstones.org.uk
/etc/aliases (used to accept locally-delivered mail and then forward it off; run newaliases after editing) currently looks like:

## -- this is where mails get forwarded off..
root:   security@tombstones.org.uk
dave:   dave@tombstones.org.uk
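An added example, not part of the HAL page or of Postfix itself: a few shell functions that read the plain-text map sources above and trace where a local notification ends up (recipient expanded through /etc/aliases, sender rewritten through sender_canonical after Postfix has completed it with $myorigin), plus a check that main.cf keeps smtpd on loopback. The hash: lookups are emulated with awk; the .db files are still rebuilt on the host with postmap and newaliases. The paths in the usage note are assumptions.

```shell
#!/bin/sh
# Added example, not part of the HAL page: static checks on the forward-only
# Postfix setup, read from the plain-text map sources (the .db files are still
# rebuilt on the host with postmap/newaliases). Paths are assumptions.

# Value for KEY in a Postfix "key value" text map; comments and blanks ignored.
# Postfix folds the case of hash: lookup keys, so compare case-insensitively.
map_lookup() {
    # $1 = map file, $2 = key
    awk -v key="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# /etc/aliases keys end in a colon ("root:"); strip it before comparing.
alias_lookup() {
    # $1 = aliases file, $2 = local user
    awk -v user="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        { k = $1; sub(/:$/, "", k) }
        tolower(k) == tolower(user) { print $2; exit }
    ' "$1"
}

# Trace a local notification from user $1 to user $2: the recipient expands
# through the aliases file ($3); the envelope sender, which Postfix first
# completes with myorigin ($5), is rewritten through sender_canonical ($4).
trace_mail() {
    to=$(alias_lookup "$3" "$2")
    from=$(map_lookup "$4" "$1@$5")
    if [ -z "$to" ]; then
        echo "no alias for $2: mail would stay in a local mailbox on HAL" >&2; return 1
    fi
    if [ -z "$from" ]; then
        echo "no rewrite for $1@$5: bounces and replies would go to an unroutable host" >&2; return 1
    fi
    echo "$from -> $to"
}

# inet_interfaces must keep smtpd on loopback so nothing can connect from outside.
check_loopback_only() {
    # $1 = main.cf
    v=$(awk -F= '$1 ~ /^[[:space:]]*inet_interfaces[[:space:]]*$/ { gsub(/[[:space:]]/, "", $2); print $2; exit }' "$1")
    case $v in localhost|loopback-only|127.0.0.1) return 0 ;; esac
    echo "inet_interfaces = '$v' exposes SMTP beyond loopback" >&2
    return 1
}

# Usage on HAL after editing the maps (rebuild the hash tables, then verify):
#   postmap /etc/postfix/outbound.sender_canonical && newaliases && postfix reload
#   postmap -q root@hal.server hash:/etc/postfix/outbound.sender_canonical
#   ss -ltn 'sport = :25'          # expect loopback addresses only
#   trace_mail root root /etc/aliases /etc/postfix/outbound.sender_canonical hal.server
#   check_loopback_only /etc/postfix/main.cf
```

With the maps as shown above, trace_mail root root reports hal-root@tombstones.org.uk -> security@tombstones.org.uk, while trace_mail logwatch logwatch fails: logwatch has a sender rewrite but no entry in /etc/aliases, so its reports would be delivered to a local mailbox on HAL rather than forwarded.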