KLV-Airedale-beta21 with Kernel 6.0.0-KLV SMP PREEMT DYNAMIC

Kennel Linux Void-based



Re: KLV-Airedale-beta21 with Kernel 6.0.0-KLV SMP PREEMT DYNAMIC

Post by wiak »

williams2 wrote: Wed Oct 26, 2022 5:40 am

It would be added as a service most likely.

If you are referring to iptables-restore
it's not a daemon, it just runs for a few milliseconds and exits.

Puppy has /etc/init.d/ and /etc/rc0.d and /etc/rc1.d and /etc/rc2.d etc etc
for scripts to start services.

If KLV uses systemd that would be more complicated.

Actually, systemd specifically provides a one-shot service type just for this type of event really:

https://gist.github.com/drmalex07/d006f12914b21198ee43
https://www.redhat.com/sysadmin/systemd-oneshot-service
https://trstringer.com/simple-vs-onesho ... d-service/

Unfortunately, it seems runit (as used by Void Linux and thus KLV-Airedale) does not (unless support for that has been added since the following):

https://www.reddit.com/r/voidlinux/comm ... e_at_boot/
https://github.com/void-linux/void-runit/issues/23

cron job suggestion, but whether safe isn't answered: https://superuser.com/questions/1736560 ... tem-reboot

I am wondering if you couldn't simply sv stop service after it is started? Wouldn't that be like a one-shot? I imagine I am missing something with that idea...
https://kchard.github.io/runit-quickstart/

https://www.tinylinux.info/
DOWNLOAD wd_multi for hundreds of 'distros' at your fingertips: viewtopic.php?p=99154#p99154
Is it worth translating?


Re: KLV-Airedale-beta21 with Kernel 6.0.0-KLV SMP PREEMT DYNAMIC

Post by geo_c »

rockedge wrote: Wed Oct 26, 2022 5:19 am

Are you running gufw, the GUI for the firewall? There might be an enable at boot option checkbox.

Yes, I looked for a checkbox and didn't see it anywhere.

geo_c
Old School Hipster, and Such


Re: KLV-Airedale-beta21 with Kernel 6.0.0-KLV SMP PREEMT DYNAMIC

Post by rockedge »

wouldn't a script in /root/Startup do the trick?


Re: KLV-Airedale-beta21 with Kernel 6.0.0-KLV SMP PREEMT DYNAMIC

Post by fredx181 »

geo-c wrote:

Just noticing that the firewall seems to always come up disabled on boot. Is there a way to autostart it?

ufw has a runit service included, but it's not activated for some reason, run from terminal to activate:
cd /var/service; ln -s /etc/sv/ufw/ ufw
And it should start at (next) boot (edit: and showing in gufw status enabled).


Re: KLV-Airedale-beta21 with Kernel 6.0.0-KLV SMP PREEMT DYNAMIC

Post by rockedge »

@fredx181 I agree that is the best way. I just looked ufw over and the link to /var/service will start it at boot.

@geo_c This applies to KLV-Airedale -> https://docs.voidlinux.org/config/services/index.html

Is there a GUI to manage the services? Like some yad + script contraption that scans the /etc/sv and /var/services and adds and removes the symlinks to start stop services. Something like the utilities that Puppy Linux has for managing system startup.

Might be better to use sv commands in the scripts

Code:

Basic Usage

To start, stop, restart or get the status of a service:

# sv up <services>
# sv down <services>
# sv restart <services>
# sv status <services>

The <services> placeholder can be:

    Service names (service directory names) inside the /var/service/ directory.
    The full paths to the services.

For example, the following commands show the status of a specific service and of all enabled services:

# sv status dhcpcd
# sv status /var/service/*

Re: KLV-Airedale-beta21 with Kernel 6.0.0-KLV SMP PREEMT DYNAMIC

Post by fredx181 »

rockedge wrote:

Might be better to use sv commands in the scripts

Perhaps yes, but in the documentation it also says to use ln -s to enable a service.

To enable a service on a booted system, create a symlink to the service directory in /var/service/:

# ln -s /etc/sv/<service> /var/service/


Re: KLV-Airedale-beta21 with Kernel 6.0.0-KLV SMP PREEMT DYNAMIC

Post by geo_c »

fredx181 wrote: Thu Oct 27, 2022 2:00 pm
rockedge wrote:

Might be better to use sv commands in the scripts

Perhaps yes, but in the documentation it also says to use ln -s to enable a service.

To enable a service on a booted system, create a symlink to the service directory in /var/service/:

# ln -s /etc/sv/<service> /var/service/

Just noticing again that in KLV-RC1 the firewall enable isn't persistent on reboot. I'll apply this fix again.

geo_c
Old School Hipster, and Such


Re: KLV-Airedale-beta21 with Kernel 6.0.0-KLV SMP PREEMT DYNAMIC

Post by rockedge »

@geo_c I don't start the service as default. The symlink @fredx181 method is perfect for the already running system.
This is the command for either a running or not running system to activate a service at system startup:

Code:

ln -s /etc/sv/<service> /etc/runit/runsvdir/default/<service>

How to autostart Gufw with the system?
You do not need it. After you do all of the changes in Gufw, the settings are still in place until the next changes.

Why is Gufw disabled by default?
By default, the firewall does not open ports to the outside world.

Some rules are added by themselves?
Well, the behaviour is such that when you change or import a profile, or when you edit a rule, Gufw will add that rule again, then ufw re-adds that rule for IPv4 and IPv6.

What is Allow, Deny, Reject and Limit?
• Allow: Will allow traffic.
• Deny: Will deny traffic.
• Reject: Will deny traffic and will inform that it has been rejected.
• Limit: Will deny traffic if an IP tried several connections.

I see some rules in all profiles
All the ufw rules will appear in all profiles.

What do I see in the Listening Report?
The ports on the live system in the listening state for TCP and the open state for UDP.

I want even more!
You'll find more information in the community documentation :) help.ubuntu.com/community/Gufw


Re: KLV-Airedale-beta21 with Kernel 6.0.0-KLV SMP PREEMT DYNAMIC

Post by fredx181 »

rockedge wrote:

I don't start the service as default. The symlink @fredx181 method is perfect for the already running system.
This is the command for either a running or not running system to activate a service at system startup: ....

Don't know what your reason is, but I think activating the service doesn't really enable the firewall; I mean that you still need to enable it in the gufw GUI.
Just briefly tested some time ago, I may be wrong ...


Re: KLV-Airedale-beta21 with Kernel 6.0.0-KLV SMP PREEMT DYNAMIC

Post by rockedge »

@fredx181 yes, that is why it's not enabled as a service by default; that's not how gufw works. iptables can be started by runit during the boot stages.

Firewalls
iptables

By default, the iptables package is installed on the base system. It provides iptables(8)/ip6tables(8). The related services use the /etc/iptables/iptables.rules and /etc/iptables/ip6tables.rules ruleset files, which must be created by the system administrator.

Two example rulesets are provided in the /etc/iptables directory: empty.rules and simple_firewall.rules.

Applying the rules at boot

To apply iptables rules at runit stage 1, install the runit-iptables package. This adds a core-service which restores the iptables.rules and ip6tables.rules rulesets.

Alternatively, to apply these rules at stage 2, add the following to /etc/rc.local:

Code:

if [ -e /etc/iptables/iptables.rules ]; then
  iptables-restore /etc/iptables/iptables.rules
fi

if [ -e /etc/iptables/ip6tables.rules ]; then
  ip6tables-restore /etc/iptables/ip6tables.rules
fi

After rebooting, check the active firewall rules:

Code:

# iptables -L
# ip6tables -L

Applying the rules at runtime

iptables comes with two runit services, iptables and ip6tables, to quickly flush or restore the iptables.rules and ip6tables.rules rulesets. Once these services are enabled, you can flush the rulesets by downing the relevant service, e.g.:

Code:

# sv down iptables

and restore them by upping the relevant service, e.g.:

# sv up ip6tables


Re: KLV-Airedale-beta21 with Kernel 6.0.0-KLV SMP PREEMT DYNAMIC

Post by geo_c »

rockedge wrote: Wed Dec 07, 2022 7:50 pm

@geo_c I don't start the service as default. The symlink @fredx181 method is perfect for the already running system.

Well, I ran fred's link command earlier today, and I just fired up KLV and the firewall is indeed running on boot, so if you mean once you run the command on a running system then it's persistent on future boots, then my test confirms it.

geo_c
Old School Hipster, and Such


Re: KLV-Airedale-beta21 with Kernel 6.0.0-KLV SMP PREEMT DYNAMIC

Post by rockedge »

@geo_c correct, once the symlink is in place in /var/service (which is a symlink to /etc/runit/runsvdir/default) the firewall will be started during a system boot until the symlink is removed.
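
Added example, not part of any post in this thread: a POSIX sh check that combines the two conditions discussed above, the runit link under /etc/runit/runsvdir/default and ufw's own enabled flag, and reports which firewall, if any, will be active after boot. The ROOT argument and the state names are illustrative; it assumes ufw reads ENABLED=yes from /etc/ufw/ufw.conf and that a down file in the service directory keeps runsv from starting the service.

```sh
#!/bin/sh
# Added example (not from the thread). ROOT is a hypothetical prefix argument:
# "" audits the running system, a path audits a mounted image or test tree.

# Print the directory that runsvdir would supervise for a service name.
svc_dir() {  # $1 = ROOT, $2 = service name
    entry="$1/etc/runit/runsvdir/default/$2"
    if [ -L "$entry" ]; then
        target=$(readlink "$entry")
        case "$target" in
            /*) echo "$1$target" ;;                    # absolute link: re-root it
            *)  echo "$(dirname "$entry")/$target" ;;  # relative link
        esac
    elif [ -d "$entry" ]; then
        echo "$entry"
    else
        return 1
    fi
}

# Started at boot only if the link is not dangling, ./run is executable,
# and no ./down file tells runsv to leave the service stopped.
svc_enabled() {
    dir=$(svc_dir "$1" "$2") || return 1
    [ -x "$dir/run" ] && [ ! -e "$dir/down" ]
}

# Assumption: ufw only loads its rules when ufw.conf carries ENABLED=yes.
ufw_conf_enabled() {
    grep -Eq '^[[:space:]]*ENABLED="?(yes|YES)"?[[:space:]]*$' \
        "$1/etc/ufw/ufw.conf" 2>/dev/null
}

fw_boot_state() {  # $1 = ROOT; prints exactly one state word
    if svc_enabled "$1" ufw; then
        if ufw_conf_enabled "$1"; then echo ufw-active
        else echo ufw-linked-but-disabled; fi
    elif svc_enabled "$1" iptables; then
        if [ -s "$1/etc/iptables/iptables.rules" ]; then echo iptables-active
        else echo iptables-linked-no-rules; fi
    else
        echo no-firewall-service
    fi
}

fw_boot_state "${1:-}"
```

Run it with no argument on the live system, or pass a mount point to audit an image before booting it.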
