Re: KLV-Airedale-beta21 with Kernel 6.0.0-KLV SMP PREEMT DYNAMIC

Posted: Wed Oct 26, 2022 7:26 am
by wiak
williams2 wrote: Wed Oct 26, 2022 5:40 am

It would be added as a service most likely.

If you are referring to iptables-restore
it's not a daemon, it just runs for a few milliseconds and exits.

Puppy has /etc/init.d/ and /etc/rc0.d and /etc/rc1.d and /etc/rc2.d etc etc
for scripts to start services.

If KLV uses systemd that would be more complicated.

Actually, systemd specifically provides a one-shot service type just for this type of event really:

https://gist.github.com/drmalex07/d006f12914b21198ee43
https://www.redhat.com/sysadmin/systemd-oneshot-service
https://trstringer.com/simple-vs-onesho ... d-service/

Unfortunately, it seems runit (as used by Void Linux and thus KLV-Airedale) does not (unless support for that has been added since the following):

https://www.reddit.com/r/voidlinux/comm ... e_at_boot/
https://github.com/void-linux/void-runit/issues/23

cron job suggestion, but whether safe isn't answered: https://superuser.com/questions/1736560 ... tem-reboot

I am wondering if you couldn't simply sv stop service after it is started? Wouldn't that be like a one-shot? I imagine I am missing something with that idea...
https://kchard.github.io/runit-quickstart/


Re: KLV-Airedale-beta21 with Kernel 6.0.0-KLV SMP PREEMT DYNAMIC

Posted: Wed Oct 26, 2022 1:00 pm
by geo_c
rockedge wrote: Wed Oct 26, 2022 5:19 am

Are you running gufw, the GUI for the firewall? There might be an enable at boot option checkbox.

Yes, I looked for a checkbox and didn't see it anywhere.


Re: KLV-Airedale-beta21 with Kernel 6.0.0-KLV SMP PREEMT DYNAMIC

Posted: Wed Oct 26, 2022 2:27 pm
by rockedge

wouldn't a script in /root/Startup do the trick?


Re: KLV-Airedale-beta21 with Kernel 6.0.0-KLV SMP PREEMT DYNAMIC

Posted: Wed Oct 26, 2022 5:15 pm
by fredx181
geo-c wrote:

Just noticing that the firewall seems to always come up disabled on boot. Is there a way to autostart it?

ufw has a runit service included, but it's not activated for some reason, run from terminal to activate:
cd /var/service; ln -s /etc/sv/ufw/ ufw
And it should start at (next) boot (edit: and showing in gufw status enabled).


Re: KLV-Airedale-beta21 with Kernel 6.0.0-KLV SMP PREEMT DYNAMIC

Posted: Wed Oct 26, 2022 6:27 pm
by rockedge

@fredx181 I agree that is the best way. I just looked ufw over and the link to /var/service will start it at boot.

@geo_c This applies to KLV-Airedale -> https://docs.voidlinux.org/config/services/index.html

Is there a GUI to manage the services? Like some yad + script contraption that scans the /etc/sv and /var/services and adds and removes the symlinks to start stop services. Something like the utilities that Puppy Linux has for managing system startup.

Might be better to use sv commands in the scripts

Basic Usage

To start, stop, restart or get the status of a service:

# sv up <services>
# sv down <services>
# sv restart <services>
# sv status <services>

The <services> placeholder can be:

    Service names (service directory names) inside the /var/service/ directory.
    The full paths to the services.

For example, the following commands show the status of a specific service and of all enabled services:

# sv status dhcpcd
# sv status /var/service/*

Re: KLV-Airedale-beta21 with Kernel 6.0.0-KLV SMP PREEMT DYNAMIC

Posted: Thu Oct 27, 2022 2:00 pm
by fredx181
rockedge wrote:

Might be better to use sv commands in the scripts

Perhaps yes, but in the documentation it also says to use ln -s to enable a service.

To enable a service on a booted system, create a symlink to the service directory in /var/service/:

# ln -s /etc/sv/<service> /var/service/


Re: KLV-Airedale-beta21 with Kernel 6.0.0-KLV SMP PREEMT DYNAMIC

Posted: Wed Dec 07, 2022 3:56 pm
by geo_c
fredx181 wrote: Thu Oct 27, 2022 2:00 pm
rockedge wrote:

Might be better to use sv commands in the scripts

Perhaps yes, but in the documentation it also says to use ln -s to enable a service.

To enable a service on a booted system, create a symlink to the service directory in /var/service/:

# ln -s /etc/sv/<service> /var/service/

Just noticing again that in KLV-RC1 the firewall enable isn't persistent on reboot. I'll apply this fix again.


Re: KLV-Airedale-beta21 with Kernel 6.0.0-KLV SMP PREEMT DYNAMIC

Posted: Wed Dec 07, 2022 7:50 pm
by rockedge

@geo_c I don't start the service as default. The symlink @fredx181 method is perfect for the already running system.
This is the command for either a running or not running system to activate a service at system startup:

ln -s /etc/sv/<service> /etc/runit/runsvdir/default/<service>

How to autostart Gufw with the system?
You do not need it. After you do all of the changes in Gufw, the settings are still in place until the next changes.

Why is Gufw disabled by default?
By default, the firewall does not open ports to the outside world.

Some rules are added by themselves?
Well, the behaviour is such that when you change or import a profile, or when you edit a rule, Gufw will add that rule again, then ufw re-adds that rule for IPv4 and IPv6.

What is Allow, Deny, Reject and Limit?
• Allow: Will allow traffic.
• Deny: Will deny traffic.
• Reject: Will deny traffic and will inform that it has been rejected.
• Limit: Will deny traffic if an IP tried several connections.

I see some rules in all profiles
All the ufw rules will appear in all profiles.

What do I see in the Listening Report?
The ports on the live system in the listening state for TCP and the open state for UDP.

I want even more!
You'll find more information in the community documentation :) help.ubuntu.com/community/Gufw


Re: KLV-Airedale-beta21 with Kernel 6.0.0-KLV SMP PREEMT DYNAMIC

Posted: Wed Dec 07, 2022 10:58 pm
by fredx181
rockedge wrote:

I don't start the service as default. The symlink @fredx181 method is perfect for the already running system.
This is the command for either a running or not running system to activate a service at system startup: ....

Don't know what's your reason, but I think activating the service doesn't really enable the firewall, I mean that you still need to enable it in the gufw GUI.
Just briefly tested sometime ago, I may be wrong ...


Re: KLV-Airedale-beta21 with Kernel 6.0.0-KLV SMP PREEMT DYNAMIC

Posted: Thu Dec 08, 2022 12:08 am
by rockedge

@fredx181 yes, that is why it's not enabled as a service by default; that's not how gufw works. iptables can be started by runit during the boot stages.

Firewalls
iptables

By default, the iptables package is installed on the base system. It provides iptables(8)/ip6tables(8). The related services use the /etc/iptables/iptables.rules and /etc/iptables/ip6tables.rules ruleset files, which must be created by the system administrator.

Two example rulesets are provided in the /etc/iptables directory: empty.rules and simple_firewall.rules.

Applying the rules at boot

To apply iptables rules at runit stage 1, install the runit-iptables package. This adds a core-service which restores the iptables.rules and ip6tables.rules rulesets.

Alternatively, to apply these rules at stage 2, add the following to /etc/rc.local:

if [ -e /etc/iptables/iptables.rules ]; then
  iptables-restore /etc/iptables/iptables.rules
fi

if [ -e /etc/iptables/ip6tables.rules ]; then
  ip6tables-restore /etc/iptables/ip6tables.rules
fi

After rebooting, check the active firewall rules:

# iptables -L
# ip6tables -L

Applying the rules at runtime

iptables comes with two runit services, iptables and ip6tables, to quickly flush or restore the iptables.rules and ip6tables.rules rulesets. Once these services are enabled, you can flush the rulesets by downing the relevant service, e.g.:

# sv down iptables

and restore them by upping the relevant service, e.g.:

# sv up ip6tables


Re: KLV-Airedale-beta21 with Kernel 6.0.0-KLV SMP PREEMT DYNAMIC

Posted: Thu Dec 08, 2022 2:07 am
by geo_c
rockedge wrote: Wed Dec 07, 2022 7:50 pm

@geo_c I don't start the service as default. The symlink @fredx181 method is perfect for the already running system.

Well, I ran fred's link command earlier today, and I just fired up KLV and the firewall is indeed running on boot, so if you mean once you run the command on a running system then it's persistent on future boots, then my test confirms it.


Re: KLV-Airedale-beta21 with Kernel 6.0.0-KLV SMP PREEMT DYNAMIC

Posted: Thu Dec 08, 2022 2:29 am
by rockedge

@geo_c correct, once the symlink is in place in /var/service (which is a symlink to /etc/runit/runsvdir/default) the firewall will be started during a system boot until the symlink is removed.
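
The thread raises two separate conditions: the runit symlink for ufw must be in place, and (per fredx181's observation) ufw itself must still be set to enabled. The script below is an added example, not code from any poster or from KLV or Void Linux, that checks both; the function names are hypothetical, and it assumes ufw's stock /etc/ufw/ufw.conf, where `ufw enable` records `ENABLED=yes`.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.
# ROOT is "/" for the live system, or a mounted/test tree for an offline audit.

# Resolve where a service symlink points, re-rooting absolute targets under ROOT.
svc_target() {
    target=$(readlink "$1") || return 1
    case $target in
        /*) printf '%s\n' "$2$target" ;;
        *)  printf '%s\n' "$(dirname "$1")/$target" ;;
    esac
}

# Print enabled / broken / missing for SERVICE in runit's default runsvdir.
runit_state() {
    link="$1/etc/runit/runsvdir/default/$2"
    [ -L "$link" ] || { echo missing; return; }
    dir=$(svc_target "$link" "$1")
    # A link whose target has no executable run script never starts anything.
    if [ -x "$dir/run" ]; then echo enabled; else echo broken; fi
}

# Print yes / no from ufw.conf (assumption: stock file with an ENABLED= line).
ufw_conf_enabled() {
    conf="$1/etc/ufw/ufw.conf"
    if [ -r "$conf" ] && grep -Eiq '^ENABLED=yes[[:space:]]*$' "$conf"; then
        echo yes
    else
        echo no
    fi
}

# Report both conditions; status 0 only when the service is linked AND ufw is enabled.
fw_boot_audit() {
    root=${1%/}
    svc=$(runit_state "$root" ufw)
    conf=$(ufw_conf_enabled "$root")
    echo "ufw runit service: $svc; ufw.conf ENABLED: $conf"
    [ "$svc" = enabled ] && [ "$conf" = yes ]
}
```

Source the file and run `fw_boot_audit /` on the running system; a non-zero status means the firewall will not come up on its own at the next boot.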