# AlmaLinux8

AlmaLinux 8 is a clone of the original RHEL/CentOS 8.

I'm unable to use the current version 9, because it no longer works on AMD Opteron Generation 2 (G2) CPUs (RHEL 9 requires x86-64-v2).
## Testing

```bash
curl -fLO https://ftp.linux.cz/pub/linux/almalinux/8/isos/x86_64/AlmaLinux-8.9-x86_64-minimal.iso
```
Problem:

- my NVidia LAN does not work because the `forcedeth` module is missing (removed from late RHEL 7 by Red Hat, see https://linux.web.cern.ch/rhel/releasenotes/RELEASE-NOTES-7.0-x86_64/) - but it seems that we can use:
- finally downloaded to other computer:
- transferred on USB pendrive to target
- simply run
  ```bash
  rpm -ivh kmod-forcedeth-0.0-10.el8_9.elrepo.x86_64.rpm
  ```
  - after reboot all LANs should be automatically configured
- once the network is working we can enable elrepo:
  ```bash
  dnf install elrepo-release
  ```
To build RPMs we have to install:

```bash
sudo dnf install rpmdevtools rpm-build yum-utils
# typical tools used for building:
sudo dnf install gcc make cmake gcc-c++ bison flex automake autoconf libtool
```

Then run as a non-privileged user:

```bash
rpmdev-setuptree
```

Example downloading a source package and unpacking the tree:
```bash
cd
yumdownloader --source selinux-policy-targeted
rpm -ivh selinux-policy-3.14.3-128.el8_9.1.src.rpm
sudo yum-builddep selinux-policy-targeted
rpmbuild -bp ~/rpmbuild/SPECS/selinux-policy.spec
# see ~/rpmbuild/BUILD
```

Example building the Midnight Commander RPM:
```bash
cd
yumdownloader --source mc
rpm -ivh mc-4.8.19-9.el8.src.rpm
sudo yum-builddep mc
```

Problem: `No matching package to install: 'aspell-devel'`

```bash
dnf search -v --repo '*' aspell-devel
```

Output:

```
aspell-devel.i686 : Libraries and header files for Aspell development
Repo        : powertools
Matched from:
Provide     : aspell-devel = 12:0.60.6.1-22.el8
```

```bash
# tried just --repo powertools but there was another missing dependency:
sudo dnf install --repo '*' aspell-devel
sudo yum-builddep mc
# this command will rebuild both the src.rpm and the arch rpm:
rpmbuild -ba ~/rpmbuild/SPECS/mc.spec
# rpms are stored in ~/rpmbuild/SRPMS/ and ~/rpmbuild/RPMS/x86_64/
```

Or you can enable the powertools repo (and its deps) permanently with:

```bash
sudo dnf config-manager --enable powertools
```

Firewalld (CLI `firewall-cmd`) has its own logic that makes things difficult:
First, log at least unicast rejects (rejected access to a single IP address):

```bash
firewall-cmd --set-log-denied=unicast
```

Task:
- restrict SSH access to a single IP address
- allow other services (for example http) for all IP addresses

There are 2 choices (see https://docs.rockylinux.org/guides/security/firewalld-beginners/):

- using a "rich rule"
- using a new zone

Let's try the new zone:
- we will combine:

```bash
firewall-cmd --new-zone=trusted-ssh --permanent
# replace 192.168.X.Y/32 with the allowed client IP
firewall-cmd --zone=trusted-ssh --add-source=192.168.X.Y/32 --permanent
firewall-cmd --permanent --zone=trusted-ssh --add-service=ssh
firewall-cmd --zone=trusted-ssh --list-all --permanent
```

Output (empty entries removed):

```
trusted-ssh (active)
  target: default
  icmp-block-inversion: no
  sources: 192.168.X.Y/32
  services: ssh
  forward: no
  masquerade: no
```

```bash
# now we have to remove ssh from public
firewall-cmd --permanent --zone=public --remove-service=ssh
firewall-cmd --permanent --list-all
```

Output:

```
public
  target: default
  icmp-block-inversion: no
  services: cockpit dhcpv6-client
```

```bash
# now ensure that you have a backup connection and run:
firewall-cmd --reload
firewall-cmd --get-active-zone
```

Output:

```
public
  interfaces: eth0
trusted-ssh
  sources: 192.168.X.Y/32
```

To see the real rules you can try this command:

```bash
# very long output:
nft list ruleset
```

Example adding a logging rule:
- https://www.suse.com/support/kb/doc/?id=000020833
- WARNING! On Alma 8 normal firewalld rules use nftables, but direct rules use iptables (!) However, it somehow seems to work..

Here is an experimental rule to log all incoming connections from remote hosts to this host:

```bash
# for IPv4
firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -m conntrack \
  --ctstate NEW,UNTRACKED -j LOG --log-prefix "INPUT " --log-level 4
# for IPv6
firewall-cmd --direct --add-rule ipv6 filter INPUT 0 -m conntrack \
  --ctstate NEW,UNTRACKED -j LOG --log-prefix "INPUTv6 " --log-level 4
```

Use `dmesg` to see the logged packets. Note: this also logs UDP traffic (because connection tracking also watches it, for example for NAT support).
Experimental rule to track all outgoing connections (noisy!):

```bash
# for IPv4
firewall-cmd --direct --add-rule ipv4 filter OUTPUT 0 -m conntrack \
  --ctstate NEW,UNTRACKED -j LOG --log-prefix "OUTPUT " --log-level 4
# for IPv6
firewall-cmd --direct --add-rule ipv6 filter OUTPUT 0 -m conntrack \
  --ctstate NEW,UNTRACKED -j LOG --log-prefix "OUTPUTv6 " --log-level 4
```

Troubleshooting:
- follow: https://github.com/firewalld/firewalld/issues/440
- and set in `/etc/firewalld/firewalld.conf`:
  ```
  IndividualCalls=yes
  ```
- and restart firewalld:
  ```bash
  systemctl restart firewalld
  ```
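The zone-based SSH restriction from the "new zone" steps above, wrapped in a lock-out guard as an added example (my code, not part of the original notes): it assumes the zone name `trusted-ssh` from the notes, takes the allowed source from `ALLOWED_SRC` (placeholder `192.168.X.Y/32`), refuses to `--reload` unless the current `SSH_CONNECTION` client is that host, and then checks the resulting zones instead of trusting that the commands took effect.

```bash
#!/bin/sh
set -e  # abort on the first failing firewall-cmd instead of continuing half-applied
# Added example, not from the original notes. ALLOWED_SRC is a placeholder
# (the page's 192.168.X.Y/32); zone name and commands follow the notes above.
ALLOWED_SRC="${ALLOWED_SRC:-192.168.X.Y/32}"

# Constructed sample of `firewall-cmd --zone=trusted-ssh --list-all` output,
# used only to exercise zone_has_service offline.
SAMPLE_LISTING='trusted-ssh (active)
  sources: 192.168.1.10/32
  services: ssh'

# Client address of the current SSH session from SSH_CONNECTION
# ("client_ip client_port server_ip server_port"); empty when not over SSH.
ssh_client_ip() {
    set -- $1
    printf '%s' "${1:-}"
}

# 0 when the session client equals the allowed /32 host, 1 otherwise
# (a --reload in that case would cut off the session making the change).
session_is_allowed() {
    allowed_host="${1%/32}"
    client="$(ssh_client_ip "$2")"
    [ -n "$client" ] && [ "$client" = "$allowed_host" ]
}

# 0 if the "services:" line of a --list-all listing names the service.
zone_has_service() {
    printf '%s\n' "$1" | awk -v svc="$2" '
        $1 == "services:" { for (i = 2; i <= NF; i++) if ($i == svc) found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# Apply the trusted-ssh zone, refuse --reload when it would lock us out,
# then verify the live configuration.
apply_trusted_ssh_zone() {
    firewall-cmd --permanent --new-zone=trusted-ssh
    firewall-cmd --permanent --zone=trusted-ssh --add-source="$ALLOWED_SRC"
    firewall-cmd --permanent --zone=trusted-ssh --add-service=ssh
    firewall-cmd --permanent --zone=public --remove-service=ssh
    if ! session_is_allowed "$ALLOWED_SRC" "${SSH_CONNECTION:-}"; then
        echo "refusing --reload: this session is not from $ALLOWED_SRC" >&2
        return 1
    fi
    firewall-cmd --reload
    zone_has_service "$(firewall-cmd --zone=trusted-ssh --list-all)" ssh || return 1
    ! zone_has_service "$(firewall-cmd --zone=public --list-all)" ssh
}
if [ "${1:-}" = "apply" ]; then apply_trusted_ssh_zone; fi
```

Run it as root with `ALLOWED_SRC=192.168.1.10/32 sh trusted-ssh.sh apply`; a non-zero exit status means the reload was refused or the post-check found ssh missing from `trusted-ssh` or still present in `public`.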
Copyright © Henryk Paluch. All rights reserved.
