Mike
2017-Jan-16 21:58 UTC
[CentOS] NetworkManager vs. Firewalld vs. /etc/sysconfig/network-scripts/ifcfg-*****
I've made 3 CentOS 7 installation attempts to configure a simple firewall/router box with 2 nics. I got myself into a circular scenario where NetworkManager and firewalld and /etc/sysconfig/network-scripts/ifcfg-***** were interfering or overwriting each other. I needed to perform ifdown enp3s7 on the internal LAN nic in order to make the external internet enp2s0 reach websites and ping nameservers. After completing firewall-cmd --complete-reload the internal LAN nic would still provide private ip addresses via the dhcpd server, but LAN clients could not access the internet.

So far these steps work to enable both nics to provide router and firewall services:

1. systemctl stop NetworkManager

2. systemctl disable NetworkManager

3. Create a dhcp ifcfg-***** for the external interface. It must include a "ZONE=external" statement even though the firewalld service will overwrite and erase it like this: "ZONE=". Example (external/internet nic):

Code:
    TYPE=Ethernet
    BOOTPROTO=dhcp
    NM_CONTROLLED=no
    DEFROUTE=yes
    IPV4_FAILURE_FATAL=no
    IPV6INIT=yes
    IPV6_AUTOCONF=yes
    IPV6_DEFROUTE=yes
    IPV6_FAILURE_FATAL=no
    NAME=enp2s0
    UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx
    DEVICE=enp2s0
    ONBOOT=yes
    PEERDNS=yes
    PEERROUTES=yes
    IPV6_PEERDNS=yes
    IPV6_PEERROUTES=yes
    ZONE=external

4. Create a static ip address ifcfg-enp3s7 for the internal interface. Example (internal/LAN nic):

Code:
    TYPE=Ethernet
    BOOTPROTO=static
    NM_CONTROLLED=no
    DEFROUTE=yes
    IPV4_FAILURE_FATAL=no
    IPV6INIT=yes
    IPV6_AUTOCONF=yes
    IPV6_DEFROUTE=yes
    IPV6_FAILURE_FATAL=no
    NAME=enp3s7
    UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx
    DEVICE=enp3s7
    ONBOOT=yes
    HWADDR=xx:xx:xx:xx:xx:xx
    DNS1=75.75.75.75
    DNS2=75.75.76.76
    IPADDR=10.10.1.1
    NETMASK=255.255.255.0
    PREFIX=24
    GATEWAY=10.10.1.1
    IPV6_PEERDNS=yes
    IPV6_PEERROUTES=yes
    IPV6_PRIVACY=no
    ZONE=internal

5. As said in #3, firewalld will erase the ZONE setting on the external nic configured for dhcp. The only way I've found to deal with this overwriting is to make the intended external ethernet device associated with the default zone in firewalld. When firewalld reads the empty zone reference "ZONE=____" it will revert and assign the default zone I set like this:

Code:
    firewall-cmd --change-interface=enp2s0 --zone=external --permanent
    firewall-cmd --set-default-zone=external
    firewall-cmd --complete-reload

6. The external ethernet device won't work (cannot ping any internet host) until you manually Deactivate it and then Reactivate it.

    ~# ifdown enp2s0
    ~# ifup enp2s0

I didn't include my dhcpd server settings or firewalld settings for brevity. Please let me know if those would be helpful.

Although the steps above work, it's definitely not ideal. If I need to reboot the routerbox remotely, I won't be able to access it again to perform the necessary ifdown/ifup routine to enable input/output/forward through the external interface. Any guidance on how to make this work is greatly appreciated.

Kind regards.
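As an added example that is not part of Mike's post: a small POSIX shell audit that checks each ifcfg-* file's ZONE= against the zone firewalld actually bound the interface to, catching the blanked "ZONE=" case from steps 3 and 5 and warning when the default zone (where any unlabelled interface lands) is a trusting one. The function names and the choice of trusted/home/internal/work as the "permissive" zones are my assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: audit that the ZONE= in each
# ifcfg-* file agrees with the zone firewalld actually bound the interface
# to, and flag a permissive default zone. Paths and function names are mine.

# Print the ZONE= value of an ifcfg file; empty when the line is absent or
# has been blanked to "ZONE=" (the behaviour described in the post).
ifcfg_zone() {
    sed -n 's/^ZONE=//p' "$1" | tr -d '"' | tail -n 1
}

# Compare the configured zone ($1) with the runtime zone ($2, what
# "firewall-cmd --get-zone-of-interface" reports). Prints OK, MISSING or
# MISMATCH and returns non-zero on anything but OK.
check_zone() {
    if [ -z "$1" ]; then echo MISSING; return 1; fi
    if [ "$1" != "$2" ]; then echo MISMATCH; return 1; fi
    echo OK
}

# An unlabelled interface lands in the default zone, so a trusting default
# (trusted, home, internal, work) exposes it; external/public/drop fail closed.
default_zone_safe() {
    case "$1" in trusted|home|internal|work) return 1 ;; *) return 0 ;; esac
}

# Audit a live router (root + firewalld required). Returns non-zero if any
# interface is unlabelled or mislabelled, so it can run from cron after boot.
audit_live() {
    rc=0
    dz=$(firewall-cmd --get-default-zone)
    default_zone_safe "$dz" || { echo "WARNING: default zone '$dz' is permissive"; rc=1; }
    for f in /etc/sysconfig/network-scripts/ifcfg-*; do
        dev=$(sed -n 's/^DEVICE=//p' "$f" | tr -d '"')
        [ -n "$dev" ] && [ "$dev" != lo ] || continue
        live=$(firewall-cmd --get-zone-of-interface="$dev" 2>/dev/null)
        cfg=$(ifcfg_zone "$f")
        result=$(check_zone "$cfg" "$live") || rc=1
        printf '%s: ifcfg=%s live=%s %s\n' "$dev" "${cfg:-<none>}" "$live" "$result"
    done
    return $rc
}

# Offline demonstration with a constructed ifcfg fragment that mimics the
# blanked "ZONE=" the post describes; the live audit only runs as root.
demo=$(mktemp)
printf 'DEVICE=enp2s0\nBOOTPROTO=dhcp\nZONE=\n' > "$demo"
check_zone "$(ifcfg_zone "$demo")" external || echo "enp2s0 relies on the default zone"
rm -f "$demo"
if [ "$(id -u)" -eq 0 ] && command -v firewall-cmd >/dev/null; then audit_live; fi
```

Run as root after a reboot (or from cron) to confirm enp2s0 really ended up in external and enp3s7 in internal before trusting the box remotely.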
I have a file on a CentOS 6.8 server that I want to download to another CentOS 6.8 box in a remote location. rsync used to work fine from within a shell script run by cron, using ssh and having set up passwordless login on each machine. The script runs fine from the command line, but not when run by cron. The crontab is owned and operated by root. Has something changed in cron? Has there been an update? I have looked in all the usual places. Any help/suggestions?

Regards,
Robert

--
*Communication Consultants*
64 Warner Park Avenue
Laingholm
Auckland 0604
09 8176358
0221693124
06 650 6087
> has something changed in cron?
> has there been an update?
> Have looked in all the usual places.
>
> any help/suggestions?

The environment, maybe. Enable debug output on the job and redirect it, or make sure the output is logged or picked up and mailed to you. More than likely the ssh config that used to work no longer does. For example, you had a custom section for a host in ~/.ssh/config that is no longer valid, or that file is not even being read, etc.

jlc