Tag: Linux

  • thecweb to DB DP

    I finally decided on CentOS and Cockpit for the VM Host. Which is quite surprising. I have naturally used RedHat Enterprise and clones at work for quite some time, but I haven’t given them another look since they first started with Cockpit, and man is it slick now. Some clarification I needed to arrive at this decision is what CentOS actually IS. It is basically a stable release of RHEL. The next upcoming release, so they give that out for free for people to test before they release it to paying customers. I did not know that it is made by RH engineers, and I never really saw myself ever using a RH derived distro since I abandoned them in the late 90s.

    Anyhoo, back to what this post is actually about, the DB migration. I was trying to come up with a clever name that rhymed with DB and DP came to mind, so we get this completely tasteless image and server name DBDP. If you are not familiar with the reference – then good – you’ve lived a good life.

    I configured the new VM Guest with 8 cores and 32 GB of RAM. This is probably overkill, but it will allow me to do stupid things and “probably” not take out my website db in the process.

    Ubuntu Server 24 LTS is the OS, and I’m switching from mysql to mariadb. Honestly, I don’t know why I even chose mysql. I wouldn’t have if I remembered that it was now owned by Oracle, part of the Sun acquisition. It is my opinion that Oracle was and continues to be everything that MS was made out to be during the anti-trust cases of the 90s. Actually, I just googled and it wasn’t settled until 2001, but it started in 1990.

    I just used the regular server netinstall iso I used for the old db server, only the 24 version, and so far I’ve just installed the mariadb-server package. Side note: check /var/log/apt/history.log next time you can’t remember what you’ve installed with apt. I set up a winscp connection for root and copied over the keys for password-less login. Added a rule for mysql in the fancy-shmancy pit of cocks.

    Fire up DBeaver and connect to mariadb as root over SSH, so I can create a dev account on the DB.

    Which of course did not allow me to connect. Mariadb by default doesn’t even allow local connections over tcp/ip, I find after much confusion. So I add this to /etc/mysql/my.cnf.

    [mysqld]
    # keep TCP listening enabled (skip-networking=1 would allow socket connections only)
    skip-networking=0
    # clear the stock bind-address=127.0.0.1 so the server accepts TCP connections on every interface
    skip-bind-address

    Same as mysql, accounts are tied to hosts, and root is tied to local host, so I still won’t be able to connect with root even over ssh, apparently. So I’ll create a development user that is close to root, and I managed to do it without much googling thanks to an earlier post.

    -- host '%' means this account may log in from any address, not just localhost
    CREATE USER 'cwebdev'@'%' IDENTIFIED BY '*****';
    
    -- *.* covers every database; WITH GRANT OPTION lets the account hand its privileges to others
    GRANT CREATE, ALTER, DROP, INSERT, UPDATE, DELETE, SELECT, REFERENCES, RELOAD ON *.* TO 'cwebdev'@'%' WITH GRANT OPTION;

    Yay! DBeaver is connecting.

    And now it’s a few minutes until one am, and I’m hungry. Off to WhataBurger and then I’ll dick-around with loading info from that kasa power strip.

  • VM Host search continues

    The cats weren’t around when I fed them yesterday. I noticed that the back porch light was on so I glanced out to take a look, around two in the morning I think.

    Anyhoo, I bought the vm host hardware and it is set up. Arch was way too much manual work, though it is ideal if I really want to do things MY way… But, MY way would be a gruesome sojourn into masochism, for nothing but LFS would really be my way, and if I don’t have time or patience for Arch, MY way isn’t feasible.

    So far, I’ve built the Arch system, a Debian system with KVM/QEMU/Libvirt, Proxmox (disappointment for the hype), and I just started an Ubuntu server LTS build. Fucking Broadcom, killed another with their VMware purchase. It would be so much easier to use ESXi.

  • Arch notes – post install config

    This system is too butt-ass-naked to be useful, even just as a hypervisor, so more fuck’n around.

    more packages to install:
    sudo

    create user

    useradd -m frank
    passwd frank
    

    here I realize I don’t have a network connection

    en01 is now detected as eth0, for one, so edited /etc/systemd/network/20-wired.network to fix that.

    # enable NetworkManager
    systemctl enable NetworkManager
    systemctl start NetworkManager
    
    nmcli

    Sweet. where was I?

    I’ve got network, so I need ssh, because Hyper-V sucks for running linux. no copo pasto.

    pacman -S openssh
    systemctl enable sshd
    
    pacman -S sudo

    uncomment to allow users in wheel to sudo in /etc/sudoers

    # -a appends wheel to frank's groups; without it, -G replaces every supplementary group
    usermod -aG wheel frank

    finally, I can ssh in and copy and paste.

    list of more packages to install:

    posix wget zip unzip gzip libvirt qemu-base

  • Arch notes – basic setup

    https://wiki.archlinux.org/title/Installation_guide

    Testing out minimal distros to run my hypervisor. Debian is fine and light enough, but the server doesn’t come for at least another day, so I’ve got time. I’ve been hearing about Arch for ever and I haven’t really looked into it, but it sounds exactly like what I’m looking for.

    Arch boots into live cli environment, and then you have to manually partition the disk to start.

    So, how do I want to do this?

    Update: the first partition must be the EFI partition, and it cannot be in LVM, so do that first.

    fdisk /dev/sda
    # g to create GPT table, n to make new, t to change type, and w to write
    g
    n
    +1G
    t
    uefi
    # make LVM partition
    n
    
    w

    We should end up with something like this

    Reddit has some ideas as usual. https://www.reddit.com/r/sysadmin/comments/1e4xnmq/linux_partition_scheme_recommendation_for_2024/

    Looks like this list from open-scap is a good start. The rest is just standard linux crap.

    • /boot – 2 GB
    • swap – 4 GB
    • / – 8 GB
    • /home – 2 GB
    • /var – 4 GB
    • /var/log – 4 GB
    • /var/audit – 4 GB
    • /var/tmp – 2 GB
    • /tmp – 8 GB

    reminder: pv = physical volume, vg = volume group, lv = logical volume

    # list all physical volumes
    lvmdiskscan
    
    # create pv
    pvcreate /dev/sda2
    
    # display pv
    pvdisplay
    
    # summary 
    pvscan

    vg

    # create volume group on the pv made above
    vgcreate rootVG /dev/sda2
    
    # add another pv to vg
    vgextend rootVG /dev/sdc

    lv

    # create lv
    lvcreate -L 2G rootVG -n bootLV
    lvcreate -L 4G rootVG -n swapLV
    lvcreate -L 8G rootVG -n rootLV
    lvcreate -L 2G rootVG -n homeLV
    lvcreate -L 4G rootVG -n varLV
    lvcreate -L 4G rootVG -n varlogLV
    lvcreate -L 4G rootVG -n varauditLV
    lvcreate -L 2G rootVG -n vartmpLV
    lvcreate -L 8G rootVG -n tmpLV
    
    # create lv on specific pv
    lvcreate -L 10G VolGroup00 -n lvolhome /dev/sda

    mkfs

    # boot partition is FAT32 - efi mandates as a standard
    mkfs.fat -F 32 /dev/sda1
    mkfs.fat -F 32 /dev/rootVG/bootLV
    
    # swap
    mkswap /dev/rootVG/swapLV
    
    # the rest are ext4
    mkfs.ext4 /dev/rootVG/rootLV
    mkfs.ext4 /dev/rootVG/homeLV
    mkfs.ext4 /dev/rootVG/varLV
    mkfs.ext4 /dev/rootVG/varlogLV
    mkfs.ext4 /dev/rootVG/varauditLV
    mkfs.ext4 /dev/rootVG/vartmpLV
    mkfs.ext4 /dev/rootVG/tmpLV

    mount shit under /mnt. This better get less do-it-yourself real soon or I’m going back to debian. But, if I can slap these in a script I’ll be fine.

    # mount root filesystem
    mount /dev/rootVG/rootLV /mnt
    
    # make all those mf mount points you just had to have
    # (mount a parent like /var before its children /var/log, /var/tmp, /var/audit)
    mount --mkdir /dev/rootVG/bootLV /mnt/boot
    mount --mkdir /dev/rootVG/varLV /mnt/var
    # ... and so on for homeLV, varlogLV, varauditLV, vartmpLV and tmpLV
    
    # enable swap
    swapon /dev/rootVG/swapLV

    Package list:

    base linux linux-firmware vim efibootmgr grub intel-ucode
    networkmanager dosfstools exfatprogs e2fsprogs ntfs-3g lvm2
    sshd sudo

    pacstrap -K /mnt base linux linux-firmware

    fstab

    # Generate an fstab file (use -U or -L for UUID or labels)
    genfstab -L /mnt >> /mnt/etc/fstab

    chroot to new install

    # fancy smancy arch version of chroot
    arch-chroot /mnt

    set a bunch of shit you normally never have to…

    # time zone
    ln -sf /usr/share/zoneinfo/America/Chicago /etc/localtime
    
    # hw clock
    hwclock --systohc
    
    # Edit /etc/locale.gen and uncomment en_US.UTF-8 UTF-8
    # fuck, install vim with 'pacman -S vim' if you forget it
    locale-gen
    
    # Create the locale.conf(5) file, and set the LANG variable accordingly
    echo LANG=en_US.UTF-8 >> /etc/locale.conf
    
    echo archkvm >> /etc/hostname

    net config

    # install Network Manager - nmcli
    pacman -S networkmanager
    
    # add this stuff to /etc/systemd/network/20-wired.network
    [Match]
    Name=en01
    
    [Link]
    RequiredForOnline=routable
    
    [Network]
    DHCP=yes

    initramfs

    # because we are using LVM we need to create a new initramfs.  Also needed for encryption and RAID.
    # edit /etc/mkinitcpio.conf
    # remove udev and replace with systemd
    # insert lvm2 between block and filesystems
    HOOKS=(base systemd ... block lvm2 filesystems)
    
    # rebuild image
    mkinitcpio -P
    
    # install lvm2 and rebuild again because it gave you an error about exactly that
    pacman -S lvm2
    mkinitcpio -P

    root password

    passwd

    install bootloader – I’m doing grub for now, but I may put the /boot partition outside of LVM later and load directly from UEFI.

    # install grub and efibootmgr (if you haven't already)
    pacman -S grub efibootmgr
    
    # mount efi partition
    mount --mkdir /dev/sda1 /boot/efi
    
    # install grub
    grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=GRUB
    
    # make grub config
    grub-mkconfig -o /boot/grub/grub.cfg

    NOTE: it is here where you realize the efi partition can NOT be on an LVM partition, even though GRUB is fine with /boot being there. Starting over and updating notes. fml

    cross fingers and reboot

    # exit chroot
    exit
    
    umount -R /mnt
    
    reboot

    Aaaaannnd voila!!!

    The most basic-bitch linux distro I’ve ever seen. Well, except for LFS, and I guess Gentoo was possibly worse because you had to wait five hours of compiling to realize you fucked up. But this is what I wanted. A Hypervisor should be very minimal.
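    The LVM, mkfs and mount steps above as the script the post hopes for, added here as an example rather than the author's own code. It assumes the post's layout (rootVG on /dev/sda2, the EFI partition on /dev/sda1, target /mnt) and only prints the commands unless DRY_RUN=0 is set from the live ISO.

```shell
#!/usr/bin/env bash
# Added example (not from the post): the LVM / mkfs / mount steps as one script.
# DRY_RUN=1 (the default) prints the commands so the sequence can be reviewed;
# DRY_RUN=0 runs them, which you only want from the Arch live environment.
set -eu

VG=rootVG          # volume group name used in the post
PV=/dev/sda2       # the LVM partition created with fdisk
ESP=/dev/sda1      # the EFI system partition; must stay outside LVM
TARGET=/mnt

# mountpoint:lv-name:size:fstype, constructed from the post's layout list.
LAYOUT='
/boot:bootLV:2G:vfat
swap:swapLV:4G:swap
/:rootLV:8G:ext4
/home:homeLV:2G:ext4
/var:varLV:4G:ext4
/var/log:varlogLV:4G:ext4
/var/audit:varauditLV:4G:ext4
/var/tmp:vartmpLV:2G:ext4
/tmp:tmpLV:8G:ext4
'

layout_rows() { printf '%s\n' "$LAYOUT" | grep -v '^$'; }

# Print the command in dry-run mode, execute it otherwise.
run() {
  if [ "${DRY_RUN:-1}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

lv_commands() {
  run pvcreate "$PV"
  run vgcreate "$VG" "$PV"
  layout_rows | while IFS=: read -r mp lv size fs; do
    run lvcreate -L "$size" "$VG" -n "$lv"
  done
}

mkfs_commands() {
  run mkfs.fat -F 32 "$ESP"
  layout_rows | while IFS=: read -r mp lv size fs; do
    case "$fs" in
      vfat) run mkfs.fat -F 32 "/dev/$VG/$lv" ;;
      swap) run mkswap "/dev/$VG/$lv" ;;
      ext4) run mkfs.ext4 "/dev/$VG/$lv" ;;
    esac
  done
}

# Mount order matters: / first, then a parent such as /var before its children
# (/var/log, /var/tmp, /var/audit). Sort by path depth, then by path length;
# swap is left out because it is not mounted.
mount_order() {
  layout_rows | grep -v '^swap:' \
    | awk -F: '{ p = $1; depth = gsub("/", "/", p); print depth, length($1), $0 }' \
    | sort -k1,1n -k2,2n | cut -d' ' -f3-
}

mount_commands() {
  mount_order | while IFS=: read -r mp lv size fs; do
    if [ "$mp" = / ]; then
      run mount "/dev/$VG/$lv" "$TARGET"
    else
      run mount --mkdir "/dev/$VG/$lv" "$TARGET$mp"
    fi
  done
  run mount --mkdir "$ESP" "$TARGET/boot/efi"
  run swapon "/dev/$VG/swapLV"
}

plan() { lv_commands; mkfs_commands; mount_commands; }

plan
```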

  • Raspberry Pi 5

    I finally got a Pi after hearing my cousin talk about it a few times over the past few days. I so far am amazed at the performance to price ratio. Below are benchmark results for it and the thecweb.com server (which is quite old really). For ~$125 it is a steal.

    Benchmark                  thecweb.com   pi5
    CPU (events per second)    1062.19       2730.24
    Memory (MiB/sec)           6025.36       3649.76
    File IO read (MiB/sec)     19.10         9.46
    File IO write (MiB/sec)    12.73         6.31

    So, the pi5 appears to be much faster than the Intel Core i5-4570T running thecweb.com. But, not surprisingly the pi5 can’t compete with the memory and file io.

    Since it has 8 GB of RAM and CPU to spare, I installed all the recommended software when I copied the OS to the SD card. It comes with some lightweight window manager I don’t recognize and a few useful tools for updating the Pi and what not. Debian based, so nothing new for me there. I moved the webcam over to it from thecweb.com and installed Motion. It seems to work fine.

    So far I really haven’t had much fun setting it up. Too easy. But, I’m sure I’ll be tearing my hair out once I get to the electrical side of things. It has been over 20 years since my time at DeVry. And I was a real shitty student.

  • ITSM – GLPI – Installation

    I have a couple of fairly complicated and hopefully long-term projects I’d like to do, and things are much easier to work on if I have a good way to store information about various components and incidents, so I’m going to see how hard it is to roll my own install of GLPI (Gestionnaire Libre de Parc Informatique, or “Free IT Equipment Manager”).

    screenshot stolen from official docs

    Installation

    Downloaded this. Moved extracted folder to /var/www.

    Create directories for configs, data, and logs.

    • GLPI_CONFIG_DIR: set path to the configuration directory;
      • /etc/glpi
      • GLPI requires read rights on this directory to work, and write rights during the installation process.
      • copy the contents of the config directory to this place.
    • GLPI_VAR_DIR: set path to the files directory;
      • /var/lib/glpi
      • GLPI requires read and write rights on this directory.
      • copy the contents of the files directory to this place.
    • GLPI_LOG_DIR: set path to the log files.
      • /var/log/glpi
      • GLPI requires read and write access on this directory.

    Create an inc/downstream.php file in the GLPI directory with the following contents:

    <?php
    define('GLPI_CONFIG_DIR', '/etc/glpi/');
    
    if (file_exists(GLPI_CONFIG_DIR . '/local_define.php')) {
       require_once GLPI_CONFIG_DIR . '/local_define.php';
    }

    Create a file in /etc/glpi/local_define.php with the following contents:

    <?php
    define('GLPI_VAR_DIR', '/var/lib/glpi');
    define('GLPI_LOG_DIR', '/var/log/glpi');

    Add an Apache virtual host. I’ll lock it down to my local network, so this won’t be accessible from the internet for now. Added to /etc/apache2/sites-enabled/glpi.conf.

    <VirtualHost *:80>
            ServerName glpi
    
            ServerAdmin webmaster@localhost
            DocumentRoot /var/www/glpi/public
    
            ErrorLog ${APACHE_LOG_DIR}/glpi-error.log
            CustomLog ${APACHE_LOG_DIR}/glpi-access.log combined
    
        # If you want to place GLPI in a subfolder of your site (e.g. your virtual host is serving multiple applications),
        # you can use an Alias directive. If you do this, the DocumentRoot directive MUST NOT target the GLPI directory itself.
        # Alias "/glpi" "/var/www/glpi/public"
    
        <Directory /var/www/glpi/public>
            Require all granted
    
            RewriteEngine On
    
            # Ensure authorization headers are passed to PHP.
            # Some Apache configurations may filter them and break usage of API, CalDAV, ...
            RewriteCond %{HTTP:Authorization} ^(.+)$
            RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
    
            # Redirect all requests to GLPI router, unless file exists.
            RewriteCond %{REQUEST_FILENAME} !-f
            RewriteRule ^(.*)$ index.php [QSA,L]
        </Directory>
    
    
    </VirtualHost>

    I of course had to add an entry for glpi in the hosts file on my laptop for this to work.

    Looks like it’s installed!

  • OpenWRT

    I got bored last night and started researching OpenWRT. There is no particular feature that it supports that my current router firmware doesn’t, but I haven’t looked into the project in at least 10 years.

    I currently run an ASUS AX-3000, which I bought because I thought my old Netgear X8 R8300 was malfunctioning, but when I had the same issue with the ASUS, I found it was a config problem. Since the Netgear is just sitting in the basement, I thought I’d install OpenWRT on that first and then see if it’s worth it to install on the ASUS. The Netgear is a little more high end of a router, but it doesn’t have WiFi 6. The ASUS does, but has one less radio, so I’ll need to see how they perform.

    Unfortunately, neither router has images prebuilt for it, so I had to build my own image. Luckily there was already a profile for an R8500, which hardware wise is almost identical to the model I have.

    The build environment setup and instructions can be found here. It was a simple matter of firing up a Ubuntu VM and following along. I can’t flash it while I’m at work, so that will have to wait.

    The most annoying thing with getting this set up is how confusing the OpenWRT documentation is. I can see why they would organize it this way. It seems to me that unless you have a router that one of the maintainers owns, you are left with a manual build. Even though it’s just linux, so you really just need the hardware support to get up and running. I would think a more broad generic image to test things would make more sense. Oh well.

    cweb@testvmhost:~/openwrt-imagebuilder-bcm53xx-generic.Linux-x86_64$ make image \
    PROFILE="netgear_r8500"
    Generate local signing keys...
    WARNING: can't open config file: /builder/shared-workdir/build/staging_dir/host/etc/ssl/openssl.cnf
    WARNING: can't open config file: /builder/shared-workdir/build/staging_dir/host/etc/ssl/openssl.cnf
    read EC key
    writing EC key
    Checking 'true'... ok.
    Checking 'false'... ok.
    Checking 'working-make'... ok.
    Checking 'case-sensitive-fs'... ok.

  • Guacamole – Road to MFA – TOTP

    Well, that was easy. I literally just copied over the jar file and restarted guacd, apache2, and tomcat9. After that I just logged out and back in to enroll in TOTP.

    I did find unfortunately that the KeePass app I’m using on Android doesn’t seem to sync things both ways. Entries I create on my phone do not seem to be able to sync to google drive, but that just took me a second to work around. It’s not really a big deal but it meant I had to manually enter in the secret key and such. Guac TOTP supports QR codes, and I was able to add it with my phone, but wasn’t able to get it to sync back to my computer (after five minutes of trying). That may be a project for another day.

  • Guacamole – Road to MFA – DB auth

    I’ve decided with all the convenience features I’ve got set up on the computers I remote into, that I should probably attempt to set up TOTP on the site to improve the security of the system. The password and username I use haven’t been involved in any leaks that I know of, and both are unique to the site, plus you’d need the passwords to the actual computers too, but I figure it’s better safe than sorry.

    The first step is to configure a database authentication extension. One nice thing about this change is that it will allow me to modify connections and user settings in the web interface, instead of connecting to SSH and modifying an XML file, and then restarting guacd.

    Step one is to install the JDBC connector for mysql, which went without a hitch with

    sudo apt install /media/store/mysql-connector-j_9.1.0-1ubuntu24.04_all.deb

    Now to create the database. They provide scripts to create the schema, which saves a whole lot of copy/pasting. So, sign into mysql as root, create the DB, and import the schema.

    cweb@thecweb:/media/store/mysql$ sudo mysql -u root
    Welcome to the MySQL monitor.  Commands end with ; or \g.
    Your MySQL connection id is 3362
    Server version: 8.0.39-0ubuntu0.24.04.2 (Ubuntu)
    
    Copyright (c) 2000, 2024, Oracle and/or its affiliates.
    
    Oracle is a registered trademark of Oracle Corporation and/or its
    affiliates. Other names may be trademarks of their respective
    owners.
    
    Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
    
    mysql> CREATE DATABASE guacamole_db;
    Query OK, 1 row affected (0.01 sec)
    
    mysql> show databases;
    +--------------------+
    | Database           |
    +--------------------+
    | cwOLzion           |
    | guacamole_db       |
    | information_schema |
    | mysql              |
    | performance_schema |
    | sys                |
    | wordpress          |
    +--------------------+
    7 rows in set (0.00 sec)
    
    mysql> quit
    Bye
    cweb@thecweb:/media/store/mysql$ cat schema/*.sql | sudo mysql -u root guacamole_db
    cweb@thecweb:/media/store/mysql$

    Create the DB user.

    cweb@thecweb:/media/store/mysql$ sudo mysql -u root
    Welcome to the MySQL monitor.  Commands end with ; or \g.
    Your MySQL connection id is 3371
    Server version: 8.0.39-0ubuntu0.24.04.2 (Ubuntu)
    
    Copyright (c) 2000, 2024, Oracle and/or its affiliates.
    
    Oracle is a registered trademark of Oracle Corporation and/or its
    affiliates. Other names may be trademarks of their respective
    owners.
    
    Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
    
    mysql> CREATE USER 'guacamole_user'@'localhost' IDENTIFIED BY '****';
    Query OK, 0 rows affected (0.02 sec)
    
    mysql> GRANT SELECT,INSERT,UPDATE,DELETE ON guacamole_db.* TO 'guacamole_user'@'localhost';
    Query OK, 0 rows affected (0.01 sec)
    
    mysql> FLUSH PRIVILEGES;
    Query OK, 0 rows affected (0.00 sec)

    Seems like that went well, so copying over the JDBC driver and guac extension.

    cweb@thecweb:/media/store/mysql$ sudo cp guacamole-auth-jdbc-mysql-1.5.5.jar /etc/guacamole/extensions/
    cweb@thecweb:/usr/share/java$ sudo mkdir /etc/guacamole/extensions/lib
    cweb@thecweb:/usr/share/java$ sudo cp mysql-connector-j-9.1.0.jar /etc/guacamole/extensions/lib/

    No surprises there, but I’m going to heed this warning message about restarting guac, because I’m at work and I don’t want to kill my session if I have something configured or installed incorrectly.

    It’s config time

    not sure this really applies since I’ve been using vi since the late 1900s

    The basic config is just telling guacd how to connect to the DB, so we just need to specify the DB server, DB, user, and password. So creating the /etc/guacamole/guacamole.properties and adding that info.

    # MySQL properties
    mysql-hostname: localhost
    mysql-database: guacamole_db
    mysql-username: guacamole_user
    mysql-password: ******

    And that is it for now. I need to restart the servlet, which will disconnect me, and if I configured things incorrectly, also prevent me from signing back in. I’m going to research cooking a turkey for now, and maybe later I will see if this is working. I can always poke holes in the firewall for SSH, and forward port 22, but I’d rather not just because of the immediate hacking attacks that will likely ensue.

    Part 2

    Ok, I got bored with reddit so I poked some holes for SSH and restarted everything, and it came back up fine. Looking at /var/log/auth.log, I was a little surprised to find my paranoia was unfounded and I didn’t see a single authentication attempt during the five minutes my stupid little SSH server was accessible from the internet. Though, I guess it’s pretty unlikely that I would happen to be scanned during that short amount of time.

    Now for the bad news… I can’t sign in with the guacadmin account it supposedly created in the DB. To the log files!

    I checked the mysql log first, and found no connection attempts. I then checked the tomcat logs and found that the JDBC driver is not loading for some reason.

    [2024-11-08 06:41:39] [info] 06:41:39.629 [main] ERROR o.a.g.extension.ProviderFactory - authentication provider extension failed to start: No JDBC driver for MySQL/MariaDB is installed.

    So I first go to check permissions on the file and realize that I copied the jar file to /etc/guacamole/extensions/lib instead of /etc/guacamole/lib, so fixing that and restarting everything again.

    And it works! I had to recreate my user account and all the connections, but it was a lot easier with the admin GUI.

    Fancy that!

    Taking another break to read about TOTP setup and reddit.
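    Both this post and the DBDP post above create database accounts with GRANT statements; a quick way to see which accounts are wider than they need to be is to run the SHOW GRANTS output for each account through an audit. This is an added example, not code from the posts; the sample input is constructed from the two grants shown on this page (in MySQL 8's backtick style) and the findings it prints (any-host, global-scope, grant-option, admin-priv) are labels chosen here.

```shell
#!/usr/bin/env bash
# Added example: flag over-broad database accounts from SHOW GRANTS output.
# Usage for a live server:  mysql -N -e "SHOW GRANTS FOR 'user'@'host'" | audit_grants
set -eu

# Constructed sample: the two grants from the posts, as MySQL 8 prints them,
# plus the USAGE row SHOW GRANTS always emits for an account.
SAMPLE_GRANTS='GRANT CREATE, ALTER, DROP, INSERT, UPDATE, DELETE, SELECT, REFERENCES, RELOAD ON *.* TO `cwebdev`@`%` WITH GRANT OPTION
GRANT USAGE ON *.* TO `guacamole_user`@`localhost`
GRANT SELECT, INSERT, UPDATE, DELETE ON `guacamole_db`.* TO `guacamole_user`@`localhost`'

# Reads GRANT statements on stdin; prints one line per account with its findings
# (or "ok" when nothing stands out). Handles MySQL backticks and MariaDB quotes.
audit_grants() {
  awk -v q="'" '
    /^GRANT / {
      privs = $0; sub(/ ON .*/, "", privs); privs = substr(privs, 7)
      obj = $0;   sub(/.* ON /, "", obj);   sub(/ TO .*/, "", obj)
      acct = $0;  sub(/.* TO /, "", acct);  sub(/ WITH .*/, "", acct)
      gsub("[`" q "]", "", acct)
      split(acct, a, "@"); host = a[2]
      # host % lets the account log in from any address
      if (host == "%")                       f[acct] = f[acct] " any-host"
      # real privileges on *.* apply to every database on the server
      if (obj == "*.*" && privs != "USAGE")  f[acct] = f[acct] " global-scope"
      # WITH GRANT OPTION lets the account give its privileges to others
      if ($0 ~ / WITH GRANT OPTION/)         f[acct] = f[acct] " grant-option"
      # server-administration privileges an application account rarely needs
      if (privs ~ /RELOAD|SUPER|FILE|PROCESS|SHUTDOWN|ALL PRIVILEGES/)
                                             f[acct] = f[acct] " admin-priv"
      seen[acct] = 1
    }
    END { for (acct in seen) print acct ":" (acct in f ? f[acct] : " ok") }' | sort
}

printf '%s\n' "$SAMPLE_GRANTS" | audit_grants
```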

  • Enabling firewall on the ol’ webserver

    This evening at work I have decided to enable the firewall on my webserver. It is of course already behind my network firewall, but if one of my other devices gets hacked or something, it could become a target. I have been meaning to do it for a while now, but it’s probably been twenty years since I’ve used iptables to do anything. And Ubuntu has a handy little utility called Uncomplicated Firewall (ufw), which is just a configuration system for iptables. And in keeping with linux development over the last couple decades, this new easier configuration comes with all these lovely config files!

    Since I’m doing this at work, I have to make sure I’ve got all the rules configured correctly, or I risk being blocked for the rest of the work shift, so gotta dot my t’s and cross my eye’s.

    Checking current config

    /etc/default/ufw only had a couple things I might need to change, which are listed below.

    # Set the default input policy to ACCEPT, DROP, or REJECT. Please note that if
    # you change this you will most likely want to adjust your rules.
    DEFAULT_INPUT_POLICY="DROP"
    
    # Set the default output policy to ACCEPT, DROP, or REJECT. Please note that if
    # you change this you will most likely want to adjust your rules.
    DEFAULT_OUTPUT_POLICY="ACCEPT"
    
    # Set the default forward policy to ACCEPT, DROP or REJECT.  Please note that
    # if you change this you will most likely want to adjust your rules
    DEFAULT_FORWARD_POLICY="DROP"
    
    # Set the default application policy to ACCEPT, DROP, REJECT or SKIP. Please
    # note that setting this to ACCEPT may be a security risk. See 'man ufw' for
    # details
    DEFAULT_APPLICATION_POLICY="SKIP"
    

    The .rules files I checked just had some common sense stuff, but I haven’t found a “Drop All” command anywhere in the files. I really need to know if this is configured for default deny or allow, because that changes the order I need to add rules. I’m assuming it’s processed last. I attempted to just enable the firewall but I got a message that it may disconnect my ssh session, so I’ve decided to enter the rules I know I need and hope I don’t get blocked when I enable it.

    So, building the commands to add the rules I need, which is HTTP(S) for the webserver, SSH to configure the webserver, and I’ll add some rules for RDP and Samba later, though I’m not sure I really need to because it’s acting as the client. Apache and SSH are already defined as applications in /etc/ufw/applications.d.

    # add rule for SSH
    sudo ufw allow from 192.168.0.0/24 to any app OpenSSH
    
    #add rule for Apache
    sudo ufw allow from any to any app "Apache Full"
    
    Unfortunately, it doesn't allow me to run the status command without enabling the firewall, so I may have 7-8 hours of boredom if this goes tits up.

    Wow, I wasn’t disconnected, so I did things right, or it’s just not blocking anything at all. Time to check the log.

    Nothing but this error, so I think I’m good. Not sure why my router is sending this shit, but I’m guessing it’s UPnP or Multicast something or other. It logs this every 20 seconds.

    2024-10-20T04:25:18.125010+00:00 thecweb kernel: [UFW BLOCK] IN=eno1 OUT= MAC=01:00:5e:00:00:01:c8:7f:54:90:f5:d8:08:00 SRC=192.168.1.1 DST=224.0.0.1 LEN=36 TOS=0x00 PREC=0x00 TTL=1 ID=11284 DF PROTO=2

    I’m kind of surprised neither my SSH, RDP, nor Apache/Tomcat lost connection when I turned it on, but things seem to be working perfectly…

    The status command certainly looks like I did what I intended…

    cweb@thecweb:/var/log$ sudo ufw status verbose
    Status: active
    Logging: on (low)
    Default: deny (incoming), allow (outgoing), disabled (routed)
    New profiles: skip
    
    To                         Action      From
    --                         ------      ----
    80/tcp                     ALLOW IN    Anywhere
    443/tcp                    ALLOW IN    Anywhere
    22/tcp (OpenSSH)           ALLOW IN    192.168.0.0/24
    80,443/tcp (Apache Full)   ALLOW IN    Anywhere
    80/tcp (v6)                ALLOW IN    Anywhere (v6)
    443/tcp (v6)               ALLOW IN    Anywhere (v6)
    80,443/tcp (Apache Full (v6)) ALLOW IN    Anywhere (v6)

    One last setting to enable at boot and I’m done. Oh, well actually, it turns out that /etc/ufw/ufw.conf is automatically updated to start on boot with the ufw enable command. Cool.
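    Added example (not from the post): a summary of [UFW BLOCK] lines by source and destination port, which separates the router's IGMP queries to 224.0.0.1 (IP protocol 2 is IGMP, and 224.0.0.1 is the all-hosts multicast group) from blocked connection attempts that are worth a look. The sample log is constructed from the line quoted above plus made-up TCP lines; the /var/log/ufw.log path in the comment is the Ubuntu default.

```shell
#!/usr/bin/env bash
# Added example: count [UFW BLOCK] log lines per source and destination port,
# separating expected multicast noise from blocked connection attempts.
# Live usage:  grep 'UFW BLOCK' /var/log/ufw.log | summarize_blocks
set -eu

# Constructed sample: the real line from the post (repeated, as it is every 20 s)
# plus made-up TCP lines with invented MAC addresses and source hosts.
SAMPLE_LOG='2024-10-20T04:25:18.125010+00:00 thecweb kernel: [UFW BLOCK] IN=eno1 OUT= MAC=01:00:5e:00:00:01:c8:7f:54:90:f5:d8:08:00 SRC=192.168.1.1 DST=224.0.0.1 LEN=36 TOS=0x00 PREC=0x00 TTL=1 ID=11284 DF PROTO=2
2024-10-20T04:25:38.125010+00:00 thecweb kernel: [UFW BLOCK] IN=eno1 OUT= MAC=01:00:5e:00:00:01:c8:7f:54:90:f5:d8:08:00 SRC=192.168.1.1 DST=224.0.0.1 LEN=36 TOS=0x00 PREC=0x00 TTL=1 ID=11285 DF PROTO=2
2024-10-20T04:25:58.125010+00:00 thecweb kernel: [UFW BLOCK] IN=eno1 OUT= MAC=01:00:5e:00:00:01:c8:7f:54:90:f5:d8:08:00 SRC=192.168.1.1 DST=224.0.0.1 LEN=36 TOS=0x00 PREC=0x00 TTL=1 ID=11286 DF PROTO=2
2024-10-20T04:26:03.000000+00:00 thecweb kernel: [UFW BLOCK] IN=eno1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.23 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4711 DF PROTO=TCP SPT=51000 DPT=3389 WINDOW=64240 RES=0x00 SYN URGP=0
2024-10-20T04:26:04.000000+00:00 thecweb kernel: [UFW BLOCK] IN=eno1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.23 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4712 DF PROTO=TCP SPT=51001 DPT=3389 WINDOW=64240 RES=0x00 SYN URGP=0
2024-10-20T04:27:10.000000+00:00 thecweb kernel: [UFW BLOCK] IN=eno1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.0.9 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=9 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0'

# Reads UFW log lines on stdin; prints "<count> <kind> from <src>", most frequent first.
summarize_blocks() {
  awk '
    /\[UFW BLOCK\]/ {
      src = dst = proto = ""; dpt = "-"
      # netfilter logs KEY=VALUE tokens; pick out the ones we need
      for (i = 1; i <= NF; i++) {
        n = split($i, kv, "=")
        if (n < 2) continue
        if (kv[1] == "SRC") src = kv[2]
        else if (kv[1] == "DST") dst = kv[2]
        else if (kv[1] == "PROTO") proto = kv[2]
        else if (kv[1] == "DPT") dpt = kv[2]
      }
      # 224.0.0.0/4 is multicast and PROTO=2 is IGMP: the router asking which
      # hosts want which multicast groups. Expected noise, not a probe.
      if (dst ~ /^2(2[4-9]|3[0-9])\./ && proto == "2")
        kind = "multicast-noise"
      else
        kind = "blocked " proto "/" dpt
      count[kind " from " src]++
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

printf '%s\n' "$SAMPLE_LOG" | summarize_blocks
```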