CentOS 6.5 Equivalents In CentOS 7


I tried to install CentOS 7 on a new system. It works.

However, I’m noticing small things:
1. system-config-network-tui is not installed and yum cannot find it. I realized for this — nmtui

What about firewall? I can’t seem to understand the replacement from system-config-firewall-tui

Jason

27 thoughts on - CentOS 6.5 Equivalents In CentOS 7

  • so I figured this out, I think:

    firewall-cmd --zone=public --add-port=88/tcp --permanent

    but if is a known service, you can use:

    firewall-cmd --zone=public --add-service=http --permanent

    and then reload the firewall

    firewall-cmd --reload

  • Thanks Marko for the reply.

    So I changed my SSH port in sshd_config and did: systemctl restart sshd.service. I then did:

    firewall-cmd --add-port=port/tcp
    firewall-cmd --permanent --add-port=port/tcp
    firewall-cmd --reload

    and for safety: systemctl restart firewalld

    and I get a connection refused.

    so I decided to do systemctl stop firewalld

    and try again, still connection refused.

    Commented out the port line in sshd_config (so back to 22) and restart, works.

    so I am confused as to what is happening. I have done this 100 times in CentOS 6.x

  • selinux is set to only allow sshd to listen on port 22, you need to do something like:
    semanage port -a -t ssh_port_t -p tcp 2222

    Peter
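The three places that must agree after moving sshd to a new port, as an added example that is not from the thread (it assumes firewalld and the policycoreutils-python package that provides semanage; the sshd_config lines are constructed):

```shell
#!/bin/sh
# Added example, not from the thread: make sshd_config, firewalld and the
# SELinux port label agree on the sshd port. The failure mode above (rule
# added, firewall even stopped, still "connection refused") is what you get
# when the SELinux step is skipped, so this plans all three in one place.
# Assumes firewalld and policycoreutils-python (semanage) are installed.
# Commands are only printed unless APPLY=1 is set in the environment.

# Read sshd_config text on stdin and print the last uncommented Port value,
# or 22 when none is set (the daemon default).
ssh_port_from_config() {
    awk '$1 == "Port" { p = $2 } END { print (p == "" ? 22 : p) }'
}

# Print a command, and run it as well when APPLY=1.
run() {
    echo "$1"
    if [ "${APPLY:-0}" = "1" ]; then
        eval "$1"
    fi
}

# Emit the steps that let sshd listen on, and be reachable through, PORT.
ssh_port_plan() {
    port=$1
    case "$port" in
        '' | *[!0-9]*) echo "invalid port: '$port'" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range: $port" >&2; return 1
    fi
    # 1. Label the port so SELinux lets sshd bind it (use -m instead of -a
    #    when the port already carries a label; 22 is ssh_port_t by default).
    run "semanage port -a -t ssh_port_t -p tcp $port"
    # 2. Open it in the permanent firewalld configuration and reload.
    run "firewall-cmd --permanent --zone=public --add-port=$port/tcp"
    run "firewall-cmd --reload"
    # 3. Restart sshd last, only after the steps above succeeded.
    run "systemctl restart sshd.service"
}

# Demonstration on a constructed sshd_config fragment (APPLY unset: print only).
SAMPLE_CONFIG='#Port 22
Port 2222
PermitRootLogin no'
ssh_port_plan "$(printf '%s\n' "$SAMPLE_CONFIG" | ssh_port_from_config)"
```

Leave the old port open in firewalld until a login on the new port has been verified from a second session; otherwise a typo in any of the three steps locks you out.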

  • yes, so I just figured out. Thank you so much. Where does `semanage` come from? I tried policycoreutils-python but it cannot be found.

    iptables -A table-name -p tcp --dport 80 -j ACCEPT

    No reboot needed. ‘table-name’ can be INPUT or another user defined table name.

    firewall-cmd with its Windoze-like structure and syntax is definitely unappealing to many normal firewall users.

  • You can turn off firewalld and use iptables if that is the desire. That is what I have done on my test machines.

    Some of us old farts don’t do well with change :D

  • If you compare the syntax of the two equivalent commands,

    iptables -I INPUT -p tcp --dport 80 -j ACCEPT

    and

    firewall-cmd --add-service=http

    I’d say that the second one appears simpler, more readable, more intuitive, and less sensitive to typos. No reboot is required for either. I fail to see what is so unappealing to a user in the second one. I don’t know who is a “normal firewall user”. Finally, I don’t see any Windows-like syntax in the second one (AFAIK, Windows doesn’t have any syntax, you need to click your way through menus and checkboxes and stuff to tweak the firewall in Windows).

    Incidentally, since I started using Linux I have always found iptables to have a very user-unfriendly syntax. Whenever I needed to tweak the firewall, I had to look up the man page for iptables, in order to make sure I don’t screw myself over between -A and -I, -N and -n, -P and -p, etc. It was a royal pain having to pay attention to the order of the rules in the table. It was stupid having to look up explicit port numbers for common services. Various GUIs and TUIs of the time only added a whole new level of obscurity.

    So I find the firewall-cmd syntax to be a major step forward wrt iptables. At least for the vast majority of common use cases.

    And no, I am not a novice user from Windowsland — I’ve been Linux-only since RedHat 6.2 (Zoot), back in the previous millennium… ;-)

    Best, :-)
    Marko

  • Yes, it is there:

    policycoreutils-python-2.2.5-11.el7_0.1.x86_64 : SELinux policy core python utilities
    Repo         : @updates
    Matched from:
    Filename     : /sbin/semanage

    HTH, :-)
    Marko

  • Hi Marko,

    I started a few years earlier about the time of CentOS 5.3

    The order of rules in any IPtables table is pure common sense and very logical. Essentially, the first rule is the first action. The second rule is the second action etc.

    Generally, in simple terms, a rule can block, accept or permanently go to another table (go) or perform another table (jump).

    -A = append at the end of a table
    -I = insert into a table at a specified line number (default line 1)
    -N = create new table
    -Z = zeroise a table’s count (and in later editions the count on an individual table entry)
    -F = delete all a table’s entries
    -p = tcp/icmp/udp etc.

    I created helpful routines and abbreviations:

    ipt = iptables

    .i = iptables -nvL $1 --line-numbers; echo '----> '$1

    sv = service, used in ‘sv ipt save’

    Linux is extremely customisable.

    The firewall-cmd syntax appears to me to be dumbing-down and de-skilling. It hides the technical information behind the command, to the detriment of the technical user.

    In IPtables

    -A 4web -p tcp --dport 81 -j ACCEPT

    In firewall-cmd

    firewall-cmd --add-service=http

    but that refers to port 80. Hence IPtables is a lot more flexible. The contrast is like playing a piano without gloves and then wearing boxing gloves – the precision has vanished.

    An informed user derives more from his computer system than someone who uses the ‘dumb-down’ simplified pre-packaged alternative – especially when there is a problem.

  • Ugh. Very unappealing. I am so happy to be on CentOS 5 and 6. :-)

    How does one modify that Windoze rule ? In IPtables,

    -R 4web 5 -p tcp --dport 888 -s 192.168.2.1/23 -j ACCEPT

  • That will only work if you want to permit from source addresses in the
    192.168.2.1 and 192.168.3.1 netblocks. I think you want a -s 192.168.1.1/23

    When I was first starting out in IT, I was transitioning from Comms Engineering, where I was mentored by one of the guys who helped build the PSTN telephone network in AU. The two things he hammered home to me were:

    * Always check the lines you’re working on, and then check the numbers again.

    and

    * Always know how to use a different set of tools, because your preferred one may not be available when you need it the most.

  • At the moment this can be a solution. But one day this option will be gone, so at your leisure try to accommodate to new reality… whatever you think about it.

    Valeri

    ++++++++++++++++++++++++++++++++++++++++
    Valeri Galtsev Sr System Administrator Department of Astronomy and Astrophysics Kavli Institute for Cosmological Physics University of Chicago Phone: 773-702-4247
    ++++++++++++++++++++++++++++++++++++++++

    netsh advfirewall firewall set rule name="sshd" \
    new remoteip=192.168.1.1/23

    Different? – Yes Difficult? – No more than anything else I’m unfamiliar with

  • Sure, I do know how it works. :-) However, the iptables requires me to think about it when specifying -I or -A every time I modify the rules. My beef is that in most situations I don’t really need to be bothered with that — if I want to open a http port, the machine should be the one to figure out where to put the rule. I want to be bothered with rule order only when I am doing something complicated enough, not for every firewall modification.

    I’d say that the vast majority of users never actually need to see that technical information. Most server deployments are standardized, and the user just wants to say “I have http, ssh, openvpn, dhcp… services running on this machine, open appropriate ports”. Only the more intricate configurations should require a learning curve.

    You seem to be pushing the argument that we should give up Office suites and force the user to write everything in TeX, since it is more powerful and exposes a lot more technical details to the user. But TeX comes with a steep learning curve, and the vast majority of people don’t really need it. Similarly, C is far more powerful than, say, Python or a bash script, so should we do all our scripting in C?

    I have a feeling that RedHat has some internal statistics coming from customer support channels, and that in 99% of the cases the question is “how do I open a firewall port for httpd”, while only in 1% of the cases the question is “I’m masquerading a subnet from one LAN, while I want trusted access for three machines from another LAN, but only through a customized sshd port, while everything else should go as usual, except for mail originating from a local server…”. So the idea is to adapt the firewall-cmd tool for the most common use cases, and not require them to touch stuff “under the hood” for simple tasks.

    People who need complicated setups can either learn how to achieve that using firewall-cmd itself, or shut down firewalld and configure iptables manually. But this should be an exception, rather than a rule, IMHO.

    firewall-cmd --add-port

  • While I’m a long-time iptables user I will be the first to admit it is terribly difficult to work with. If you are starting from scratch firewall-cmd makes a lot of sense, just like realmd greatly simplifies the bind process to Active Directory.

    It’s good to know the underpinnings, but the bottom line is I need to get stuff done fast. To be honest, I very rarely dump in iptables commands directly these days. It’s almost always done through puppet or copy/pasting to /etc/sysconfig/iptables for one-offs pre RHEL 7. I’ve been using it for years but I doubt I could crank out a good webserver firewall config with appropriate logging/rate-limiting without looking up most of it. Almost everything is abstracted into syntax for config management engines like puppet now.

    I’m a fan of progress even if it’s a bit of a headache at first. But the most frustrating part of RHEL 7 has been the dramatic changes in syntax for pretty much every core process I do on a daily basis (systemd, firewalld, etc). For better or worse they are here to stay.

    -Iain

  • That was merely an idle example.

    Agree about getting it correct the first time, because corrections can be time consuming burdens.

    The more one knows technically, the easier it is to devise an alternative solution.

  • But only if one uses C7 at the point IPtables is dropped. Possibly a repo will supply it. CentOS users seem to like, if not adore, stability, persistence and as few changes as possible.

    When I set up a server, I devise the rules and the sub-systems that interface with IPtables and rarely change anything, except to empty (flush) the blocked IPs in the monthly banned table.

    Adding an extra facility is usually quick and easy. I know what I want and I instinctively know where I want the -I. Rarely do I use -A on an established table.

    IPtables is flexible, efficient and effective.

    Assuming the IPtables firewall is logically designed, it is very easy to see exactly where you need to place the command. Your wish to delegate a simple placement to the software suggests you are not well familiar with the design and construction of your IPtables firewall. firewalld is probably ideal for you, but I prefer the precision and flexibility of IPtables (perhaps because I am an assembler programmer at heart).

    No. Writing letters and playing with spreadsheets should be done with Libre Office.

    Use the best and most convenient tools relevant to the task. I use PHP for most programming work.

    It was an illustration of using http on a non-standard port. Very easy to do in IPtables. I have nothing running on 81.

    Time is finite. Having learnt much, but not all, about IPtables I am reluctant to learn firewalld just to do what I can already do, elegantly, in IPtables.

    Why waste time and energy learning a different and unappealing method to do exactly what I can do already in IPtables ?

    Best wishes.

    An IPtables Fan :-)

  • Yes, and after all they both are the front end to the same kernel module…

    Valeri


  • With respect, having to learn new ways of accomplishing familiar tasks and being forced to discover and apply new solutions to problems long solved does not, in my opinion, make efficient use of limited and expensive resources. Namely said ‘lazy’ sysadmins time. Add to that the consideration that for small and medium size enterprises the ‘sysadmin’ often has many other duties more pertinent to earning income for his/her employer. SO resentment reasonably might be expected from some quarters, I think.

    That said, I have just started working with CentOS-7 and frankly I do not see what all the brouhaha is all about. The default Gnome desktop seems satisfactory to me. That opinion may change when I try and customize it somewhat but for now, meh. It looks to me like a pale imitation of the OSX desktop with the convenience of the launcher dock removed.

    The IPTables replacement is not particularly difficult to work with either. I will wait to form an opinion about systemd after I have some experience with it. I am hoping that it cannot be any worse than upstart.

    For now I have managed to get ZFS built and installed on the test box. This afternoon I will try and get the entire file-system converted to ZFS on a LUKS substrate and see if that works.

    The Lazy Sysadmin,

  • If you manage your systems through a configuration management system like puppet, chef or bcfg2, managing the monolithic /etc/sysconfig/iptables is a pain. I ended up templating it, and having various group memberships define how the file is created from the template.

    One of the features firewalld brings is being able to place different configuration parts into separate files, to be incorporated into the firewall dynamically. This is a dev web host? It gets a zone letting only the developers access httpd. This other system is a production mysql server? Define the zone allowing the production application servers access to the mysql port. Have each configuration bundle that defines a service drop in a service definition.
