その2のつづき

(注: 次の /etc/sysconfig/iptables-config は iptables.service 用の設定ファイル。後述のとおり firewalld.service は Conflicts=iptables.service を持ち、このホストでは firewalld が active なので、このファイルの設定は現状では読まれていない)

せ7> cat /etc/sysconfig/iptables-config
# Load additional iptables modules (nat helpers)
#   Default: -none-
# Space separated list of nat helpers (e.g. 'ip_nat_ftp ip_nat_irc'), which
# are loaded after the firewall rules are applied. Options for the helpers are
# stored in /etc/modprobe.conf.
IPTABLES_MODULES=""

# Unload modules on restart and stop
#   Value: yes|no,  default: yes
# This option has to be 'yes' to get to a sane state for a firewall
# restart or stop. Only set to 'no' if there are problems unloading netfilter
# modules.
IPTABLES_MODULES_UNLOAD="yes"

# Save current firewall rules on stop.
#   Value: yes|no,  default: no
# Saves all firewall rules to /etc/sysconfig/iptables if firewall gets stopped
# (e.g. on system shutdown).
IPTABLES_SAVE_ON_STOP="no"

# Save current firewall rules on restart.
#   Value: yes|no,  default: no
# Saves all firewall rules to /etc/sysconfig/iptables if firewall gets
# restarted.
IPTABLES_SAVE_ON_RESTART="no"

# Save (and restore) rule and chain counter.
#   Value: yes|no,  default: no
# Save counters for rules and chains to /etc/sysconfig/iptables if
# 'service iptables save' is called or on stop or restart if SAVE_ON_STOP or
# SAVE_ON_RESTART is enabled.
IPTABLES_SAVE_COUNTER="no"

# Numeric status output
#   Value: yes|no,  default: yes
# Print IP addresses and port numbers in numeric format in the status output.
IPTABLES_STATUS_NUMERIC="yes"

# Verbose status output
#   Value: yes|no,  default: yes
# Print info about the number of packets and bytes plus the "input-" and
# "outputdevice" in the status output.
IPTABLES_STATUS_VERBOSE="no"

# Status output with numbered lines
#   Value: yes|no,  default: yes
# Print a counter/number for every rule in the status output.
IPTABLES_STATUS_LINENUMBERS="yes"

# Reload sysctl settings on start and restart
#   Default: -none-
# Space separated list of sysctl items which are to be reloaded on start.
# List items will be matched by fgrep.
#IPTABLES_SYSCTL_LOAD_LIST=".nf_conntrack .bridge-nf"

 

せ7> systemctl -l status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: active (running) since Fri 2018-02-02 22:48:03 PST; 11min ago
     Docs: man:firewalld(1)
 Main PID: 597 (firewalld)
   CGroup: /system.slice/firewalld.service
           mq597 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid

Feb 02 22:48:00 chinko.giveadream.jp systemd[1]: Starting firewalld - dynamic firewall daemon...
Feb 02 22:48:03 chinko.giveadream.jp systemd[1]: Started firewalld - dynamic firewall daemon.

せ7> lsmod | egrep -i "tables|filter|nf"
nf_nat_masquerade_ipv4    13412  1 ipt_MASQUERADE
ip6t_rpfilter          12595  1
nf_reject_ipv4         13373  1 ipt_REJECT
nf_reject_ipv6         13717  1 ip6t_REJECT
nfnetlink              14696  1 ip_set
nf_conntrack_ipv6      18894  7
nf_defrag_ipv6         35104  1 nf_conntrack_ipv6
nf_nat_ipv6            14131  1 ip6table_nat
nf_conntrack_ipv4      19108  7
nf_defrag_ipv4         12729  1 nf_conntrack_ipv4
nf_nat_ipv4            14115  1 iptable_nat
nf_nat                 26147  3 nf_nat_ipv4,nf_nat_ipv6,nf_nat_masquerade_ipv4
nf_conntrack          111302  7 nf_nat,nf_nat_ipv4,nf_nat_ipv6,xt_conntrack,nf_nat_masquerade_ipv4,nf_conntrack_ipv4,nf_conntrack_ipv6
ebtable_filter         12827  1
ebtables               35009  3 ebtable_broute,ebtable_nat,ebtable_filter
ip6table_filter        12815  1
ip6_tables             26901  5 ip6table_filter,ip6table_mangle,ip6table_security,ip6table_nat,ip6table_raw
iptable_filter         12810  1
nfit                   39625  0
libnvdimm             126631  1 nfit
nfsd                  333626  1
auth_rpcgss            59323  1 nfsd
nfs_acl                12837  1 nfsd
lockd                  93573  1 nfsd
grace                  13515  2 nfsd,lockd
sunrpc                334343  7 nfsd,auth_rpcgss,lockd,nfs_acl
ip_tables              27115  5 iptable_security,iptable_filter,iptable_mangle,iptable_nat,iptable_raw

せ7> systemctl stop firewalld
せ7> systemctl status firewalld

● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: inactive (dead) since Fri 2018-02-02 23:05:02 PST; 8s ago
     Docs: man:firewalld(1)
  Process: 598 ExecStart=/usr/sbin/firewalld --nofork --nopid $FIREWALLD_ARGS (code=exited, status=0/SUCCESS)
 Main PID: 598 (code=exited, status=0/SUCCESS)

Feb 02 23:03:02 chinko.giveadream.jp systemd[1]: Starting firewalld - dynamic firewall daemon...
Feb 02 23:03:09 chinko.giveadream.jp systemd[1]: Started firewalld - dynamic firewall daemon.
Feb 02 23:05:02 chinko.giveadream.jp systemd[1]: Stopping firewalld - dynamic firewall daemon...
Feb 02 23:05:02 chinko.giveadream.jp systemd[1]: Stopped firewalld - dynamic firewall daemon.

 

せ7> lsmod | egrep -i "tables|filter|nf"
nfnetlink              14696  1 ip_set
nfit                   39625  0
libnvdimm             126631  1 nfit
nfsd                  333626  1
auth_rpcgss            59323  1 nfsd
nfs_acl                12837  1 nfsd
lockd                  93573  1 nfsd
grace                  13515  2 nfsd,lockd
sunrpc                334343  7 nfsd,auth_rpcgss,lockd,nfs_acl

 

せ7> cat /etc/systemd/system/basic.target.wants/firewalld.service
[Unit]
Description=firewalld - dynamic firewall daemon
Before=network.target
Before=libvirtd.service
Before=NetworkManager.service
After=dbus.service              ←After= は「列挙したユニットの後に firewalld を起動する」という順序指定。つまり dbus → firewalld の順(firewalld の後ではなく前)
After=polkit.service              ←同上。After= は順序だけを決め、Requires=/Wants= のような依存ではないので polkit.service が無くても firewalld の起動自体は失敗しない。ただし Type=dbus なので、D-Bus 上で BusName を取得するまで「起動完了」扱いにならない(=dbus は実質必須)

Conflicts=iptables.service ip6tables.service ebtables.service ipset.service  ←iptables 系サービスと排他。firewalld を start するとこれらが stop され、逆も同じ。両方を enable しておくと起動のたびにどちらかが落とされるので、使う方だけを enable する
Documentation=man:firewalld(1)

[Service]
EnvironmentFile=-/etc/sysconfig/firewalld
ExecStart=/usr/sbin/firewalld --nofork --nopid $FIREWALLD_ARGS
ExecReload=/bin/kill -HUP $MAINPID
# supress to log debug and error output also to /var/log/messages
StandardOutput=null
StandardError=null
Type=dbus
BusName=org.fedoraproject.FirewallD1

[Install]
WantedBy=basic.target
Alias=dbus-org.fedoraproject.FirewallD1.service

ちなみに、上記の After= から読み取れるのは「firewalld より先に起動していなければならない(firewalld がその後に起動する)サービス」で、それが

dbus と polkit

逆に firewalld より後に起動するのは Before= に書かれた network.target、libvirtd.service、NetworkManager.service。

せ7> cat /usr/lib/systemd/system/polkit.service
[Unit]
Description=Authorization Manager
Documentation=man:polkit(8)
                                                  ←After=/Before= の指定なし。Type=dbus と BusName= があるので、バス名 org.freedesktop.PolicyKit1 が要求された時点で D-Bus 経由で起動される(後述の dbus のログ "Activating via systemd: service name='org.freedesktop.PolicyKit1' unit='polkit.service'" がそれ)
[Service]
Type=dbus
BusName=org.freedesktop.PolicyKit1
ExecStart=/usr/lib/polkit-1/polkitd --no-debug

せ7> cat /usr/lib/systemd/system/dbus.service
[Unit]
Description=D-Bus System Message Bus
Requires=dbus.socket
After=syslog.target          ←これは「dbus を syslog.target の後に起動する」という順序指定(syslog を後から起動する、ではない)。あと Requires=dbus.socket なので dbus.service はソケット起動される点に注意(後述の stop の挙動に効いてくる)

[Service]
ExecStart=/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
ExecReload=/bin/dbus-send --print-reply --system --type=method_call --dest=org.freedesktop.DBus / org.freedesktop.DBus.ReloadConfig
OOMScoreAdjust=-900

 

【検証1】firewalldを上記の依存関係を無視して落とし上げしてみる

せ7> systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: active (running) since Fri 2018-02-02 23:29:30 PST; 20s ago
     Docs: man:firewalld(1)
 Main PID: 56574 (firewalld)
   CGroup: /system.slice/firewalld.service
           mq56574 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid

Feb 02 23:29:29 chinko.giveadream.jp systemd[1]: Starting firewalld - dynamic firewall daemon...
Feb 02 23:29:30 chinko.giveadream.jp systemd[1]: Started firewalld - dynamic firewall daemon.

せ7> systemctl status dbus
● dbus.service - D-Bus System Message Bus
   Loaded: loaded (/usr/lib/systemd/system/dbus.service; static; vendor preset: disabled)
   Active: active (running) since Fri 2018-02-02 23:42:21 PST; 12min ago
 Main PID: 539 (dbus-daemon)
   CGroup: /system.slice/dbus.service
           tq 539 /bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
           mq2367 /usr/sbin/abrt-dbus -t133

Feb 02 23:42:38 chinko.giveadream.jp dbus[539]: [system] Successfully activated service 'org.freedesktop.nm_dispatcher'
Feb 02 23:42:38 chinko.giveadream.jp dbus-daemon[539]: dbus[539]: [system] Successfully activated service 'org.freedesktop.nm_dispatcher'
Feb 02 23:42:38 chinko.giveadream.jp dbus[539]: [system] Activating via systemd: service name='org.freedesktop.hostname1' unit='dbus-org.freedeskt...service'
Feb 02 23:42:38 chinko.giveadream.jp dbus-daemon[539]: dbus[539]: [system] Activating via systemd: service name='org.freedesktop.hostname1' unit='...service'
Feb 02 23:42:38 chinko.giveadream.jp dbus[539]: [system] Successfully activated service 'org.freedesktop.hostname1'
Feb 02 23:42:38 chinko.giveadream.jp dbus-daemon[539]: dbus[539]: [system] Successfully activated service 'org.freedesktop.hostname1'
Feb 02 23:54:35 chinko.giveadream.jp dbus[539]: [system] Activating service name='org.freedesktop.problems' (using servicehelper)
Feb 02 23:54:35 chinko.giveadream.jp dbus-daemon[539]: dbus[539]: [system] Activating service name='org.freedesktop.problems' (using servicehelper)
Feb 02 23:54:35 chinko.giveadream.jp dbus[539]: [system] Successfully activated service 'org.freedesktop.problems'
Feb 02 23:54:35 chinko.giveadream.jp dbus-daemon[539]: dbus[539]: [system] Successfully activated service 'org.freedesktop.problems'
Hint: Some lines were ellipsized, use -l to show in full.

せ7> systemctl status polkit
● polkit.service - Authorization Manager
   Loaded: loaded (/usr/lib/systemd/system/polkit.service; static; vendor preset: enabled)
   Active: active (running) since Fri 2018-02-02 23:42:34 PST; 12min ago
     Docs: man:polkit(8)
 Main PID: 573 (polkitd)
   CGroup: /system.slice/polkit.service
           mq573 /usr/lib/polkit-1/polkitd --no-debug

Feb 02 23:42:32 chinko.giveadream.jp systemd[1]: Starting Authorization Manager...
Feb 02 23:42:33 chinko.giveadream.jp polkitd[573]: Started polkitd version 0.112
Feb 02 23:42:33 chinko.giveadream.jp polkitd[573]: Loading rules from directory /etc/polkit-1/rules.d
Feb 02 23:42:33 chinko.giveadream.jp polkitd[573]: Loading rules from directory /usr/share/polkit-1/rules.d
Feb 02 23:42:34 chinko.giveadream.jp polkitd[573]: Finished loading, compiling and executing 6 rules
Feb 02 23:42:34 chinko.giveadream.jp systemd[1]: Started Authorization Manager.
Feb 02 23:42:34 chinko.giveadream.jp polkitd[573]: Acquired the name org.freedesktop.PolicyKit1 on the system bus

せ7> systemctl restart firewalld
せ7> systemctl status firewalld

● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: active (running) since Fri 2018-02-02 23:56:34 PST; 9s ago
     Docs: man:firewalld(1)
 Main PID: 2475 (firewalld)
   CGroup: /system.slice/firewalld.service
           mq2475 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid

Feb 02 23:56:35 chinko.giveadream.jp firewalld[2475]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -w --table filter --delete FORWARD --destin... failed:
Feb 02 23:56:35 chinko.giveadream.jp firewalld[2475]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -w --table filter --delete FORWARD --source... failed:
Feb 02 23:56:35 chinko.giveadream.jp firewalld[2475]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -w --table filter --delete FORWARD --in-int... failed:
Feb 02 23:56:35 chinko.giveadream.jp firewalld[2475]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -w --table filter --delete FORWARD --out-in... failed:
Feb 02 23:56:35 chinko.giveadream.jp firewalld[2475]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -w --table filter --delete FORWARD --in-int... failed:
Feb 02 23:56:35 chinko.giveadream.jp firewalld[2475]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -w --table filter --delete INPUT --in-inter... failed:
Feb 02 23:56:35 chinko.giveadream.jp firewalld[2475]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -w --table filter --delete INPUT --in-inter... failed:
Feb 02 23:56:35 chinko.giveadream.jp firewalld[2475]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -w --table filter --delete OUTPUT --out-int... failed:
Feb 02 23:56:35 chinko.giveadream.jp firewalld[2475]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -w --table filter --delete INPUT --in-inter... failed:
Feb 02 23:56:35 chinko.giveadream.jp firewalld[2475]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -w --table filter --delete INPUT --in-inter... failed:

Hint: Some lines were ellipsized, use -l to show in full.

→WARNING が出た。ただし内容は iptables の --delete(既存ルールの削除)が失敗したというもので、「消そうとしたルールが無かった」類の後始末の警告。dbus(PID 539、23:42:21 から稼働)も polkit(PID 573、23:42:34 から稼働)もこの restart(23:56)の間ずっと動いていたので、dbus/polkit の起動順が原因とは言えない。本当の原因はこの省略されたログからは判断できないので、`systemctl -l status firewalld` か `journalctl -u firewalld` でコマンド全文を確認するのが先。

せ7> systemctl status dbus
● dbus.service - D-Bus System Message Bus
   Loaded: loaded (/usr/lib/systemd/system/dbus.service; static; vendor preset: disabled)
   Active: active (running) since Fri 2018-02-02 23:42:21 PST; 15min ago
 Main PID: 539 (dbus-daemon)
   CGroup: /system.slice/dbus.service
           mq539 /bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation

Feb 02 23:42:38 chinko.giveadream.jp dbus[539]: [system] Successfully activated service 'org.freedesktop.hostname1'
Feb 02 23:42:38 chinko.giveadream.jp dbus-daemon[539]: dbus[539]: [system] Successfully activated service 'org.freedesktop.hostname1'
Feb 02 23:54:35 chinko.giveadream.jp dbus[539]: [system] Activating service name='org.freedesktop.problems' (using servicehelper)
Feb 02 23:54:35 chinko.giveadream.jp dbus-daemon[539]: dbus[539]: [system] Activating service name='org.freedesktop.problems' (using servicehelper)
Feb 02 23:54:35 chinko.giveadream.jp dbus[539]: [system] Successfully activated service 'org.freedesktop.problems'
Feb 02 23:54:35 chinko.giveadream.jp dbus-daemon[539]: dbus[539]: [system] Successfully activated service 'org.freedesktop.problems'
Feb 02 23:54:56 chinko.giveadream.jp dbus[539]: [system] Activating via systemd: service name='org.freedesktop.nm_dispatcher' unit='dbus-org.freed...service'
Feb 02 23:54:56 chinko.giveadream.jp dbus-daemon[539]: dbus[539]: [system] Activating via systemd: service name='org.freedesktop.nm_dispatcher' un...service'
Feb 02 23:54:56 chinko.giveadream.jp dbus[539]: [system] Successfully activated service 'org.freedesktop.nm_dispatcher'
Feb 02 23:54:56 chinko.giveadream.jp dbus-daemon[539]: dbus[539]: [system] Successfully activated service 'org.freedesktop.nm_dispatcher'
Hint: Some lines were ellipsized, use -l to show in full.

せ7> systemctl status polkit
● polkit.service - Authorization Manager
   Loaded: loaded (/usr/lib/systemd/system/polkit.service; static; vendor preset: enabled)
   Active: active (running) since Fri 2018-02-02 23:42:34 PST; 15min ago
     Docs: man:polkit(8)
 Main PID: 573 (polkitd)
   CGroup: /system.slice/polkit.service
           mq573 /usr/lib/polkit-1/polkitd --no-debug

Feb 02 23:42:32 chinko.giveadream.jp systemd[1]: Starting Authorization Manager...
Feb 02 23:42:33 chinko.giveadream.jp polkitd[573]: Started polkitd version 0.112
Feb 02 23:42:33 chinko.giveadream.jp polkitd[573]: Loading rules from directory /etc/polkit-1/rules.d
Feb 02 23:42:33 chinko.giveadream.jp polkitd[573]: Loading rules from directory /usr/share/polkit-1/rules.d
Feb 02 23:42:34 chinko.giveadream.jp polkitd[573]: Finished loading, compiling and executing 6 rules
Feb 02 23:42:34 chinko.giveadream.jp systemd[1]: Started Authorization Manager.
Feb 02 23:42:34 chinko.giveadream.jp polkitd[573]: Acquired the name org.freedesktop.PolicyKit1 on the system bus
Feb 02 23:56:33 chinko.giveadream.jp polkitd[573]: Registered Authentication Agent for unix-process:2429:86278 (system bus name :1.36 [/usr/bin/pk...S.UTF-8)
Feb 02 23:56:34 chinko.giveadream.jp polkitd[573]: Unregistered Authentication Agent for unix-process:2429:86278 (system bus name :1.36, object pa...rom bus)
Hint: Some lines were ellipsized, use -l to show in full.

もう一度順序性を守ってやってみるんご

つまり、dbus、polkit停止→firewalld再起動→dbus、polkit起動

(注: ユニットファイルの After= が示す順序は「dbus/polkit が先、firewalld が後」なので、この手順は順序性を守っているというより、firewalld を dbus 無しで起動しようとする実験になっている。しかも下の結果の通り dbus は停止直後にソケット経由で再起動しているので、実際には dbus が止まった状態では試せていない)

せ7> systemctl stop dbus
Warning: Stopping dbus.service, but it can still be activated by:          ←dbus.service はソケット起動(Requires=dbus.socket)なので、service を止めても dbus.socket が listen し続け、次に誰かがバスへ接続した時点で dbus.service が再起動される、という警告
  dbus.socket   
   (実際、直後の `systemctl stop polkit` が出す認証エージェント(pkttyagent)の接続で 00:03:58 に dbus が再起動し、その流れで polkit も自動起動→即 stop されている。下の status のログがその痕跡)

せ7> systemctl stop polkit
PolicyKit daemon disconnected from the bus.
We are no longer a registered authentication agent.

せ7> systemctl status dbus
● dbus.service - D-Bus System Message Bus
   Loaded: loaded (/usr/lib/systemd/system/dbus.service; static; vendor preset: disabled)
   Active: active (running) since Sat 2018-02-03 00:03:58 PST; 7s ago
 Main PID: 2870 (dbus-daemon)
   CGroup: /system.slice/dbus.service
           mq2870 /bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation

Feb 03 00:03:58 chinko.giveadream.jp systemd[1]: Started D-Bus System Message Bus.
Feb 03 00:03:58 chinko.giveadream.jp systemd[1]: Starting D-Bus System Message Bus...
Feb 03 00:03:58 chinko.giveadream.jp dbus[2870]: [system] Activating via systemd: service name='org.freedesktop.PolicyKit1' unit='polkit.service'
Feb 03 00:03:58 chinko.giveadream.jp dbus-daemon[2870]: dbus[2870]: [system] Activating via systemd: service name='org.freedesktop.PolicyKit1' uni...service'
Feb 03 00:03:58 chinko.giveadream.jp dbus[2870]: [system] Successfully activated service 'org.freedesktop.PolicyKit1'
Feb 03 00:03:58 chinko.giveadream.jp dbus-daemon[2870]: dbus[2870]: [system] Successfully activated service 'org.freedesktop.PolicyKit1'
Hint: Some lines were ellipsized, use -l to show in full.

せ7> systemctl status polkit
● polkit.service - Authorization Manager
   Loaded: loaded (/usr/lib/systemd/system/polkit.service; static; vendor preset: enabled)
   Active: inactive (dead) since Sat 2018-02-03 00:03:58 PST; 22s ago
     Docs: man:polkit(8)
  Process: 2873 ExecStart=/usr/lib/polkit-1/polkitd --no-debug (code=killed, signal=TERM)
 Main PID: 2873 (code=killed, signal=TERM)

Feb 03 00:03:58 chinko.giveadream.jp systemd[1]: Starting Authorization Manager...
Feb 03 00:03:58 chinko.giveadream.jp polkitd[2873]: Started polkitd version 0.112
Feb 03 00:03:58 chinko.giveadream.jp polkitd[2873]: Loading rules from directory /etc/polkit-1/rules.d
Feb 03 00:03:58 chinko.giveadream.jp polkitd[2873]: Loading rules from directory /usr/share/polkit-1/rules.d
Feb 03 00:03:58 chinko.giveadream.jp polkitd[2873]: Finished loading, compiling and executing 6 rules
Feb 03 00:03:58 chinko.giveadream.jp polkitd[2873]: Acquired the name org.freedesktop.PolicyKit1 on the system bus
Feb 03 00:03:58 chinko.giveadream.jp systemd[1]: Started Authorization Manager.
Feb 03 00:03:58 chinko.giveadream.jp polkitd[2873]: Registered Authentication Agent for unix-process:2867:130756 (system bus name :1.1 [/usr/bin/p...S.UTF-8)
Feb 03 00:03:58 chinko.giveadream.jp systemd[1]: Stopping Authorization Manager...
Feb 03 00:03:58 chinko.giveadream.jp systemd[1]: Stopped Authorization Manager.
Hint: Some lines were ellipsized, use -l to show in full.

せ7> systemctl restart firewalld
せ7> systemctl start dbus
せ7> systemctl start polkit
せ7> systemctl status firewalld

● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: active (running) since Sat 2018-02-03 00:07:38 PST; 43s ago
     Docs: man:firewalld(1)
 Main PID: 2935 (firewalld)
   CGroup: /system.slice/firewalld.service
           mq2935 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid

Feb 03 00:07:38 chinko.giveadream.jp systemd[1]: Starting firewalld - dynamic firewall daemon...  ←ブート直後と同じ
Feb 03 00:07:38 chinko.giveadream.jp systemd[1]: Started firewalld - dynamic firewall daemon.    ←ブート直後と同じ

せ7> systemctl status dbus
● dbus.service - D-Bus System Message Bus
   Loaded: loaded (/usr/lib/systemd/system/dbus.service; static; vendor preset: disabled)
   Active: active (running) since Sat 2018-02-03 00:03:58 PST; 4min 30s ago
 Main PID: 2870 (dbus-daemon)
   CGroup: /system.slice/dbus.service
           mq2870 /bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation

Feb 03 00:03:58 chinko.giveadream.jp systemd[1]: Started D-Bus System Message Bus.
Feb 03 00:03:58 chinko.giveadream.jp systemd[1]: Starting D-Bus System Message Bus...
Feb 03 00:03:58 chinko.giveadream.jp dbus[2870]: [system] Activating via systemd: service name='org.freedesktop.PolicyKit1' unit='polkit.service'
Feb 03 00:03:58 chinko.giveadream.jp dbus-daemon[2870]: dbus[2870]: [system] Activating via systemd: service name='org.freedesktop.PolicyKit1' uni...service'
Feb 03 00:03:58 chinko.giveadream.jp dbus[2870]: [system] Successfully activated service 'org.freedesktop.PolicyKit1'
Feb 03 00:03:58 chinko.giveadream.jp dbus-daemon[2870]: dbus[2870]: [system] Successfully activated service 'org.freedesktop.PolicyKit1'
Feb 03 00:07:38 chinko.giveadream.jp dbus[2870]: [system] Activating via systemd: service name='org.freedesktop.PolicyKit1' unit='polkit.service'
Feb 03 00:07:38 chinko.giveadream.jp dbus-daemon[2870]: dbus[2870]: [system] Activating via systemd: service name='org.freedesktop.PolicyKit1' uni...service'
Feb 03 00:07:38 chinko.giveadream.jp dbus[2870]: [system] Successfully activated service 'org.freedesktop.PolicyKit1'
Feb 03 00:07:38 chinko.giveadream.jp dbus-daemon[2870]: dbus[2870]: [system] Successfully activated service 'org.freedesktop.PolicyKit1'
Hint: Some lines were ellipsized, use -l to show in full.

せ7> systemctl status polkit
● polkit.service - Authorization Manager
   Loaded: loaded (/usr/lib/systemd/system/polkit.service; static; vendor preset: enabled)
   Active: active (running) since Sat 2018-02-03 00:07:38 PST; 1min 2s ago
     Docs: man:polkit(8)
 Main PID: 2927 (polkitd)
   CGroup: /system.slice/polkit.service
           mq2927 /usr/lib/polkit-1/polkitd --no-debug

Feb 03 00:07:38 chinko.giveadream.jp polkitd[2927]: Loading rules from directory /usr/share/polkit-1/rules.d
Feb 03 00:07:38 chinko.giveadream.jp polkitd[2927]: Finished loading, compiling and executing 6 rules
Feb 03 00:07:38 chinko.giveadream.jp polkitd[2927]: Acquired the name org.freedesktop.PolicyKit1 on the system bus
Feb 03 00:07:38 chinko.giveadream.jp systemd[1]: Started Authorization Manager.
Feb 03 00:07:38 chinko.giveadream.jp polkitd[2927]: Registered Authentication Agent for unix-process:2922:152702 (system bus name :1.3 [/usr/bin/p...S.UTF-8)
Feb 03 00:07:38 chinko.giveadream.jp polkitd[2927]: Unregistered Authentication Agent for unix-process:2922:152702 (system bus name :1.3, object p...rom bus)
Feb 03 00:07:58 chinko.giveadream.jp polkitd[2927]: Registered Authentication Agent for unix-process:3012:154768 (system bus name :1.6 [/usr/bin/p...S.UTF-8)
Feb 03 00:07:58 chinko.giveadream.jp polkitd[2927]: Unregistered Authentication Agent for unix-process:3012:154768 (system bus name :1.6, object p...rom bus)
Feb 03 00:08:12 chinko.giveadream.jp polkitd[2927]: Registered Authentication Agent for unix-process:3018:156116 (system bus name :1.7 [/usr/bin/p...S.UTF-8)
Feb 03 00:08:12 chinko.giveadream.jp polkitd[2927]: Unregistered Authentication Agent for unix-process:3018:156116 (system bus name :1.7, object p...rom bus)
Hint: Some lines were ellipsized, use -l to show in full.

なんか、polkitサービスとdbusサービスのstatusがブート直後と微妙に違うんご。一応warning以上は出てないけどwww

→違いは "Registered/Unregistered Authentication Agent for unix-process:... [/usr/bin/pk..." の行で、これは端末から systemctl を叩くたびに polkit の認証エージェントが登録/解除されているだけ。firewalld とは無関係。

これ見るとfirewalldの落とし上げは普通に、systemctl stop firewalld と、systemctl start firewalldでいいみたいなのだけど。順序は systemd が After=/Type=dbus から解決してくれるので、dbus や polkit を手で止めたり上げたりする必要はない。

ただし注意点:
・stop するとルールは全部消え、netfilter のモジュールも外れる(上の lsmod の結果では nfnetlink しか残っていない)。stop してから start するまでの間、このホストはフィルタ無しで外に晒される。nfsd が読み込まれている(=NFS サーバが動いていそう)ので、その間は NFS もそのまま到達可能になる。
・設定を反映したいだけなら、ユニットに ExecReload=/bin/kill -HUP $MAINPID があるので `systemctl reload firewalld`(あるいは `firewall-cmd --reload`)で止めずに再読み込みできる。落とし上げは本当に必要なときだけにする。

 

【課題】まだわかってないこと

・dbusやpolkitとの順序性、依存性

・NetworkManagerがインタフェースを管理してる場合、firewalldと関係してそう

・本当に正しい順序でサービスを起動/停止する方法(ヒント: `systemctl list-dependencies firewalld` と `systemd-analyze critical-chain firewalld.service` で、systemd が After=/Before=/Requires= から解決した実際の順序を確認できる)

・systemdは正しく使えば、万事「良きに図らってくれる」らしいが、間違った使い方するとしっちゃかめっちゃかになりそう!?

・firewall-cmdコマンド

 

■firewalldとiptablesの比較

・firewalldもiptablesもnetfilterカーネルモジュールを使っている。さらにこのホストの firewalld は内部で /usr/sbin/iptables コマンドを呼んでルールを操作している(上の WARNING のログに '/usr/sbin/iptables -w2 -w --table filter --delete ...' と出ている)ので、この時点の firewalld は iptables のフロントエンドと言ってよい

・iptablesは古典的なACL型ファイアーウォール。

(ACL型とは、チェーン(INPUT/OUTPUT/FORWARD など)にルールを並べ、各ルールで一致したパケットの扱い(iptables のターゲットで言えば ACCEPT/DROP/REJECT)を定義し、上から順に最初に一致したルールでフィルタリングする方式)

・上記に対してfirewalldはNetscreenやSRXやfortigateなどのようにネットワークを抽象化したゾーン(public/internal/trusted etc...)に分けて管理する。

(ネットワーク設計者が頭の中で考えていたゾーンの概念がファイアウォールにそのまま実装することができる)

D-Busインターフェースを使いfirewalldに指示を出すことで、パケットの通過ルールを動的に許可/不許可にすることができます。アプリケーションからD-Busで直接呼び出す以外にも、CLIのfirewall-cmd、GUIのfirewall-configから設定変更を行うことも可能。(上で見た polkit は、誰がこの D-Bus 経由の変更を許可されるかの認可を担当している)

https://oss.sios.com/guest-blog/guest-bog-20150624

 

■acl型ファイアウォールであるiptablesとLOGターゲットを使ってネットワーク障害調査を行う方法は「プロのためのLinuxシステム・ネットワーク管理技術」参照

 

■ファイアウォールの分類方法

上記の「acl型」と「ゾーン型」というのは日本語では実はあまり一般的でない。(ネットで探してもヒットしない)ただし英語では "zone-based firewall" という言い方は普通に使われている。

ただ、「できるPro RHEL7」のP.123で著者が「ACL型ファイウォール」という用語を使っている。

そんで、おいらもこれに対して、firewalld、SSG、SRX、fortigateなどのように、「ゾーン」という抽象的なセキュリティ範囲を定義して、ゾーン間の通信ルールを定義するファイアウォールを勝手に「ゾーン型ファイアウォール」と言ってみたwww

古典的なファイアウォールの分類法としてこちらのサイトでは「パケットフィルタリング型」と「プロキシ型」という分類をしている。acl型もゾーン型も「パケットフィルタリング型」のサブカテゴリーとなる。

さらに、PCやサーバ自体のインタフェースで動作するFWを「パーソナル型ファイアウォール」、ルータで動作するFWを「境界型ファイアウォール」という分類もよくつかわれる。

さらに、ファイアウォールでフィルタするレイヤに着目して、L4ファイアウォールとL7ファイアウォールという分類がある。

さらに、L4のポート番号(SRC/DST)やステートフルインスペクションだけでなく、ペイロードまで見て(アプリケーション識別、IPS、アンチウイルスなど)フィルタする製品を UTM と呼ぶ。これは L7 側の分類に入る。

※IPS/IDS、UTM、WAFの用語の整理

https://www.websecurity.symantec.com/ja/jp/theme/waf-ips-ids