All Questions(server)

I've set up Keepalived as a load balancer but am not using a Master/Standby configuration—just a single server.

The issue arises when firewalld is enabled. Without firewalld, everything works fine. However, when firewalld is running, packets returning from the real server are blocked with the STATE_INVALID_DROP rule.

The setup involves two interfaces: enp2s0 (clients zone) and enp3s0 (servers zone). Traffic flowing from enp2s0 to enp3s0 works correctly, but the problem occurs with traffic returning from enp3s0 to enp2s0.

Interestingly, if I use only firewalld with a route configured to reach the real server and remove Keepalived, the traffic flows without any issues. The problem only appears when both firewalld and Keepalived are in use together.

This is my zones config:

router1@router1:~$ sudo firewall-cmd --zone clients --list-all
clients (active)
  target: DROP
  ingress-priority: 0
  egress-priority: 0
  icmp-block-inversion: no
  interfaces: enp2s0
  sources:
  services: http
  ports:
  protocols:
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
router1@router1:~$ sudo firewall-cmd --zone servers --list-all
servers (active)
  target: DROP
  ingress-priority: 0
  egress-priority: 0
  icmp-block-inversion: no
  interfaces: enp3s0
  sources:
  services: http
  ports:
  protocols:
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

And this is my politics config:

router1@router1:~$ sudo firewall-cmd --policy fromCliToSrv --list-all
fromCliToSrv (active)
  priority: -1
  target: DROP
  ingress-zones: clients
  egress-zones: servers
  services: http
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
router1@router1:~$ sudo firewall-cmd --policy fromSrvToCli --list-all
fromSrvToCli (active)
  priority: -1
  target: DROP
  ingress-zones: servers
  egress-zones: clients
  services: http
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

And this is my keepalived config:

router1@router1:~$ sudo cat /etc/keepalived/keepalived.conf
! Configuration File for keepalived

virtual_server 172.20.241.20 80 {
        lb_algo wrr
        lb_kind NAT
        protocol TCP
        persistence_timeout 600
        persistence_granularity 255.255.255.0

        real_server 10.0.1.5 {
                weight 1
        }
        real_server 10.0.1.6 {
                weight 2
        }
        real_server 10.0.1.7 {
                weight 3
        }
}

I tried adding forward ports to clients zone like this:

router1@router1:~$ sudo firewall-cmd --permanent --zone clients --add-forward-port=port=80:proto=tcp:toaddr=10.0.1.5:toport=80
success
router1@router1:~$ sudo firewall-cmd --permanent --zone clients --add-forward-port=port=80:proto=tcp:toaddr=10.0.1.6:toport=80
success
router1@router1:~$ sudo firewall-cmd --permanent --zone clients --add-forward-port=port=80:proto=tcp:toaddr=10.0.1.7:toport=80
success
router1@router1:~$ sudo firewall-cmd --reload
success

But this config forwards all requests to 10.0.1.5 because it's first rule that was added

I just begun learning kubernetes. I made an account in digital-ocean and started a kubernetes cluster. Then I tried following this article https://www.digitalocean.com/community/tutorials/how-to-secure-your-site-in-kubernetes-with-cert-manager-traefik-and-let-s-encrypt. But I'm having some questions about how it works. Right now my situation is this one:

kubectl get pods,services,deployments
NAME                                   
pod/app-frontend      
pod/app-backend       
pod/cm-acme-http-solver-qh8ms          
pod/company-service    
pod/edge-service      
pod/location-service  
pod/traefik           
pod/traefik-deployment 
pod/user-service      

NAME                                TYPE           EXTERNAL-IP       PORT(S)                   
service/app-frontend                LoadBalancer   app-ext-ip        3000:32459/TCP            
service/app-backend                 ClusterIP      <none>            5432/TCP                  
service/cm-acme-http-solver-fcgpr   NodePort       <none>            8089:30577/TCP            
service/company-service             ClusterIP      <none>            9003/TCP                  
service/edge-service                ClusterIP      <none>            9000/TCP                  
service/kubernetes                  ClusterIP      <none>            443/TCP                   
service/location-service            ClusterIP      <none>            9002/TCP                  
service/traefik                     LoadBalancer   traefik-ext-ip    80:32591/TCP,443:30716/TCP
service/traefik-dashboard-service   LoadBalancer   tr-dash-ext-ip    8080:31431/TCP            
service/traefik-web-service         LoadBalancer   tr-ws-ext-ip      80:31211/TCP              
service/user-service                ClusterIP      <none>            9001/TCP                  

NAME                              
deployment.apps/app-frontend     
deployment.apps/app-backend     
deployment.apps/company-service   
deployment.apps/edge-service      
deployment.apps/location-service  
deployment.apps/traefik           
deployment.apps/traefik-deployment
deployment.apps/user-service  

So I have Traefik working but not acting as proxy, the app-frontend working, but not in https, the certificates issued by letsencrypt not being used anywhere. for example

kubectl get issuer -o wide
NAME             READY   STATUS 
challenge-http   True    The ACME account was registered with the ACME server
kubectl get certificateRequest -o wide
NAME                          APPROVED   DENIED   READY   ISSUER           REQUESTOR                                         STATUS                                                                                                 AGE
    tls-app-ingress   True                False   challenge-http   system:serviceaccount:cert-manager:cert-manager   Waiting on certificate issuance from order default/tls-app-ingress-http: "pending"
kubectl get certificates
NAME                    READY   SECRET                  AGE
tls-app-ingress-http   False   tls-area-ingress-http   166m

And of course since I am learning from scratch, everything is in the default environment. How do I tell kubernetes to use Traefik as a proxy and arrive to the app-frontend via https? I'm not offended if you answer me with some documentation to read, just point me in the right direction.

I have two different linux machines(server websites) seperated by internet having similar directory tree and files. both can acess each other via ssh.

I want to sync certain directories, however I need to know before performing the actual sync about list of files and dirs that need to be transferred or deleted before I perform it.

Rysnc performs well to preform actual sync. But is there any option in it which shows me what changes will take place before performing it ?

Or is there any other linux program that can do that.

both linux machines can access each other via ssh

Thanks

We are in a hybrid Exchange environment. I am creating a script to create users and their associated remote mailboxes. After completing a successful run of the script, I deleted the test user without first removing the remote mailbox. Now, I have a remote mailbox with no AD user associated to it. When I attempt remove-remotemailbox it errors stating that it could not find the user in AD (because it had been deleted).

I tried recreating the AD user without enabling the remote mailbox, but I assume because it has a different GUID, it doesn't see it as the same AD user.

Office 365 Administration won't let me delete the account there -- the option is grayed out.

How can I get rid of this orphaned remote mailbox?

To find a matched entry in the route table, a bitwise AND will be applied to the destination IP and the netmask in the route table. I wonder if the bitwise AND will ALSO be applied to the "Network Destination" of current entry in the route table and the netmask, then the two AND results are compared; or, there is only one AND(the destination IP and the netmask) and the result is directly compared to the "Network Destination" in the route table?