Posts by gabrielwhite
-
-
I want to restrict access to the ports to a specific set of IPs. It seems the only way I could probably do this with OMV webui is to set up the container to use host networking.
-
Quote
Uncomplicated Firewall (ufw) is a frontend that ships with Debian and Ubuntu, and it lets you manage firewall rules. Docker and ufw use iptables in ways that make them incompatible with each other.
When you publish a container’s ports using Docker, traffic to and from that container gets diverted before it goes through the ufw firewall settings. Docker routes container traffic in the nat table, which means that packets are diverted before it reaches the INPUT and OUTPUT chains that ufw uses. Packets are routed before the firewall rules can be applied, effectively ignoring your firewall configuration.
Source: Packet filtering and firewalls
Seems this is a Docker limitation that OMV can't get around (at least insofar as only the INPUT and OUTPUT chains can be manipulated through the WebUI).
-
I've been trying to set up the firewall inside OMV, and I've been mostly successful at restricting access as I want.
BUT I can't seem to restrict access to Docker containers running on the server using the rules in the OMV6 user interface.
My iptables are below, and my guess is that Docker's rules are taking precedence over OMV's rules. Specifically, I wanted to restrict access to ports 3000 and 3001, and even if I drop all the traffic in the OMV UI, the port remains open.
The rules below should block all traffic to ports 3000/3001, according to the first block (which is what I'd configured in OMV), but then later you can see that docker allows those ports.
Have I hit a limitation of the OMV webui, or am I missing something here? Or is there a way I can configure the docker containers differently?
Code
sudo iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:53
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:853
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8088
ACCEPT     tcp  --  10.0.0.10            0.0.0.0/0            tcp dpt:2049
ACCEPT     udp  --  10.0.0.10            0.0.0.0/0            udp dpt:2049
ACCEPT     tcp  --  10.0.0.10            0.0.0.0/0            tcp dpt:111
ACCEPT     udp  --  10.0.0.10            0.0.0.0/0            udp dpt:111
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:445
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP)
target     prot opt source               destination
ts-forward  all  --  0.0.0.0/0            0.0.0.0/0
DOCKER-USER  all  --  0.0.0.0/0            0.0.0.0/0
DOCKER-ISOLATION-STAGE-1  all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain DOCKER (6 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            172.20.0.2           tcp dpt:3000
ACCEPT     tcp  --  0.0.0.0/0            172.20.0.2           tcp dpt:853
ACCEPT     tcp  --  0.0.0.0/0            172.20.0.2           tcp dpt:53
ACCEPT     udp  --  0.0.0.0/0            172.20.0.2           udp dpt:53
ACCEPT     tcp  --  0.0.0.0/0            172.22.0.2           tcp dpt:3001

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination
DOCKER-ISOLATION-STAGE-2  all  --  0.0.0.0/0            0.0.0.0/0
DOCKER-ISOLATION-STAGE-2  all  --  0.0.0.0/0            0.0.0.0/0
DOCKER-ISOLATION-STAGE-2  all  --  0.0.0.0/0            0.0.0.0/0
DOCKER-ISOLATION-STAGE-2  all  --  0.0.0.0/0            0.0.0.0/0
DOCKER-ISOLATION-STAGE-2  all  --  0.0.0.0/0            0.0.0.0/0
DOCKER-ISOLATION-STAGE-2  all  --  0.0.0.0/0            0.0.0.0/0
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain DOCKER-ISOLATION-STAGE-2 (6 references)
target     prot opt source               destination
DROP       all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain DOCKER-USER (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain ts-forward (1 references)
target     prot opt source               destination
MARK       all  --  0.0.0.0/0            0.0.0.0/0            MARK xset 0x40000/0xff0000
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            mark match 0x40000/0xff0000
DROP       all  --  100.64.0.0/10        0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain ts-input (0 references)
target     prot opt source               destination
ACCEPT     all  --  100.74.72.50         0.0.0.0/0
RETURN     all  --  100.115.92.0/23      0.0.0.0/0
DROP       all  --  100.64.0.0/10        0.0.0.0/0
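The dump above shows the effect the quoted Docker note describes: INPUT ends in DROP, yet the DOCKER chain (reached from FORWARD, after DNAT in the nat table) accepts 3000 and 3001, and DOCKER-USER, the one chain Docker leaves for local rules, only RETURNs. As an added audit check, not code from this thread or from OMV, the script below parses `iptables -L -n` output (a constructed, abridged sample) and lists the container ports the DOCKER chain accepts that no DROP/REJECT in DOCKER-USER narrows; treating a `ctorigdstport` conntrack match as the port selector of a DOCKER-USER rule is an assumption.

```python
# Constructed, abridged sample of `iptables -L -n` output with Docker publishing
# ports: INPUT drops what is not listed, but the DOCKER chain still accepts 3000/3001.
SAMPLE = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain DOCKER (6 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            172.20.0.2           tcp dpt:3000
ACCEPT     tcp  --  0.0.0.0/0            172.22.0.2           tcp dpt:3001

Chain DOCKER-USER (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
"""

def parse_chains(text):
    """Map chain name -> list of rules, each rule split into its columns."""
    chains, current = {}, None
    for line in text.splitlines():
        if line.startswith("Chain "):
            current = line.split()[1]
            chains[current] = []
        elif current and line.strip() and not line.startswith("target"):
            chains[current].append(line.split())
    return chains

def rule_port(fields):
    """Port a rule matches (dpt:N or conntrack ctorigdstport N); None = every port."""
    for i, f in enumerate(fields):
        if f.startswith("dpt:"):
            return int(f[4:])
        if f == "ctorigdstport" and i + 1 < len(fields):   # assumed match form
            return int(fields[i + 1])
    return None

def exposed_container_ports(text):
    """(proto, port, container_ip) for DOCKER ACCEPT rules that no DROP/REJECT
    in DOCKER-USER covers; a port-less DROP there (None) covers every port."""
    chains = parse_chains(text)
    blocked = {rule_port(r) for r in chains.get("DOCKER-USER", [])
               if r[0] in ("DROP", "REJECT")}
    out = []
    for r in chains.get("DOCKER", []):
        port = rule_port(r)
        if r[0] == "ACCEPT" and port and not blocked & {port, None}:
            out.append((r[1], port, r[4]))   # r[4] is the destination column
    return out
```

Run it against real output with `sudo iptables -L -n | python3 -c 'import sys; ...'` or by pasting the dump in place of SAMPLE; an empty list means every published port is narrowed by something in DOCKER-USER.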
-
I had to do this to get it working:
- Disable NFS (and apply changes)
- Reboot
- Select supported versions
- Enable NFS
- Apply changes
If I tried to modify the NFS versions without disabling / rebooting, I continued to get errors.
-
-
apt-mark hold armbian-firmware is what you should have done. Selecting packages has caused more problems because it will list all packages with an update. If you select a package that is replaced by another and the package replacing it, the update will break.
If I was using the CLI, I assume?
-
The simplest solution then may just be to reword the dialog?
"All packages will be upgraded. Are you sure you want to proceed?"
-
If that's correct, then you shouldn't be able to select the items in the list.
If you select them, it says at the bottom of the list "X of Y items selected", which gives the impression the button will act only on the selected items (per normal UX standards).
I'd suggest disabling the ability to select items in the list. As I said, this bricked my OS, which wasn't ideal.
Gabe
-
When I go to System -> Update Management -> Updates it shows me a list of packages that can be upgraded.
The items in the list can be selected / highlighted.
I selected the 3 (of 4) packages I wanted to upgrade, and clicked the upgrade button (the down arrow with a line below). All 4 of the packages were upgraded, one of which was a firmware that bricked my installation (which is why I didn't want to install it in the first place).
Suggestions:
- Do not allow users to select items in the list of packages if that selection has no effect
- OR, upgrade only the items the user has selected
Thanks
Gabe
-
I reinstalled from the script and the problem went away. Thanks!
-
Ha! I can forgive the pixelation for retro charm.
-
-
Sidenote: the device is running Armbian 21.08.3 Bullseye with Linux 5.10.60-meson64
-
Since I updated to 6.0-34 (Shaitan) I've been getting the following error:
Code
/etc/cron.daily/openmediavault-cron-apt:
cat: write error: No space left on device
cat: write error: No space left on device
cat: write error: No space left on device
cat: write error: No space left on device
cat: write error: No space left on device
cat: write error: No space left on device
When I check the drive status I can see there is no space issue (/dev/mmcblk0p1 is my OS / boot drive):
Code
df -H
Filesystem      Size  Used Avail Use% Mounted on
udev            1.6G     0  1.6G   0% /dev
tmpfs           401M   15M  386M   4% /run
/dev/mmcblk0p1   16G  8.4G  7.0G  55% /
tmpfs           2.1G     0  2.1G   0% /dev/shm
tmpfs           5.3M  4.1k  5.3M   1% /run/lock
/dev/md0        6.0T  2.2T  3.9T  36% /srv/dev-disk-by-uuid-42e5e537-02b1-42d3-98d3-602339b07afe
tmpfs           2.1G     0  2.1G   0% /tmp
/dev/zram1       51M   50M     0 100% /var/log
If I reboot the device and run apt upgrade I don't get any error.
I've been using OMV6 for about 6 weeks now, through several upgrades.
Thoughts?
-
Thanks geaves, does that mean the installation guide in the OMV 6 documentation is incorrect? It doesn't mention using the install script.
-
Hi,
I'm installing OMV6 on Armbian Bullseye on an OrangePi One Plus.
I followed these command line instructions here:
https://openmediavault.readthe…stallation/on_debian.html
I was able to install successfully on an Odroid HC4, but the OrangePi is generating an error on this command:
Code
apt-get --yes --auto-remove --show-upgraded \
    --allow-downgrades --allow-change-held-packages \
    --no-install-recommends \
    --option DPkg::Options::="--force-confdef" \
    --option DPkg::Options::="--force-confold" \
    install openmediavault-keyring openmediavault
Results in the following error:
Code
The following packages have unmet dependencies:
 php-pam : Depends: phpapi-20180731 but it is not installable
E: Unable to correct problems, you have held broken packages.
I've looked through the forums and on Github and can't find anything to help me here.
It seems the missing package is a Debian Buster package, but isn't available in Bullseye.
Any suggestions?
-
I want to try to move away from email notifications, and I've just realised that there's no way to set up alternative notification systems WITHOUT email notifications.
I'd like to suggest that the notification system be re-imagined to allow the adding of a set of "profiles" which could be redirected to any service based on specific criteria (e.g. integrate something like https://github.com/caronc/apprise).
For example:
I want all messages to be sent to Slack on #channel1
I want WARN messages to be sent to Signal and Email (as well as Slack on #channel1)
I want DISK FULL messages to be sent to Slack on #channel2
I know there's the facility for adding scripts in /usr/share/openmediavault/notification/sink.d/ but this is somewhat technical.
Thanks!
Gabe
-
Ok thanks.
votdev - I hope you consider this for v6.0 - as it's an ongoing (though admittedly small) annoyance.
-
ryecoaaron Thanks for the reply.
Why does it ask me to confirm to close the tab only on some pages?
If I have made no configuration changes (i.e. logged in and clicked only on the left-hand navigation):
- I get (unpredictably) a pop-up when I close the browser tab on the Dashboard
- I always get a pop-up when I close the browser tab on the Users
- I never get a pop-up when I close the browser tab on Disks
Can you explain the intent a bit more?