Firewall Rules Fog Server

Trying to button up our Fog Server and apply UFW rules. Does anyone have a default ruleset that they use for Fog? This is what it is currently listening on:

udp    UNCONN  0        0                  0.0.0.0:55629          0.0.0.0:*      users:(("rpc.statd",pid=688,fd=8))
udp    UNCONN  0        0                  0.0.0.0:59831          0.0.0.0:*      users:(("rpc.mountd",pid=687,fd=8))
udp    UNCONN  0        0            127.0.0.53%lo:53             0.0.0.0:*      users:(("systemd-resolve",pid=675,fd=13))
udp    UNCONN  0        0          10.10.70.9%eth0:68             0.0.0.0:*      users:(("systemd-network",pid=673,fd=15))
udp    UNCONN  0        0                  0.0.0.0:69             0.0.0.0:*      users:(("in.tftpd",pid=819,fd=4))
udp    UNCONN  0        0                  0.0.0.0:111            0.0.0.0:*      users:(("rpcbind",pid=544,fd=5),("systemd",pid=1,fd=62))
udp    UNCONN  0        0                  0.0.0.0:49302          0.0.0.0:*
udp    UNCONN  0        0                  0.0.0.0:161            0.0.0.0:*      users:(("snmpd",pid=713,fd=6))
udp    UNCONN  0        0                127.0.0.1:864            0.0.0.0:*      users:(("rpc.statd",pid=688,fd=5))
udp    UNCONN  0        0                  0.0.0.0:33924          0.0.0.0:*      users:(("rpc.mountd",pid=687,fd=4))
udp    UNCONN  0        0                  0.0.0.0:33928          0.0.0.0:*      users:(("rpc.mountd",pid=687,fd=12))
udp    UNCONN  0        0                     [::]:46961             [::]:*      users:(("rpc.mountd",pid=687,fd=14))
udp    UNCONN  0        0                     [::]:43807             [::]:*      users:(("rpc.mountd",pid=687,fd=10))
udp    UNCONN  0        0                     [::]:44473             [::]:*      users:(("rpc.mountd",pid=687,fd=6))
udp    UNCONN  0        0                     [::]:36621             [::]:*      users:(("rpc.statd",pid=688,fd=10))
udp    UNCONN  0        0                     [::]:69                [::]:*      users:(("in.tftpd",pid=819,fd=5))
udp    UNCONN  0        0                     [::]:111               [::]:*      users:(("rpcbind",pid=544,fd=7),("systemd",pid=1,fd=64))
udp    UNCONN  0        0                     [::]:37797             [::]:*
tcp    LISTEN  0        4096               0.0.0.0:42063          0.0.0.0:*      users:(("rpc.mountd",pid=687,fd=9))
tcp    LISTEN  0        32                 0.0.0.0:21             0.0.0.0:*      users:(("vsftpd",pid=730,fd=3))
tcp    LISTEN  0        128                0.0.0.0:22             0.0.0.0:*      users:(("sshd",pid=850,fd=3))
tcp    LISTEN  0        4096               0.0.0.0:111            0.0.0.0:*      users:(("rpcbind",pid=544,fd=4),("systemd",pid=1,fd=61))
tcp    LISTEN  0        4096               0.0.0.0:60621          0.0.0.0:*      users:(("rpc.statd",pid=688,fd=9))
tcp    LISTEN  0        80                 0.0.0.0:3306           0.0.0.0:*      users:(("mariadbd",pid=926,fd=30))
tcp    LISTEN  0        4096               0.0.0.0:48417          0.0.0.0:*      users:(("rpc.mountd",pid=687,fd=5))
tcp    LISTEN  0        64                 0.0.0.0:44735          0.0.0.0:*
tcp    LISTEN  0        64                 0.0.0.0:2049           0.0.0.0:*
tcp    LISTEN  0        4096               0.0.0.0:35157          0.0.0.0:*      users:(("rpc.mountd",pid=687,fd=13))
tcp    LISTEN  0        4096                  [::]:54973             [::]:*      users:(("rpc.mountd",pid=687,fd=11))
tcp    LISTEN  0        128                   [::]:22                [::]:*      users:(("sshd",pid=850,fd=4))
tcp    LISTEN  0        511                      *:80                   *:*      users:(("apache2",pid=1338482,fd=4),("apache2",pid=1275019,fd=4),("apache2",pid=1274184,fd=4),("apache2",pid=1274085,fd=4),("apache2",pid=1274084,fd=4),("apache2",pid=1274083,fd=4),("apache2",pid=1274082,fd=4),("apache2",pid=1274081,fd=4),("apache2",pid=986,fd=4))
tcp    LISTEN  0        64                    [::]:41029             [::]:*
tcp    LISTEN  0        4096                  [::]:111               [::]:*      users:(("rpcbind",pid=544,fd=6),("systemd",pid=1,fd=63))
tcp    LISTEN  0        511                      *:443                  *:*      users:(("apache2",pid=1338482,fd=6),("apache2",pid=1275019,fd=6),("apache2",pid=1274184,fd=6),("apache2",pid=1274085,fd=6),("apache2",pid=1274084,fd=6),("apache2",pid=1274083,fd=6),("apache2",pid=1274082,fd=6),("apache2",pid=1274081,fd=6),("apache2",pid=986,fd=6))
tcp    LISTEN  0        4096                  [::]:53863             [::]:*      users:(("rpc.mountd",pid=687,fd=7))
tcp    LISTEN  0        4096                  [::]:33617             [::]:*      users:(("rpc.statd",pid=688,fd=11))
tcp    LISTEN  0        80                    [::]:3306              [::]:*      users:(("mariadbd",pid=926,fd=32))
tcp    LISTEN  0        4096                  [::]:45009             [::]:*      users:(("rpc.mountd",pid=687,fd=15))
tcp    LISTEN  0        64                    [::]:2049              [::]:*

Hey everyone,

On 1.5x dev-branch on Ubuntu 22.04

Running the script to update and getting to the portion where it is creating PXE files for use with our SSL cert. I get the following error:

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!! The installer was not able to run all the way to the end as   !!
!! something has caused it to fail. The following few lines are  !!
!! from the error log file which might help us figure out what's !!
!! wrong. Please add this information when reporting an error.   !!
!! As well you might want to take a look at the full error log   !!
!! in /root/fogproject-dev-branch/bin/error_logs/fog_error_1.5.10.1733.log !!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

I pulled the logs and the PXE creation fails when it gets to the arm architecture files.

After this fails the main error log just shows that it saves the sql database. The system works and I can pxe boot my x86_64 systems (don’t actually have any arm stuff).

Thanks

Is there a serverside log to see what snapins have run, when and on which machines?

I am trying to see if an app was deployed to a particular device. I know it is a working snapin but short of checking the device directly, is there a way to see if it was pushed to that machine server side?

Thanks

@Tom-Elliott

Thanks. I’ll give it a shot.

I’ve searched but haven’t found a solution. I’m migrating machines from one Fog Server to another and want to uninstall the client that currently points to the old server so that I can re-install and point to the new server.

Does anyone have a script to remove the fog client? I already have a working installer script.

@anwoke8204

I think you’re misunderstanding what those fields are asking for. Those fields are asking which OU in which fog should look for the groups and users. Then you specify the groups with access in the admin group field.

From your screenshot you have some configuration errors.

Both Search Base DN and Group Base DN should be OU’s not CN’s.
Also you should likely have Search Scope set to Subtree and Below

If you want to use LDAPS you will need to have a publicly trusted Cert on your domain controller OR you will need to add the root cert to the cert store on your fog server.

@eazis

Did you make the changes for your admin group setting to be a group rather than an OU as you have it?

Can you go to Fog Configuration then to Fog Settings then Plugin: LDAP and screenshot what is there for LDAP ports and User Filter?

Also For “Admin Group”, that shouldn’t be the name of an OU but rather the name of a security group that your users are a member. That group should be located somewhere within the parameters set by the Group Search DN.

Nevermind. For whatever reason my host module settings were all deselected. No idea why. I am using persistent groups and these are set in that group.

Running 1.5.9 163 on Ubuntu 18.04.x
Imaging a Dell 5530 with windows 10 LTSC

Imaged a system with an existing image that has the client pre-installed. Host is registered, and has active directory settings set. System is never rebooting and not binding / renaming. I’ve reimaged it a couple times, and reset encryption. I’ve also disabled and re-enabled active directory settings for the host.

Fog log on the system shows.
Middleware: Response Module is disabled on host.

@jveronese

This is the expected behavior. What you want is persistent groups.

https://forums.fogproject.org/topic/8836/basic-persistent-groups-and-1-3-0rc16

Can you take a screenshot of your ldap configuration pane?

@jack_chapman

As a personal rule (not from the FOG team). I would recommend sticking with LTS OSes when setting up servers unless you want to regularly be upgrading or migrating. Ubuntu Interim standard support from Canonical is SHORT (9 months).

See 21.10 vs 18.04:
https://ubuntu.com/about/release-cycle

@wayne-workman said in Fedora 35 & FOG:

Knowing our limited developer resources, and to keep cost low, I suggest we cease testing Fedora as well as cease supporting Fedora - in the sense of fixing installation code to make new versions work.

Considering fedora is generally the bleeding edge version or REHL I would classify it under NOT LTS and pull it from the supported OS list.

@wayne-workman

That number makes sense given the number of commits since the GA release and how many are bug fixes.

One option for limiting support to reduce workload would be to limit to LTS branches only. So only 18.04 and 20.04 for Ubuntu and skipping the intermediary releases and dropping those that go out of support by their vendor (eg ubuntu 14.04, 16.04).

Finally got a chance to run the upgrade again and figured out my issue.

For some reason safari wasn’t happy with the upgrade. I can open fog fine from a private window or if I cleared history. It doesn’t open in Chrome, which was my other test because chrome doesn’t trust the ssl cert and no longer gives an option to bypass by default.

When I run :

SELECT * FROM hostMAC WHERE hmMAC LIKE '%aa:bb:cc:dd:ee:ff%';
SELECT * FROM hosts WHERE hostID IN (SELECT hmHostID FROM hostMAC WHERE hmMAC LIKE '%aa:bb:cc:dd:ee:ff%');

I get output pertaining to the host that I had deleted via the GUI. Is there a way to delete those records from the DB using the MAC?

I have a couple hosts that I deleted via the fog GUI (1.5.9.98) and when I go to reenroll them they are complaining that the MAC is already in use. Any way to completely purge these?