NFS Root FS and fiaif
C. Chad Wallace
email hidden
Wed May 23 03:11:24 CEST 2007
Hello...
I have set up a diskless firewall using PXE boot and an NFS root
filesystem, and FIAIF. It's working now, but I had to patch FIAIF. :-(
The problem I had was that when FIAIF cleared all the iptables rules at
startup, setting the default policy to DROP for everything, NFS would be
blocked, and the machine would be left without a root filesystem.
Obviously, it locked up and would go no further. It would work when
DEBUG was set, because the default policy was ACCEPT. But that just
won't do for the long term.
So, what I did was change the init script and iptables.sh so that the
default DROP policy is applied after all the rules have been set up.
That way, NFS never gets disrupted since there is always a rule around
that will let it through. The only problem I can see with this is that
there is a moment where the firewall is not effective, but it should be
a brief moment, and it's only at startup... so I'm not too worried.
However, I'm a FIAIF noob, so I am a little worried. :-) I've attached
a patch containing my changes against version 1.21.1-5 (from Debian
sid), so hopefully someone with a little more experience can look it
over and see if there are any flaws or concerns... or if there is a
better way to do this.
Thanks!
-- 
C. Chad Wallace, B.Sc.
The Lodging Company
http://www.skihills.com/
OpenPGP Public Key ID: 0x262208A0
Name: fiaif-1.21.1.nfsroot-patch2
Url: http://www.fiaif.net/pipermail/fiaif/attachments/20070522/33cf4be0/attachment.ksh
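Two added checks for the startup-ordering problem described in the post above (example code, not the poster's patch and not FIAIF's own scripts): the first emits an atomic iptables-restore ruleset in which the DROP policies and the NFS accept rules land together, so neither the brief open window nor the lockup can occur; the second audits a rule-by-rule script for the bad ordering. The NFS server address 192.0.2.10 is an assumed placeholder.

```shell
#!/bin/sh
# Added example, not FIAIF code or the poster's patch.
# Assumed placeholders: NFS server 192.0.2.10; iptables-restore and awk present.

# Emit a complete ruleset in iptables-restore format. iptables-restore
# replaces the whole table in one step, so the DROP policies and the NFS
# accept rules take effect together: no instant without a root filesystem,
# and no instant with the firewall open. Production use would narrow the
# NFS server lines to the NFS ports (111, 2049, pinned mountd/lockd ports).
nfsroot_ruleset() {
    nfs_server="$1"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# The root filesystem lives on this host; never cut it off.
-A INPUT -s ${nfs_server} -j ACCEPT
-A OUTPUT -d ${nfs_server} -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Load the ruleset (needs root). Nothing changes if iptables-restore rejects it.
apply_ruleset() {
    nfsroot_ruleset "$1" | iptables-restore
}

# Audit a rule-by-rule script in the FIAIF iptables.sh style. Exit 1 if a
# "-P INPUT/OUTPUT DROP" command runs before the first rule that ACCEPTs the
# NFS server: the ordering that left the diskless box without a root filesystem.
check_order() {
    awk -v nfs="$2" '
        /-P (INPUT|OUTPUT) DROP/ && !seen_nfs { bad = 1 }
        index($0, nfs) && /ACCEPT/           { seen_nfs = 1 }
        END { exit bad ? 1 : 0 }' "$1"
}

# Usage: DRY_RUN=0 ./this.sh 192.0.2.10 loads the rules; the default only prints them.
if [ "${DRY_RUN:-1}" = 1 ]; then nfsroot_ruleset "${1:-192.0.2.10}"; else apply_ruleset "${1:-192.0.2.10}"; fi
```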