NFS Root FS and fiaif
Sameh Attia
Wed May 23 22:30:25 CEST 2007
Hi,
We have a running setup for network installation of RHEL and CentOS using
NFS installation too. It boots, works, and sets up with no problem at all
using vanilla FIAIF.
Show us your config.
--
Sameh Attia
On 5/23/07, C. Chad Wallace <cwallace at lodgingcompany.com> wrote:
>
>
> Hello...
>
> I have set up a diskless firewall using PXE boot and an NFS root
> filesystem, and FIAIF. It's working now, but I had to patch FIAIF. :-(
>
> The problem I had was that when FIAIF cleared all the iptables rules at
> startup, setting the default policy to DROP for everything, NFS would be
> blocked, and the machine would be left without a root filesystem.
> Obviously, it locked up and would go no further. It would work when
> DEBUG was set, because the default policy was ACCEPT. But that just
> won't do for the long term.
>
> So, what I did was change the init script and iptables.sh so that the
> default DROP policy is applied after all the rules have been set up.
> That way, NFS never gets disrupted since there is always a rule around
> that will let it through. The only problem I can see with this is that
> there is a moment where the firewall is not effective, but it should be
> a brief moment, and it's only at startup... so I'm not too worried.
>
> However, I'm a FIAIF noob, so I am a little worried. :-) I've attached
> a patch containing my changes against version 1.21.1-5 (from Debian
> sid), so hopefully someone with a little more experience can look it
> over and see if there are any flaws or concerns... or if there is a
> better way to do this.
>
> Thanks!
> --
>
> C. Chad Wallace, B.Sc.
> The Lodging Company
> http://www.skihills.com/
> OpenPGP Public Key ID: 0x262208A0
>
>
>
> diff -ur fiaif-1.21.1/prog/fiaif fiaif-1.21.1.patched/prog/fiaif
> --- fiaif-1.21.1/prog/fiaif 2005-11-24 12:57:23.000000000 -0800
> +++ fiaif-1.21.1.patched/prog/fiaif 2007-05-22 17:26:49.000000000-0700
> @@ -91,7 +91,7 @@
> else
> debug_out "Removing all existing rules, and setting default
> policies"
> iptables_stop ${DEBUG}
> - iptables_setup
> + iptables_setup ${DEBUG}
>
> # Test if rules should be saved
> if (( ZONE_ERRORS == 0 && DEV_ERRORS == 0 && \
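Review bot: between `iptables_stop ${DEBUG}` and the `iptables_policy` call at the end of `iptables_setup` the three filter policies are ACCEPT and every chain is empty, so this is the window the cover mail mentions; since `iptables_stop` no longer reads its argument after this patch, the `${DEBUG}` passed to it here is dead and could be dropped to make the new division of labour (stop = flush open, policy = close) visible at the call site.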
> @@ -213,6 +213,7 @@
>
> panic)
> # Stop the firewall. Do not read DEBUG variable.
> + iptables_policy 0
> iptables_stop 0
> tc_stop
> rm -f ${SUBSYS_FILE}
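Review bot: the order in the `panic)` branch looks inverted: `iptables_policy 0` sets the policies to DROP, but the `iptables_stop 0` right after it now resets INPUT, FORWARD and OUTPUT to ACCEPT and flushes the chains, so panic ends with open policies and no rules at all. Swap the two lines (`iptables_stop 0` first, then `iptables_policy 0`) so the DROP policy is the final state.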
> diff -ur fiaif-1.21.1/src/iptables.sh fiaif-1.21.1.patched/src/iptables.sh
> --- fiaif-1.21.1/src/iptables.sh 2007-01-23 11:48:36.000000000-0800
> +++ fiaif-1.21.1.patched/src/iptables.sh 2007-05-22 17:26:
> 49.000000000 -0700
> @@ -26,14 +26,12 @@
> function iptables_stop ()
> {
> local DEBUG=$1
> - local POLICY
> - if (( DEBUG == 0 )); then
> - POLICY=DROP
> - else
> - POLICY=ACCEPT
> - fi
>
> echo -n "Clearing all rules: "
> + IPTABLES -P INPUT ACCEPT
> + IPTABLES -P FORWARD ACCEPT
> + IPTABLES -P OUTPUT ACCEPT
> +
> IPTABLES -F
> IPTABLES -F -t nat
> IPTABLES -F -t mangle
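Review bot: `local DEBUG=$1` is now unused in `iptables_stop`, and the function's contract has changed for every caller: with DEBUG=0 it used to leave DROP policies behind, now it always leaves ACCEPT. Any other caller that relied on the old behaviour (a `stop` action, if it calls `iptables_stop 0` the way `panic` does) will now leave the host open unless it is also followed by `iptables_policy`; either drop the parameter and rename or comment the function as a flush-to-open, or audit each caller.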
> @@ -46,11 +44,6 @@
> IPTABLES -Z -t nat
> IPTABLES -Z -t mangle
>
> - #Always set default policy.
> - IPTABLES -P INPUT ${POLICY}
> - IPTABLES -P FORWARD ${POLICY}
> - IPTABLES -P OUTPUT ${POLICY}
> -
> IPTABLES -t nat -P PREROUTING ACCEPT
> IPTABLES -t nat -P POSTROUTING ACCEPT
> IPTABLES -t nat -P OUTPUT ACCEPT
> @@ -66,6 +59,21 @@
> echo "Done."
> }
>
> +function iptables_policy ()
> +{
> + local DEBUG=$1
> + local POLICY
> + if (( DEBUG == 0 )); then
> + POLICY=DROP
> + else
> + POLICY=ACCEPT
> + fi
> +
> + IPTABLES -P INPUT ${POLICY}
> + IPTABLES -P FORWARD ${POLICY}
> + IPTABLES -P OUTPUT ${POLICY}
> +}
> +
>
>
> ###############################################################################
> # setup_default_chains
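Review bot: `iptables_policy` is missing the `####…` header block that the other functions in this file carry (see `setup_default_chains` just below); add one documenting the argument (0 gives DROP, anything else ACCEPT) and noting that a missing argument is treated as 0 by `(( DEBUG == 0 ))`, so the function fails closed, which is the right default for a firewall.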
> @@ -456,6 +464,8 @@
>
> ###############################################################################
> function iptables_setup ()
> {
> + local DEBUG=$1
> +
> # Damn bash. We really needed this to be in a seperate function,
> # but declare only declares locally to functions.
> local GLOBAL_INTERFACES=""
> @@ -562,5 +572,7 @@
> IPTABLES -A DEV_${DEVICE}_DST -j LOG_MARTIAN
> done
>
> + iptables_policy $DEBUG
> +
> return ${DEV_ERRORS}
> }
>
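Review bot: `iptables_policy $DEBUG` only runs if control reaches the very end of `iptables_setup`; if the function can return earlier on an error path, the ACCEPT policies set by `iptables_stop` stay in force with whatever partial rule set was built. Safer to have the caller in prog/fiaif invoke `iptables_policy ${DEBUG}` after `iptables_setup` unconditionally (regardless of its return value), so no exit path can leave the host open.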
> _______________________________________________
> fiaif mailing list
> fiaif at fiaif.net
> https://www.fiaif.net/mailman/listinfo/fiaif
>
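The startup ordering Chad describes (flush with the policies opened, install the rules, close the default policy last, and a panic path that ends closed), as an added example that is not FIAIF code or part of either message. It assumes an `IPTABLES` variable for dry-running (set it to `iptables` on a real host) and a constructed NFS server address.

```shell
#!/bin/sh
# Added example (not FIAIF code): reload sequence that keeps an NFS root
# reachable while rules are rebuilt, then applies the DROP policy last.
# IPTABLES="echo iptables" dry-runs; set IPTABLES=iptables on a real host.
IPTABLES="${IPTABLES:-echo iptables}"
NFS_SERVER="${NFS_SERVER:-192.0.2.10}"   # constructed placeholder (RFC 5737)

fw_flush() {
    # Open the policies before flushing so the flush itself cannot cut NFS off.
    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -P FORWARD ACCEPT
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -F
    $IPTABLES -t nat -F
    $IPTABLES -t mangle -F
    $IPTABLES -X
}

fw_rules() {
    # NFS root traffic is allowed first, so it is covered before the policy closes.
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A OUTPUT -o lo -j ACCEPT
    $IPTABLES -A OUTPUT -d "$NFS_SERVER" -j ACCEPT
    $IPTABLES -A INPUT -s "$NFS_SERVER" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Fail closed: an absent or empty DEBUG argument means DROP.
fw_policy() {
    if [ "${1:-0}" -eq 0 ]; then policy=DROP; else policy=ACCEPT; fi
    $IPTABLES -P INPUT "$policy"
    $IPTABLES -P FORWARD "$policy"
    $IPTABLES -P OUTPUT "$policy"
}

# Normal start: flush (open), rules, then close. DEBUG=1 leaves ACCEPT.
fw_start() { fw_flush; fw_rules; fw_policy "${1:-0}"; }

# Panic: flush first, then close, so the ACCEPT set by the flush is not final.
fw_panic() { fw_flush; fw_policy 0; }
```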