[K12OSN] iptables blocking tftp on default installation

Eric Harrison eharrison at mail.mesd.k12.or.us
Sun Jun 11 19:08:18 UTC 2006


On Sat, 10 Jun 2006, Eric Harrison wrote:

> On Sat, 10 Jun 2006, Peter Scheie wrote:
>
>> I did another installation of beta 7 for version 5.0.  I accepted the 
>> defaults for everything, except for two things: the host name, and the 
>> firewall.  The only thing I changed for the firewall is that I selected the 
>> option to open port 443 for https, by just selecting the checkbox; I didn't 
>> add any other options.  After the server finished the installation, I tried 
>> to boot my iPaq client, which uses PXE.  It hung at the tftp stage, until I 
>> turned iptables off at the server, and then the client continued to boot 
>> normally.
>> 
>> What assumption does 5.0 make about the state and open port of the 
>> firewall/iptables?
>> 
>> Petre
>
> The default is for eth0 to be trusted (i.e. not firewalled at all), and
> on eth1 everything is blocked except ssh.
>
> Sounds like when a change is made (such as adding https), it completely
> wipes out the K12LTSP 5.0 defaults. That didn't happen in earlier versions.
> I'll test that out...
>
> Thanks Petre!

Confirmed, the behavior in FC5 is to blindly discard all of the custom
settings whenever you make a change to the firewall :-(

I'll work on a fix. My first thought is to add an init script that injects the
default K12LTSP firewall rules if 1) it is a K12LTSP install and 2) if the
firewall is enabled. In the common case, it would "just work". In other
cases, you could just disable it like any other init script.

-Eric
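
One way the init script proposed above could decide what to inject, as an added example that is not Eric's or the K12LTSP project's code. The marker file path is hypothetical, the `RH-Firewall-1-INPUT` chain name is an assumption about the generated firewall, and the sample ruleset is constructed.

```shell
#!/bin/sh
# Added example, not the K12LTSP project's script.
K12LTSP_MARKER="${K12LTSP_MARKER:-/etc/k12ltsp-release}"  # hypothetical marker file
CHAIN="${CHAIN:-RH-Firewall-1-INPUT}"    # assumed chain of the generated firewall
TRUSTED_IF="${TRUSTED_IF:-eth0}"         # trusted interface, per the thread

# Constructed sample: a ruleset regenerated with only https (443) opened.
sample_ruleset() {
cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# plan_rules FILE: print the iptables commands needed to restore the defaults
# (eth0 trusted, ssh open) given an iptables-save dump in FILE.
plan_rules() {
    ruleset=$1
    [ -e "$K12LTSP_MARKER" ] || return 0               # 1) K12LTSP install?
    grep -q -e "^:$CHAIN " "$ruleset" || return 0      # 2) firewall enabled?
    # Insert at position 1 so the ACCEPTs precede the chain's final REJECT.
    grep -qF -e "-A $CHAIN -i $TRUSTED_IF -j ACCEPT" "$ruleset" ||
        echo "iptables -I $CHAIN 1 -i $TRUSTED_IF -j ACCEPT"
    grep -q -e "-A $CHAIN .*--dport 22 -j ACCEPT" "$ruleset" ||
        echo "iptables -I $CHAIN 1 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT"
    return 0
}

case "${1:-}" in
start)  # real run: inspect the live ruleset and apply only what is missing
    live=$(mktemp) && iptables-save > "$live" && plan_rules "$live" | sh
    rm -f "$live" ;;
esac
```

Because it only emits rules that are absent, running it repeatedly does not stack duplicate ACCEPT entries.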



