[K12OSN] iptables blocking tftp on default installation

Eric Harrison eharrison at mail.mesd.k12.or.us
Mon Jun 12 05:10:43 UTC 2006


On Sun, 11 Jun 2006, Eric Harrison wrote:

> On Sat, 10 Jun 2006, Eric Harrison wrote:
>
>> On Sat, 10 Jun 2006, Peter Scheie wrote:
>> 
>>> I did another installation of beta 7 for version 5.0.  I accepted the 
>>> defaults for everything, except for two things: the host name, and the 
>>> firewall.  The only thing I changed for the firewall is that I selected the 
>>> option to open port 443 for https, by just selecting the checkbox; I didn't 
>>> add any other options.  After the server finished the installation, I tried 
>>> to boot my iPaq client, which uses PXE.  It hung at the tftp stage, until I 
>>> turned iptables off at the server, and then the client continued to boot 
>>> normally.
>>> 
>>> What assumption does 5.0 make about the state and open port of the 
>>> firewall/iptables?
>>> 
>>> Petre
>> 
>> The default is for eth0 to be trusted (i.e. not firewalled at all), and
>> on eth1 everything is blocked except ssh.
>> 
>> Sounds like when a change is made (such as adding https), it completely
>> wipes out the K12LTSP 5.0 defaults. That didn't happen in earlier versions.
>> I'll test that out...
>> 
>> Thanks Petre!
>
> Confirmed, the behavior in FC5 is to blindly discard all of the custom
> settings whenever you make a change to the firewall :-(
>
> I'll work on a fix. My first thought is add an init script that injects the
> default K12LTSP firewall rules if 1) it is a K12LTSP install and 2) if the
> firewall is enabled. In the common case, it would "just work". In other
> cases, you could just disable it like any other init script.
>
> -Eric

I'm reasonably happy with this approach. I added a new ltsp_config package
to the K12LTSP 5.0 beta repositories for testing. After updating,
you can run the following commands to make sure that eth0 is not firewalled
off:

	/sbin/chkconfig iptables-k12ltsp on
	/sbin/service iptables-k12ltsp start

If, for some reason, your terminals are running on a different interface
than eth0, you can edit /etc/sysconfig/iptables-k12ltsp.

-Eric
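The rule injection Eric describes (trusted terminal interface, ssh only elsewhere, applied only on a K12LTSP box with the firewall enabled), written out as an added example; this is not the ltsp_config package or its iptables-k12ltsp init script, which the thread does not show. The K12LTSP_IFACE variable, the use of /etc/sysconfig/iptables-k12ltsp as the "is this K12LTSP" marker, and the function names are my assumptions.

```shell
#!/bin/sh
# Added example, not the project's own init script. Inserts an ACCEPT rule
# for the terminal-side interface at the head of INPUT, so it wins over the
# REJECT rule the stock Fedora firewall appends, while every other interface
# keeps the stock rules (ssh only). Rules are deleted before being inserted so
# the set stays idempotent across restarts.

# $1 = trusted interface (default eth0), $2 = "echo" to print the commands
# instead of running them (dry-run for review).
k12ltsp_rules() {
    iface="${1:-eth0}"
    run="${2:-}"
    # Refuse anything that is not a plain interface name: the value comes from
    # a config file/environment and must never reach the shell unchecked.
    case "$iface" in
        *[!A-Za-z0-9_.:-]*) echo "bad interface name: $iface" >&2; return 1 ;;
    esac
    $run /sbin/iptables -D INPUT -i "$iface" -j ACCEPT 2>/dev/null || true
    $run /sbin/iptables -I INPUT 1 -i "$iface" -j ACCEPT
}

# The two gating conditions from the thread: 1) it is a K12LTSP install
# (assumed marker: the iptables-k12ltsp sysconfig file the thread mentions),
# 2) the stock iptables service is enabled. Returns 0 when both hold.
should_inject() {
    [ -f /etc/sysconfig/iptables-k12ltsp ] || return 1
    command -v /sbin/chkconfig >/dev/null 2>&1 || return 1
    /sbin/chkconfig iptables >/dev/null 2>&1
}

# Apply for real only as root with both conditions met; otherwise print what
# would be run so an admin can inspect it before trusting the script.
apply_k12ltsp_rules() {
    iface="${K12LTSP_IFACE:-eth0}"   # assumed variable, not from the thread
    if [ "$(id -u)" -eq 0 ] && should_inject; then
        k12ltsp_rules "$iface"
    else
        k12ltsp_rules "$iface" echo
    fi
}
```

Running the script as a non-root user prints the two iptables commands for eth0 instead of executing them.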
