[K12OSN] iptables blocking tftp on default installation
Eric Harrison
eharrison at mail.mesd.k12.or.us
Mon Jun 12 05:10:43 UTC 2006
On Sun, 11 Jun 2006, Eric Harrison wrote:
> On Sat, 10 Jun 2006, Eric Harrison wrote:
>
>> On Sat, 10 Jun 2006, Peter Scheie wrote:
>>
>>> I did another installation of beta 7 for version 5.0. I accepted the
>>> defaults for everything, except for two things: the host name, and the
>>> firewall. The only thing I changed for the firewall is that I selected the
>>> option to open port 443 for https, by just selecting the checkbox; I didn't
>>> add any other options. After the server finished the installation, I tried
>>> to boot my iPaq client, which uses PXE. It hung at the tftp stage, until I
>>> turned iptables off at the server, and then the client continued to boot
>>> normally.
>>>
>>> What assumption does 5.0 make about the state and open port of the
>>> firewall/iptables?
>>>
>>> Petre
>>
>> The default is for eth0 to be trusted (i.e. not firewalled at all), and
>> on eth1 everything is blocked except ssh.
>>
>> Sounds like when a change is made (such as adding https), it completely
>> wipes out the K12LTSP 5.0 defaults. That didn't happen in earlier versions.
>> I'll test that out...
>>
>> Thanks Petre!
>
> Confirmed, the behavior in FC5 is to blindly discard all of the custom
> settings whenever you make a change to the firewall :-(
>
> I'll work on a fix. My first thought is add an init script that injects the
> default K12LTSP firewall rules if 1) it is a K12LTSP install and 2) if the
> firewall is enabled. In the common case, it would "just work". In other
> cases, you could just disable it like any other init script.
>
> -Eric
I'm reasonably happy with this approach. I added a new ltsp_config package
to the K12LTSP 5.0 beta repositories for testing. After updating,
you can run the following commands to make sure that eth0 is not firewalled
off:
/sbin/chkconfig iptables-k12ltsp on
/sbin/service iptables-k12ltsp start
If, for some reason, your terminals are running on a different interface
than eth0, you can edit /etc/sysconfig/iptables-k12ltsp.
-Eric
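An illustration of the init-script approach described in this thread, added here as an example; it is not the script shipped in the ltsp_config package, and the page does not show that package's contents. It assumes that /etc/sysconfig/iptables-k12ltsp holds a line of the form LTSP_IFACE=eth0 (variable name hypothetical), that the presence of that file marks a K12LTSP install, and that "firewall enabled" means the iptables service is switched on via chkconfig. It restores the stated default (the terminal interface fully trusted) by inserting a jump to its own chain at the top of INPUT, so re-running it after the distro firewall tool rewrites the rules never leaves duplicate entries, and it only accepts interface names made of safe characters so a tampered config cannot inject shell into the iptables commands.

```shell
#!/bin/sh
# iptables-k12ltsp (added example, not the ltsp_config package's script):
# re-inject the K12LTSP default of a fully trusted terminal interface after
# the FC5 firewall tool has rewritten the rules. Runs after the iptables
# service (its chkconfig priority is 08/92, so 09/91 is chosen here).
# chkconfig: 2345 09 91
# description: restore K12LTSP trusted-interface rule

CONFIG=/etc/sysconfig/iptables-k12ltsp   # file named on the page
CHAIN=k12ltsp-trust                      # hypothetical chain name
IPTABLES=${IPTABLES:-/sbin/iptables}

# Read the interface to trust from the config file (default: eth0).
# Only [A-Za-z0-9._-] is accepted, so the value is safe to interpolate.
ltsp_iface() {
    file=${1:-$CONFIG}
    iface=""
    if [ -r "$file" ]; then
        iface=$(sed -n 's/^LTSP_IFACE="\{0,1\}\([A-Za-z0-9._-]*\)"\{0,1\}.*/\1/p' "$file" | tail -n 1)
    fi
    printf '%s\n' "${iface:-eth0}"
}

# Condition 1 from the thread: is this a K12LTSP install? (assumed marker)
is_k12ltsp() { [ -e "$CONFIG" ]; }

# Condition 2: is the distro firewall enabled in the current runlevel?
firewall_enabled() { /sbin/chkconfig iptables >/dev/null 2>&1; }

# Emit the iptables commands for IFACE, one per line, without running them,
# so the rule set can be reviewed (or tested) before it is applied.
# A private chain plus delete-then-insert keeps the result idempotent.
k12ltsp_rules() {
    iface=$1
    cat <<EOF
$IPTABLES -N $CHAIN 2>/dev/null || true
$IPTABLES -F $CHAIN
$IPTABLES -A $CHAIN -i $iface -j ACCEPT
$IPTABLES -D INPUT -j $CHAIN 2>/dev/null || true
$IPTABLES -I INPUT 1 -j $CHAIN
EOF
}

start() {
    is_k12ltsp || { echo "not a K12LTSP install, nothing to do"; return 0; }
    firewall_enabled || { echo "iptables service is off, nothing to do"; return 0; }
    k12ltsp_rules "$(ltsp_iface)" | sh -e
}

# Remove the jump and the chain so the distro rule set is left untouched.
stop() {
    $IPTABLES -D INPUT -j $CHAIN 2>/dev/null || true
    $IPTABLES -F $CHAIN 2>/dev/null || true
    $IPTABLES -X $CHAIN 2>/dev/null || true
}

case "${1:-}" in
    start)   start ;;
    stop)    stop ;;
    restart) stop; start ;;
    rules)   k12ltsp_rules "$(ltsp_iface)" ;;   # dry run: print, don't apply
    "")      ;;
    *)       echo "usage: $0 {start|stop|restart|rules}" >&2; exit 2 ;;
esac
```

Installed as /etc/init.d/iptables-k12ltsp, it is enabled and run exactly as the message above describes (chkconfig on, then service start); the extra `rules` verb prints the commands so an administrator can check what will be inserted before trusting the interface.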