ipfilter netboot problems
Wes Peters
wes at softweyr.com
Tue Jun 24 23:10:35 PDT 2003
On Tuesday 24 June 2003 12:06 pm, randall ehren wrote:
> hi,
> i'm setting up a soekris net4501 machine and during some testing i ran
> into a problem. basically, if i compile:
>
> options IPFILTER_DEFAULT_BLOCK
>
> into the kernel then i get the following error during a net boot
> (pxe):
>
> nfs send error 65 for xxx.xxx.xxx.xxx:/soekris/
>
> and then the machine stops booting as it can't continue to load the
> root partition
>
> after hunting and pecking around, i found out this relates to a "NFS
> server host unreachable" error...
Makes perfect sense, doesn't it? ;^)
> my guess was that since i had enabled default blocking by ipfilter,
> once ipfilter loads then all network access is cut off until the rules
> (/etc/ipf.rules) are applied.
>
> so is this impossible to do since loading the rules would require
> mounting a partition?
Yup. Why not boot off the CF instead? If you're netbooting for
development, just leave off the default block option until you're ready
to test from CF; you can still add a default block as your first rule
once you have filesystems mounted. You may want to be clever and copy
the ipf rules to a small ramdisk before loading them just to be sure.
The filter rules are there really to protect services, so if you delay
starting non-essential services as long as possible, you can considerably
lessen your exposure during the boot phase. Since you're booting from
the network, there is no way to eliminate your exposure, but you can make
certain you don't start the usual culprits (mail, dns, web, etc services)
until after you've processed the firewall rules.
--
Where am I, and what am I doing in this handbasket?
Wes Peters wes at softweyr.com
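A rules file that follows the reply's advice (default block as the first rule once the NFS root is mounted, with only the traffic that keeps that root alive passed through) might look like the constructed example below. It is an added illustration, not a file from the original thread; the interface name `sis0`, the NFS server address `192.0.2.10`, and the UDP transport for the root mount are assumptions, and the default-block kernel option is left off so the PXE boot can reach the server at all.

```conf
# /etc/ipf.rules -- constructed example, not from the original post.
# Assumes: NIC sis0, NFS root served by 192.0.2.10 over UDP (NFS port 2049).
# ipfilter uses last-match semantics unless a rule says "quick".

# Default block goes first, so anything not explicitly passed below is dropped.
block in log all
block out log all

# Loopback is always fine.
pass in  quick on lo0 all
pass out quick on lo0 all

# Keep the already-mounted NFS root working. These rules are deliberately
# stateless: the mount predates the rule load, so "keep state" would never
# see the flow's first packet and the root would go "host unreachable" again.
pass in  quick on sis0 proto udp from 192.0.2.10 port = 2049 to any
pass out quick on sis0 proto udp from any to 192.0.2.10 port = 2049

# Services started after the rules are loaded get explicit, stateful passes;
# everything else (mail, dns, web, ...) stays blocked by the rules at the top.
pass out quick on sis0 proto tcp from any to any flags S keep state
pass out quick on sis0 proto udp from any to any keep state
```

With `ipfilter_enable="YES"` and `ipfilter_rules="/etc/ipf.rules"` in `/etc/rc.conf`, the rc system loads this file early in the boot sequence, before the network daemons the reply calls "the usual culprits" are started, which is the ordering the reply recommends. If the root is mounted over TCP rather than UDP, the two stateless NFS rules would need a matching `proto tcp` pair; that case is not covered by the assumptions above.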