From owner-freebsd-net@FreeBSD.ORG Tue Jun 24 23:10:34 2003
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A604D37B401 for ; Tue, 24 Jun 2003 23:10:34 -0700 (PDT)
Received: from smtp.omnis.com (smtp.omnis.com [216.239.128.26]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4005F43FF3 for ; Tue, 24 Jun 2003 23:10:34 -0700 (PDT) (envelope-from wes@softweyr.com)
Received: from softweyr.homeunix.net (66-91-236-204.san.rr.com [66.91.236.204]) by smtp-relay.omnis.com (Postfix) with ESMTP id BE1F05B6DD; Tue, 24 Jun 2003 23:10:32 -0700 (PDT)
From: Wes Peters
Organization: Softweyr
To: randall ehren ,
Date: Tue, 24 Jun 2003 23:10:31 -0700
User-Agent: KMail/1.5.2
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Message-Id: <200306242310.31047.wes@softweyr.com>
Subject: Re: ipfilter netboot problems
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
X-List-Received-Date: Wed, 25 Jun 2003 06:10:35 -0000

On Tuesday 24 June 2003 12:06 pm, randall ehren wrote:
> hi,
> i'm setting up a soekris net4501 machine and during some testing i ran
> into a problem. basically, if i compile:
>
> options IPFILTER_DEFAULT_BLOCK
>
> into the kernel then i get the following error during a net boot
> (pxe):
>
> nfs send error 65 for xxx.xxx.xxx.xxx:/soekris/
>
> and then the machine stops booting as it can't continue to load the
> root partition
>
> after hunting and pecking around, i found out this relates to a "NFS
> server host unreachable" error...

Makes perfect sense, doesn't it? ;^)

> my guess was that since i had enabled default blocking by ipfilter,
> once ipfilter loads then all network access is cut off until the rules
> (/etc/ipf.rules) are applied.
>
> so is this impossible to do since loading the rules would require
> mounting a partition?

Yup. Why not boot off the CF instead? If you're netbooting for development, just leave off the default block option until you're ready to test from CF; you can still add a default block as your first rule once you have filesystems mounted. You may want to be clever and copy the ipf rules to a small ramdisk before loading them just to be sure.

The filter rules are there really to protect services, so if you delay starting non-essential services as long as possible, you can considerably lessen your exposure during the boot phase. Since you're booting from the network, there is no way to eliminate your exposure, but you can make certain you don't start the usual culprits (mail, dns, web, etc services) until after you've processed the firewall rules.

-- 
Where am I, and what am I doing in this handbasket?
Wes Peters wes@softweyr.com
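As an added illustration of the advice above (this ruleset is not from the original thread or from either poster), an /etc/ipf.rules that puts the default block first, as a rule rather than the IPFILTER_DEFAULT_BLOCK kernel option, while still letting the diskless client talk to its NFS root server. The interface name sis0, the client address 192.0.2.20 and the server address 192.0.2.10 are assumptions chosen for the example.

```text
# Example ipf.rules for a PXE/NFS-root client (constructed example, not the
# poster's configuration). Assumed: NIC sis0, client 192.0.2.20, server 192.0.2.10.

# Default policy first: anything not explicitly passed below is dropped.
block in all
block out all

# Loopback is needed by local daemons; never filter it.
pass in quick on lo0 all
pass out quick on lo0 all

# NFS root. The client initiates every exchange (portmap 111, mountd on a
# dynamic port, nfsd 2049), so allow outbound UDP and TCP to the server only
# and let the state table admit the replies. This is what keeps the root
# filesystem reachable once the rules replace the kernel default block.
pass out quick on sis0 proto udp from 192.0.2.20/32 to 192.0.2.10/32 keep state
pass out quick on sis0 proto tcp from 192.0.2.20/32 to 192.0.2.10/32 flags S keep state

# Let the server tell us about unreachable ports/hosts so NFS fails fast
# instead of hanging on retransmits.
pass in quick on sis0 proto icmp from 192.0.2.10/32 to 192.0.2.20/32 icmp-type unreach

# No inbound passes for mail, dns, web, etc.: those services are started
# after this file is loaded, and each gets its own pass rule when added.
```

Load it only after the root filesystem is mounted, then start the non-essential services, so nothing listens on the network before this policy is in place.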