This is a discussion on Re: ipfilter and Jumpstart within the IPFilter forums, part of the System Security and Security Related category.
I don't find I need to do anything exceptional. I have a basic firewall
that does stateful TCP and stateless UDP. However, I do not use
rarpd/bootparamd so perhaps that requires special consideration.

The ISC DHCP daemon with some flags will do the whole job in one place.
On the clients boot net:dhcp ..... does the job.

Phil Dibowitz wrote:
> Jeff A. Earickson wrote:
>> Hi,
>>
>> Has anybody ever figured out the trick to getting Jumpstart to work
>> when ipfilter is running? I always have to drop my ipfilter rules
>> on my Jumpstart server for the client (netboot) system to be able to
>> get going. I did some snoop action, and I saw multicast and broadcast
>> stuff going by (without ipfilter in the way), so I added the
>> following to my ruleset:
>>
>> block in all
>> block out all
>> #---take anything in/out via multicast and broadcast for Jumpstart
>> pass in from 255.255.255.255 to 137.146.28.80
>> pass out from 137.146.28.80 to 255.255.255.255
>> pass in from 224.0.0.0/3 to 137.146.28.80
>> pass out from 137.146.26.80 to 224.0.0.0/3
>>
>> where 137.146.26.80 is the IP of the host (Jumpstart server).
>
> I don't think the multicast is needed, but you need to be able to talk
> to broadcast, as well as basically allow anyone at all to give you
> DHCP/Bootp requests (depending on which you use). Then there's the
> joyousness of getting NFSv3 through a firewall.
>
> Start by figuring out which step is breaking: bootp? dhcp? tftp? nfs?
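
An added example, not part of the original posts: one way to act on the "which step is breaking" advice is to bucket the firewall's pass/block decisions by netboot stage and report the earliest stage with blocked packets. The `Packet` record layout, the function names and the client address 192.0.2.10 are assumptions made for this sketch; the records are constructed and are not ipmon or snoop output.

```python
from collections import Counter, namedtuple

# Simplified record assumed for this example (not a real ipmon/snoop format).
Packet = namedtuple("Packet", "action proto src dst sport dport")

# Netboot stages in boot order, matched on well-known UDP/TCP ports.
# TFTP data comes back from a server-chosen port, and mountd gets its port
# from rpcbind, so those packets fall into "other" and need a closer look.
STAGES = [
    ("bootp/dhcp", {67, 68}),
    ("tftp", {69}),
    ("nfs", {111, 2049}),  # rpcbind and nfsd
]

def stage_of(pkt):
    """Return the boot stage a packet belongs to, or 'other'."""
    if pkt.proto in ("udp", "tcp"):
        for name, ports in STAGES:
            if pkt.sport in ports or pkt.dport in ports:
                return name
    return "other"

def summarize(packets):
    """Count passed and blocked packets per stage."""
    counts = {name: Counter() for name, _ in STAGES}
    counts["other"] = Counter()
    for pkt in packets:
        counts[stage_of(pkt)][pkt.action] += 1
    return counts

def first_broken_stage(packets):
    """Earliest stage in boot order that has blocked packets, or None."""
    counts = summarize(packets)
    for name, _ in STAGES:
        if counts[name]["block"] > 0:
            return name
    return None

# Constructed sample: DHCP gets through, the TFTP read request is blocked.
SAMPLE = [
    Packet("pass", "udp", "0.0.0.0", "255.255.255.255", 68, 67),
    Packet("pass", "udp", "137.146.26.80", "255.255.255.255", 67, 68),
    Packet("block", "udp", "192.0.2.10", "137.146.26.80", 32800, 69),
    Packet("block", "udp", "192.0.2.10", "137.146.26.80", 32800, 69),
    Packet("block", "udp", "192.0.2.10", "137.146.26.80", 32801, 32771),
]

if __name__ == "__main__":
    for stage, c in summarize(SAMPLE).items():
        print(f"{stage:11} pass={c['pass']} block={c['block']}")
    print("first broken stage:", first_broken_stage(SAMPLE))
```

Blocked packets that end up in "other" while an earlier stage is clean usually point at the dynamic-port traffic (TFTP data, mountd) rather than at the well-known ports.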