Re: ipfilter netboot problems

From: Wes Peters (wes_at_softweyr.com)
Date: 06/25/03

    To: randall ehren <randall@ucsb.edu>, <freebsd-net@freebsd.org>
    Date: Tue, 24 Jun 2003 23:10:31 -0700
    
    

    On Tuesday 24 June 2003 12:06 pm, randall ehren wrote:
    > hi,
    > i'm setting up a soekris net4501 machine and during some testing i ran
    > into a problem. basically, if i compile:
    >
    > options IPFILTER_DEFAULT_BLOCK
    >
    > into the kernel then i get the following error during a net boot
    > (pxe):
    >
    > nfs send error 65 for xxx.xxx.xxx.xxx:/soekris/
    >
    > and then the machine stops booting as it can't continue to load the
    > root partition
    >
    > after hunting and pecking around, i found out this relates to a "NFS
    > server host unreachable" error...

    Makes perfect sense, doesn't it? ;^)

    > my guess was that since i had enabled default blocking by ipfilter,
    > once ipfilter loads then all network access is cut off until the rules
    > (/etc/ipf.rules) are applied.
    >
    > so is this impossible to do since loading the rules would require
    > mounting a partition?

    Yup. Why not boot off the CF instead? If you're netbooting for
    development, just leave off the default block option until you're ready
    to test from CF; you can still add a default block as your first rule
    once you have filesystems mounted. You may want to be clever and copy
    the ipf rules to a small ramdisk before loading them just to be sure.

    The filter rules are there really to protect services, so if you delay
    starting non-essential services as long as possible, you can considerably
    lessen your exposure during the boot phase. Since you're booting from
    the network, there is no way to eliminate your exposure, but you can make
    certain you don't start the usual culprits (mail, dns, web, etc services)
    until after you've processed the firewall rules.

    -- 
            Where am I, and what am I doing in this handbasket?
    Wes Peters                                               wes@softweyr.com
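
The approach suggested in the reply above (a kernel without IPFILTER_DEFAULT_BLOCK, a default block as the first rule, and the rules copied to a ramdisk before loading) as an added example that is not part of the original message. The function names are hypothetical, and the interface, NFS server address and an already-mounted memory-backed directory are assumptions passed in as arguments.

```shell
#!/bin/sh
# Added example, not from the thread. Interface, server address and paths
# are supplied by the caller; all function names are hypothetical.

# Emit a ruleset for a host whose root filesystem is on NFS. ipf applies the
# last matching rule unless "quick" is given, so the leading block rules act
# as the default and the quick rules for the NFS server always win.
gen_rules() {   # usage: gen_rules <interface> <nfs-server-ip>
    [ -n "$1" ] && [ -n "$2" ] || return 1
    cat <<EOF
block in all
block out all
pass in quick on lo0 all
pass out quick on lo0 all
pass in quick on $1 from $2 to any
pass out quick on $1 from any to $2
EOF
}

# Succeed only if the file has quick pass rules in both directions for the
# NFS server, i.e. loading it will not cut off the root filesystem.
rules_keep_nfs() {   # usage: rules_keep_nfs <file> <interface> <nfs-server-ip>
    grep -qFx "pass in quick on $2 from $3 to any" "$1" &&
    grep -qFx "pass out quick on $2 from any to $3" "$1"
}

# Copy the rules to a memory-backed directory and verify the copy, so ipf
# never has to read from the NFS root while the filter state is changing.
stage_rules() {   # usage: stage_rules <rules-file> <ramdisk-dir>; prints staged path
    dst="$2/ipf.rules.$$"
    cp "$1" "$dst" && cmp -s "$1" "$dst" && echo "$dst"
}

# Check, stage, then load: -Fa flushes the active rules, -f reads the file.
load_rules() {   # usage: load_rules <rules-file> <interface> <nfs-server-ip> <ramdisk-dir>
    rules_keep_nfs "$1" "$2" "$3" || { echo "rules would block NFS root" >&2; return 1; }
    staged=$(stage_rules "$1" "$4") || return 1
    ipf -Fa -f "$staged"
}
```

Calling `load_rules` before any mail, DNS or web service is started keeps the unfiltered window limited to the boot phase described in the reply.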
    
