[Firewall] Firewall with Root-over-NFS: problem

Roman Mamedov romanrm at gmail.com
Thu Nov 8 10:23:10 MST 2007


Hello.

I am setting up a dedicated firewall/gateway machine, using the 
arno-iptables-firewall script. The special thing about this setup is 
that the firewall is completely diskless - it mounts the root file 
system over the LAN, using NFS.

The problem is, the computer hangs halfway through executing 
*/etc/init.d/arno-iptables-firewall restart*, with continuous messages 
about "NFS server not responding."

Apparently, the process of setting up firewall rules causes the firewall 
machine to lose network connectivity for a short moment. But with a 
diskless setup, this is completely unacceptable, as everything this 
computer has (including the iptables binary, and the swap file!) resides 
on an NFS share on another server.

I have located the place in the source code of the setup script which 
causes the lock-up. It is the following line:

      echo "Setting default (secure) policies"
      # Set standard policies for the built-in tables (drop = very secure)
      ####################################################################
      $IPTABLES -P INPUT DROP

When I comment it out, the script restart applies all other rules 
successfully, without causing lock-up.

So, the questions are:

    * Is this line really needed for security?
    * Can some alternative be implemented, so that security is not
      compromised, and network access is never lost (even for a moment)
      during firewall rules setup?
    * Does the firewall function properly with that line commented out
      (i.e. can I already place it online, or should I wait for a more
      proper fix)? I see there are a lot of DROP rules, including *-A
      INPUT -j DROP* in "iptables-save | grep DROP" - are these not
      enough? Maybe *-P INPUT DROP* is just a cautious safeguard, and is
      not crucial for proper firewalling?

Thank you in advance.
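One ordering that avoids the window described above, as an added example that is not part of arno-iptables-firewall or the poster's setup: the ACCEPT rules for the NFS root server are inserted before the policy is changed, so no NFS reply is ever dropped; the server address and interface are constructed placeholders.

```shell
#!/bin/sh
# Added example (not the arno-iptables-firewall code): bring INPUT to a DROP
# policy without a window in which replies from the NFS root server are dropped.
# Placeholders: the NFS server's address and the interface it is reached over.
NFS_SERVER="192.168.1.10"   # constructed value, replace with the real server
NFS_IFACE="eth1"            # interface facing the NFS server
IPTABLES="iptables"

# Print the rule commands in a safe order: ACCEPT rules for the NFS server
# first, the policy change last. Order is the whole point: "-P INPUT DROP"
# issued before the ACCEPT rules exist drops the NFS replies that the very
# next command (itself loaded over NFS) needs, which is the hang in the post.
plan_rules() {
  cat <<EOF
$IPTABLES -I INPUT 1 -i $NFS_IFACE -s $NFS_SERVER -j ACCEPT
$IPTABLES -I OUTPUT 1 -o $NFS_IFACE -d $NFS_SERVER -j ACCEPT
$IPTABLES -I INPUT 2 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -P INPUT DROP
EOF
}

# Return 0 only when the NFS ACCEPT rule comes before the DROP policy.
plan_is_safe() {
  plan_rules | awk '
    /-s '"$NFS_SERVER"' -j ACCEPT/ && !accept { accept = NR }
    /-P INPUT DROP/                           { drop   = NR }
    END { exit !(accept && drop && accept < drop) }'
}

# Echo each command and, unless DRY_RUN=1, execute it. Refuses to run at all
# if the order check fails, so a later edit cannot reintroduce the lock-up.
apply_rules() {
  plan_is_safe || { echo "refusing: DROP policy would precede NFS ACCEPT" >&2; return 1; }
  plan_rules | while IFS= read -r cmd; do
    echo "+ $cmd"
    [ "${DRY_RUN:-1}" = 1 ] || $cmd   # word-split on purpose: runs the command
  done
}

# Dry run by default; "--apply" (as root) actually loads the rules.
if [ "${1:-}" = "--apply" ]; then DRY_RUN=0; else DRY_RUN=1; fi
apply_rules
```

iptables-restore applies a whole table atomically, which removes the window entirely; the ordering above is the fix when rules are issued one iptables call at a time, as in the script quoted in the post.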