Bernd Schemmer wrote:
> Dave Miner wrote:
> > Dave,
> > > Are you talking about the client ports used to
> > > retrieve the miniroot and flash archive?
> > Yes
> > > If so, those are chosen randomly out of the port space,
> > port space is 32768 and above?
>

As I recall, that's typically the anonymous port range that most implementations use when the socket isn't bound to a specific local port. You can see the code where the wanboot program does its connections at:

http://src.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/common/net/wanboot/boot_http.c#tcp_connect

> > and there's no way to configure it at this point.
>
> That's bad - then we have to open all ports on our firewall about 32k
> for the installation of the machines.
>

Seems like an awfully tight firewall configuration that would get in the way of other normal things, too.

> Our plan was to use the WANBOOT Server also after installation to be
> able to boot the machine into maintenance mode but I don't think that
> our Security Team will allow us to keep the ports open after installing
> the machine...
>
> Do you know if there's already an RFE to change this? If not, I'll file an
> RFE.
>

That'll be complicated, because there are multiple implementations involved: the OBP's http client to download wanboot, and then the wanboot program itself. The latter is what's in OpenSolaris, and you or anyone else could submit a fix, but the OBP's obviously done by the server hardware guys and the time to get RFEs implemented there tends to be very long. I don't mean this to be discouraging, just want to be honest about the situation.

One workaround you might investigate is to use an http proxy which is outside the firewall for the wanboot clients to talk to and then you could just open up the firewall for it, though I doubt that would have a particularly better security risk profile in reality.

Dave
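An added illustration, not code from this thread or from the OpenSolaris wanboot sources: a minimal loopback TCP connect in the spirit of boot_http.c's tcp_connect(). With no local bind, the kernel picks the client's source port from the anonymous range (which is what forces the wide firewall opening discussed above); binding a chosen local port before connect() is the kind of change an RFE would ask for, so the source port becomes predictable. The listener, function names and port values are constructed for the example.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <unistd.h>
#include <string.h>
#include <stdio.h>

/* Constructed stand-in for a wanboot server: listen on 127.0.0.1 on a
   kernel-chosen port. Returns the listening fd and stores the port. */
int start_listener(unsigned short *port) {
    int fd = socket(AF_INET, SOCK_STREAM, 0), one = 1;
    struct sockaddr_in sa; socklen_t len = sizeof sa;
    if (fd < 0) return -1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sa.sin_port = 0;                      /* 0 = let the kernel choose */
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 1) < 0 ||
        getsockname(fd, (struct sockaddr *)&sa, &len) < 0) { close(fd); return -1; }
    *port = ntohs(sa.sin_port);
    return fd;
}

/* Client side. local_port == 0 mirrors the unbound wanboot behaviour: the
   kernel assigns a source port from the anonymous range. A non-zero
   local_port is bound first, giving a firewall a fixed port to permit.
   Returns the source port actually used, or -1 on error. */
int connect_from(unsigned short server_port, unsigned short local_port) {
    int fd = socket(AF_INET, SOCK_STREAM, 0), one = 1;
    struct sockaddr_in sa; socklen_t len = sizeof sa;
    if (fd < 0) return -1;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (local_port != 0) {                /* the "configurable" variant */
        setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
        sa.sin_port = htons(local_port);
        if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0) { close(fd); return -1; }
    }
    sa.sin_port = htons(server_port);
    if (connect(fd, (struct sockaddr *)&sa, sizeof sa) < 0 ||
        getsockname(fd, (struct sockaddr *)&sa, &len) < 0) { close(fd); return -1; }
    close(fd);
    return ntohs(sa.sin_port);
}

int main(void) {
    unsigned short srv; int lfd = start_listener(&srv);
    if (lfd < 0) return 1;
    printf("unbound client used source port %d\n", connect_from(srv, 0));
    close(lfd);
    return 0;
}
```

On a system whose anonymous range starts at 32768 the unbound case prints a port in that range, while the bound case reports exactly the port that was requested.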
