I don't find I need to do anything exceptional. I have a basic firewall that does stateful TCP and stateless UDP.

However, I do not use rarpd/bootparamd so perhaps that requires special consideration.

The ISC DHCP daemon with some flags will do the whole job in one place. On the clients, boot net:dhcp ..... does the job.


Phil Dibowitz wrote:
Jeff A. Earickson wrote:
Hi,

Has anybody ever figured out the trick to getting Jumpstart to work
when ipfilter is running?  I always have to drop my ipfilter rules
on my Jumpstart server for the client (netboot) system to be able to
get going.  I did some snoop action, and I saw multicast and broadcast
stuff going by (without ipfilter in the way), so I added the following to my ruleset:

block in  all
block out all
#---take anything in/out via multicast and broadcast for Jumpstart
pass in  from 255.255.255.255 to 137.146.28.80
pass out from 137.146.28.80   to 255.255.255.255
pass in  from 224.0.0.0/3   to 137.146.28.80
pass out from 137.146.26.80 to 224.0.0.0/3

where 137.146.26.80 is the IP of the host (Jumpstart server).

I don't think the multicast is needed, but you need to be able to talk to broadcast, as well as basically allow anyone at all to give you DHCP/Bootp requests (depending on which you use). Then there's the joyousness of getting NFSv3 through a firewall.

Start by figuring out which step is breaking: bootp? dhcp? tftp? nfs?

