I agree with Ken, the setup does sound confusing. Before modifying your firewall scripts, are you sure that you need a firewall at all? I would guess that if your server and terminals are all on a private network (10.0.0.0) then you probably gain access to the internet (or other network) via some other router - which probably has its own firewall. Is your intention to use the LTSP server to act as a gateway/firewall as well? If so, I'm not sure I would run both things on the same server. I'd probably set up a separate box to act as a gateway/firewall to the internet (there are many great and cheap ways to accomplish this).

Cheers
>>>>>>>>>>>>>>>>>> Original Message <<<<<<<<<<<<<<<<<<

On 11/27/01, 9:57:03 AM, "Ken Godee" <[EMAIL PROTECTED]> wrote regarding Re: [Ltsp-discuss] Blocked by firewall:

> Your set up seems confusing.....
> A firewall is usually set up to block external untrusted networks, ie.
> the internet. Which would appear to be on your eth0. Then
> normally you would have a second nic installed for trusted/internal
> networks on ie. eth1 and your server would be the gateway/firewall.
> Right now your firewall is doing its job correctly, it's
> blocking/dropping what appears to be a 'spoofed' address.
> It thinks it's a spoofed address because the address of 10.0.0.50
> is a non-routable address that is not originating from your machine
> or internal net. This is how spoofing is done: sending packets to
> someone's machine trying to fake that it originally came from
> them in the first place.
> I'm not sure what you can do to make this work like you want
> except to punch holes in your firewall (bad idea).
> You should be able to find a file in your /etc or /etc/rc.d or where
> ever named "rc.firewall" or something like that. This will be a script
> that is run at boot up that loads the firewall rules for iptables.
> Once you find it you should be able to find a section that is
> headed with something like #SPOOFING etc with a few iptables
> rules that block spoofing attacks, comment them out to set off
> protection for spoofing. Most rc.firewall scripts contain a default
> set of ip spoofing rules.
> I would expect you'll run into more problems though, you'll probably
> have to punch several more holes in your firewall to get it to
> work like you're trying to get it to.
> I'm not an expert by any means on this. Most firewalls start with
> deny all except what is explicitly permitted.
> With all that said maybe you could add a couple of iptables rules
> to just allow 10.0.0.50 only?
> My choice would be to serve ltsp on trusted networks only.
> Also the only searchable email archive for ltsp I know of.....
> http://www.mail-archive.com/[email protected]/
>
> > Hello,
> >
> > I am trying to setup an X-terminal connected to a SuSE linux 7.1
> > server. On the server I have a firewall set up using SuSEfirewall2
> > which, to the best of my knowledge, is just a front end for iptables.
> > If I turn the firewall off then the terminal boots up with no
> > problems. However, with the firewall on it stops and the following
> > appears in the /var/log/messages file on the server:
> >
> > Nov 25 17:50:54 kipling dhcpd: DHCPDISCOVER from 00:20:af:20:f7:4f via eth0
> > Nov 25 17:50:54 kipling dhcpd: DHCPOFFER on 10.0.0.50 to 00:20:af:20:f7:4f via eth0
> > Nov 25 17:50:54 kipling kernel: SuSE-FW-DROP-ANTI-SPOOFINGIN=eth0 OUT= MAC= SRC=10.0.0.2 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=67 DPT=68 LEN=308
> >
> > The server has ip address 10.0.0.2 and the terminal is allocated the
> > address 10.0.0.50. Any ideas how I can get round this? Any pointers
> > would be useful and then I could then try messing around with the
> > firewall configuration file.
> >
> > Also, is there a searchable version of the archives for this mailing
> > list? I have some other questions which I'm sure will already have
> > been answered.
> >
> > Thanks,
> >
> > Joe
> >
> > _____________________________________________________________________
> > Ltsp-discuss mailing list. To un-subscribe, or change prefs, goto:
> > https://lists.sourceforge.net/lists/listinfo/ltsp-discuss
> > For additional LTSP help, try #ltsp channel on irc.openprojects.net
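Added example, not part of the thread: a small Python helper that parses kernel netfilter drop lines in the format Joe quoted and names the pattern visible in his log, the server's own DHCPOFFER broadcast (UDP 67 to 68, destination 255.255.255.255, source 10.0.0.2) arriving on eth0 and being treated as spoofed. The second sample line and the LOCAL_ADDRS set are constructed for illustration.

```python
"""Triage netfilter/SuSEfirewall2 drop lines such as the one quoted in the thread."""
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample: line 1 is the drop quoted in the thread (prefix fused to IN=
# exactly as it appeared); line 2 is a made-up, unrelated drop for contrast.
SAMPLE_LOG = """\
Nov 25 17:50:54 kipling kernel: SuSE-FW-DROP-ANTI-SPOOFINGIN=eth0 OUT= MAC= SRC=10.0.0.2 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=67 DPT=68 LEN=308
Nov 25 17:51:10 kipling kernel: SuSE-FW-DROP-ANTI-SPOOFINGIN=eth0 OUT= MAC= SRC=10.0.0.99 DST=10.0.0.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=4242 DPT=22 SYN URGP=0
"""
# Assumption: the LTSP server's own address, as given in the thread.
LOCAL_ADDRS: Set[str] = {"10.0.0.2"}

PREFIX_RE = re.compile(r"kernel:\s+(?P<prefix>.*?)\s*IN=")
FIELD_RE = re.compile(r"([A-Z]+)=(\S*)")


def parse_nf_log(line: str) -> Optional[Dict[str, str]]:
    """Split a kernel netfilter log line into its KEY=value fields plus PREFIX.
    Bare flags (DF, SYN) have no '=' and are skipped; LEN appears twice (IP and
    transport header), so the later transport-layer value wins."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(line[m.end() - 3:]))  # slice starts at "IN="
    fields["PREFIX"] = m.group("prefix")
    return fields


def classify_drop(fields: Dict[str, str], local_addrs: Set[str]) -> str:
    """Name the pattern a dropped packet matches so the admin can judge the rule.
    Anti-spoofing fires on packets carrying one of our own addresses as source
    while arriving on an interface; a DHCP server's own DHCPOFFER broadcast
    (UDP 67 -> 68 to 255.255.255.255) looks exactly like that."""
    is_dhcp_reply = (fields.get("PROTO") == "UDP" and fields.get("SPT") == "67"
                     and fields.get("DPT") == "68" and fields.get("DST") == "255.255.255.255")
    if fields.get("SRC") in local_addrs:
        return "dhcp-offer-from-self" if is_dhcp_reply else "own-address-inbound"
    return "other"


def triage(log_text: str, local_addrs: Set[str] = LOCAL_ADDRS) -> List[Tuple[str, str, str, str]]:
    """Return (prefix, IN interface, SRC, verdict) for every DROP line in log_text."""
    results = []
    for line in log_text.splitlines():
        fields = parse_nf_log(line)
        if fields and "DROP" in fields["PREFIX"]:
            results.append((fields["PREFIX"], fields.get("IN", ""),
                            fields.get("SRC", ""), classify_drop(fields, local_addrs)))
    return results
```

Running `triage(SAMPLE_LOG)` reports the first line as `dhcp-offer-from-self` on `eth0`, which is the cue to check whether the interface the anti-spoofing rule guards is actually the trusted terminal network rather than to disable the rule wholesale.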
