I used the instructions located on the LTSP wiki to install the NX client into the root for the LTSP clients and add the appropriate screen script to start the NX client on boot. That portion of the setup is relatively straightforward and appears to be working beautifully. The instructions are here: http://wiki.ltsp.org/twiki/bin/view/Ltsp/WorkInProgress#LTSP_via_OpenVPN
I have tried limiting access via hosts.allow with no success. I tried iptables, but the 2.6.17.8-ltsp-1 kernel does not have iptables. I get the following error when trying to run # /sbin/iptables -L :
modprobe: FATAL: Module ip_tables not found.
iptables v1.2.11: can't initialize iptables table 'filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
Due to company security restrictions we are not allowed to have X on the network without encryption. Nor can we have X servers listening on the network without access control.
David Kennel
On Dec 20, 2006, at 7:12 AM, Todd Shoemaker wrote:
David Kennel wrote:
I am piloting an LTSP based solution. Due to our security requirements I have had to tweak the configuration quite a bit to harden the system. I have moved the clients to encrypted connections based on FreeNX, but the clients are still opening their X11 servers to dog + world. Does anyone know of a good way to shut this down or at least verifiably limit the traffic to the server?
I have considered moving all the traffic to an encrypted VPN but
cannot find good documentation on this process.
David-
I haven't tried this, but the terminal kernels should be able to use the built-in Linux firewall iptables to block all but expected traffic. You may have to copy the iptables utils into $LTSP/i386 so they can be run by the terminals. Once you get the rules you want (there are web sites that can build these for you), add a script to $LTSP/etc/rc.d and call it by adding a line to lts.conf like this: RC_FILE=myscript.sh
My next question is how you "moved the clients to encrypted connections based on FreeNX". Does LTSP come with a freenx client already installed now? Or do your clients log in to the terminal server and then run freenx from the server to the remote server? I would be curious to learn what heavy lifting you had to do to get freenx installed on the terminal as a default client (like we already have with X11, rdesktop, and telnet).
Finally, LTSP is not necessarily intended to be a secure traffic solution, but a trusted LAN solution. Any time you have NFS, SMB, or any non-ssh file sharing such as we use for LTSP (to run the terminals), you need to place some trust on your physical LAN. You could adopt a fully encrypted solution for files and X11 traffic, but if you start encrypting the X11 traffic using SSH, freenx, RDP, etc., you introduce latency that can be felt by the user. It's not so bad when you use it over the Internet/WAN, but it can be felt on a LAN versus an unencrypted X11 session.
-Todd
-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys - and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
_____________________________________________________________________
Ltsp-discuss mailing list. To un-subscribe, or change prefs, goto:
https://lists.sourceforge.net/lists/listinfo/ltsp-discuss
For additional LTSP help, try #ltsp channel on irc.freenode.net
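The RC_FILE approach Todd describes, combined with the missing-module failure David hit, as an added example that is not code from either poster or from the LTSP project. It assumes /sbin/iptables has been copied into the client root, that the server address is available in $SERVER (a constructed fallback is used), and that the script is named ltsp-fw.sh in $LTSP/etc/rc.d; it only lets the LTSP server reach the terminal's X server ports and refuses to run on a kernel without ip_tables rather than silently leaving the terminal open.

```shell
#!/bin/sh
# Added example, not from the thread. Lock down an LTSP terminal's inbound
# traffic so only the LTSP server can reach its X server (TCP 6000-6063).
# Assumed deployment: $LTSP/etc/rc.d/ltsp-fw.sh, lts.conf RC_FILE=ltsp-fw.sh,
# invoked as "ltsp-fw.sh apply". $SERVER is assumed to hold the server address;
# the fallback below is a constructed placeholder.
SERVER="${SERVER:-192.168.0.254}"

# Return 0 only if iptables exists and the kernel has (or can load) ip_tables.
# On the 2.6.17.8-ltsp-1 kernel from the thread modprobe fails, so this returns 1.
have_netfilter() {
    [ -x /sbin/iptables ] || return 1
    [ -e /proc/net/ip_tables_names ] && return 0
    /sbin/modprobe ip_tables >/dev/null 2>&1
}

# Emit the rule set for one server address as text, so it can be reviewed
# or diffed before being piped into sh. Default policy DROP; loopback and
# replies to terminal-initiated traffic (NFS root, NX) pass; the server is
# trusted; anything else aimed at the X ports is logged and dropped.
fw_rules() {
    server="$1"
    cat <<EOF
iptables -F INPUT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -s $server -j ACCEPT
iptables -A INPUT -p tcp --dport 6000:6063 -j LOG --log-prefix "ltsp-x11-deny "
iptables -A INPUT -p tcp --dport 6000:6063 -j DROP
EOF
}

# Apply the rules, failing loudly instead of half-configuring the terminal.
apply_rules() {
    if ! have_netfilter; then
        echo "ltsp-fw: kernel has no ip_tables support; no rules applied" >&2
        return 1
    fi
    fw_rules "$SERVER" | sh -e
}

# Only apply when asked explicitly, so the file can be sourced for review.
if [ "${1:-}" = apply ]; then
    apply_rules
fi
```

Run with "sh ltsp-fw.sh apply" on the terminal; without the argument it only defines the functions, so fw_rules "$SERVER" can be printed and checked first.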