John Laur
2003-Jul-09 01:57 UTC
[Shorewall-users] Shorewall on a diskless machine (NFS root)
Hello,

I am running shorewall (and have been for more than a year at least) on a diskless machine. The box boots via PXE and uses NFS for the root partition. I recently upgraded from shorewall 1.2 to 1.4 to get some extra functionality and I had to go through the steps of allowing shorewall to not kill my NFS connection during stopping/starting the firewall. As I know quite a bit more about configuring linux routing internals than I did a year ago I was wondering if perhaps I am inadvertently causing a problem by commenting out certain lines from shorewall's "firewall" script to make my setup work and decided I ought to ask about it.

Here are my simple changes to make this work. In the "firewall" script (/usr/share/shorewall/firewall for me), in the functions stop_firewall() and initialize_netfilter() I have commented out these two lines (they appear once in each function):

# setpolicy INPUT DROP
# setpolicy OUTPUT DROP

I know what they do, but are they absolutely necessary here? Obviously I lose connection to the NFS server when they are uncommented. Am I leaving something open unintentionally by leaving them uncommented? Is there a better way to prevent losing the NFS connection? As I said, this has been working for a year or two without issues, but it may just be something that is "tolerated" in my setup and not really proper. Could a feature be implemented to detect NFS root setups and somehow keep traffic flowing to/from the NFS server at all costs?

Thanks for any ideas,
John Laur
Tom Eastep
2003-Jul-09 10:54 UTC
[Shorewall-users] Shorewall on a diskless machine (NFS root)
On Wed, 2003-07-09 at 01:57, John Laur wrote:
>
> In the "firewall" script (/usr/share/shorewall/firewall for me), in the
> functions stop_firewall() and initialize_netfilter() I have commented
> out these two lines (they appear once in each function):
>
> # setpolicy INPUT DROP
> # setpolicy OUTPUT DROP
>
> I know what they do, but are they absolutely necessary here?

Only if you care that your firewall is wide open except when it is fully started.

> Obviously I
> lose connection to the NFS server when they are uncommented. Am I
> leaving something open unintentionally by leaving them uncommented? Is
> there a better way to prevent losing the NFS connection? As I said, this
> has been working for a year or two without issues, but it may just be
> something that is "tolerated" in my setup and not really proper. Could a
> feature be implemented to detect NFS root setups and somehow keep
> traffic flowing to/from the NFS server at all costs?
>

Some time ago I thought about such a feature but I decided that unless I personally run a diskless firewall (which I'm not about to do), the feature would have a high probability of being broken in some way in every new release.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
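An added example, not code from this thread or from Shorewall itself: a sh snippet that pins the NFS root server with explicit ACCEPT rules as an alternative to commenting out the two setpolicy lines, and audits "iptables -S" output afterwards so you can confirm the policies really ended up DROP rather than wide open. The server address 192.0.2.10, the interface eth0, port 2049 and the idea of calling nfs_root_rules from your own wrapper just before the policy flip are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or Shorewall). Keep the NFS-root mount
# alive across the DROP policies of stop/start with explicit, narrow ACCEPT
# rules, then audit the ruleset instead of leaving the policy at ACCEPT.
NFS_SERVER="${NFS_SERVER:-192.0.2.10}"   # constructed placeholder address
NFS_IFACE="${NFS_IFACE:-eth0}"           # assumed interface facing the server
IPT="${IPT:-iptables}"
DRY_RUN="${DRY_RUN:-1}"                  # 1 = print the commands, 0 = execute

ipt() {  # run iptables, or echo the command when DRY_RUN=1
    if [ "$DRY_RUN" = "1" ]; then echo "$IPT $*"; else "$IPT" "$@"; fi
}

# Scope the exception to the server address and NFS port 2049 (NFSv3 over
# UDP or TCP); insert at position 1 so it precedes the rest of the ruleset.
# The state rule covers lockd/statd replies that arrive on dynamic RPC ports.
nfs_root_rules() {
    for proto in udp tcp; do
        ipt -I INPUT 1 -i "$NFS_IFACE" -s "$NFS_SERVER" -p "$proto" \
            --sport 2049 -j ACCEPT
        ipt -I OUTPUT 1 -o "$NFS_IFACE" -d "$NFS_SERVER" -p "$proto" \
            --dport 2049 -j ACCEPT
    done
    ipt -I INPUT 1 -i "$NFS_IFACE" -s "$NFS_SERVER" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Read "iptables -S" output on stdin; succeed only when INPUT and OUTPUT
# default to DROP (not the wide-open state the thread warns about) and an
# ACCEPT rule for the NFS server is present (so the root mount survives).
audit_ruleset() {
    rules=$(cat); status=0
    for chain in INPUT OUTPUT; do
        if ! printf '%s\n' "$rules" | grep -q "^-P $chain DROP$"; then
            echo "WARN: $chain policy is not DROP; host is wide open"
            status=1
        fi
    done
    if ! printf '%s\n' "$rules" | grep -Eq "^-A INPUT .*-s $NFS_SERVER(/32)? .*-j ACCEPT"; then
        echo "WARN: no ACCEPT rule for NFS server $NFS_SERVER in INPUT"
        status=1
    fi
    return $status
}

# Usage: "DRY_RUN=0 sh thisfile apply" installs the rules; afterwards run
# "iptables -S | audit_ruleset" from a shell that has sourced this file.
if [ "${1:-}" = "apply" ]; then nfs_root_rules; fi
```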
John Laur
2003-Jul-09 11:28 UTC
[Shorewall-users] Shorewall on a diskless machine (NFS root)
> > # setpolicy INPUT DROP
> > # setpolicy OUTPUT DROP
> >
> > I know what they do, but are they absolutely necessary here?
>
> Only if you care that your firewall is wide open except when it is fully
> started.

OK, so for the 10 seconds or so it takes shorewall to come up or do a restart, everything is open but once the script is done, then I am ok, correct? I can live with this if that is the case. I would trust my linux installation in an unfirewalled environment. If it leaves everything wide open after startup, then I can see a problem...

> > something that is "tolerated" in my setup and not really proper. Could a
> > feature be implemented to detect NFS root setups and somehow keep
> > traffic flowing to/from the NFS server at all costs?
> >
>
> Some time ago I thought about such a feature but I decided that unless I
> personally run a diskless firewall (which I'm not about to do), the
> feature would have a high probability of being broken in some way in
> every new release.

For those following this, I only today learned of the following project that I may look at adapting for my purposes:

http://gate-bunker.p6.msu.ru/~berk/router.html

It is designed to be a full (at least in feel anyway) Debian distribution that is run from ramdisk and bootstrapped from flash. You can then save the entire system back to the flash with a simple command kind of in line with the other floppy or flash based router projects. I have a feeling it can be easily adapted for bootstrap from PXElinux/NFS Root instead and would solve this problem. Still it may not work very well on my hardware since I only have 64MB of ram in my net4501...

Thanks for the info,
John
Tom Eastep
2003-Jul-09 11:44 UTC
[Shorewall-users] Shorewall on a diskless machine (NFS root)
On Wed, 2003-07-09 at 11:32, John Laur wrote:
>
> OK, so for the 10 seconds or so it takes shorewall to come up or do a
> restart, everything is open but once the script is done, then I am ok,
> correct?

So long as you never do a "shorewall stop", yes.

>
> For those following this, I only today learned of the following project
> that I may look at adapting for my purposes:
>
> http://gate-bunker.p6.msu.ru/~berk/router.html
>
> It is designed to be a full (at least in feel anyway) Debian
> distribution that is run from ramdisk and bootstrapped from flash. You
> can then save the entire system back to the flash with a simple command
> kind of in line with the other floppy or flash based router projects. I
> have a feeling it can be easily adapted for bootstrap from PXElinux/NFS
> Root instead and would solve this problem. Still it may not work very
> well on my hardware since I only have 64MB of ram in my net4501...
>

Rather tight all right.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net