[Shorewall-users] Shorewall on a diskless machine (NFS root)

John Laur johnl at blurbco.com
Wed Jul 9 04:57:00 PDT 2003


I am running shorewall (and have been for more than a year at least) on
a diskless machine. The box boots via PXE and uses NFS for the root
partition. I recently upgraded from shorewall 1.2 to 1.4 to get some
extra functionality and I had to go through the steps of allowing
shorewall to not kill my NFS connection during stopping/starting the
firewall. As I know quite a bit more about configuring linux routing
internals than I did a year ago I was wondering if perhaps I am
inadvertently causing a problem by commenting out certain lines from
shorewall's "firewall" script to make my setup work and decided I ought
to ask about it. Here are my simple changes to make this work. 

In the "firewall" script (/usr/share/shorewall/firewall for me), in the
functions stop_firewall() and initialize_netfilter() I have commented
out these two lines (they appear once in each function):

#    setpolicy INPUT DROP
#    setpolicy OUTPUT DROP

I know what they do, but are they absolutely necessary here? Obviously I
lose connection to the NFS server when they are uncommented. Am I
leaving something open unintentionally by leaving them uncommented? Is
there a better way to prevent losing the NFS connection? As I said, this
has been working for a year or two without issues, but it may just be
something that is "tolerated" in my setup and not really proper. Could a
feature be implemented to detect NFS root setups and somehow keep
traffic flowing to/from the NFS server at all costs?

Thanks for any ideas,
John Laur
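The alternative to deleting the two setpolicy lines is to keep them and make the NFS-server exemption explicit, ordered so the ACCEPT rules exist before the policy flips to DROP (Shorewall's own /etc/shorewall/routestopped file is the project's way of naming hosts that must stay reachable while the firewall is stopped). The script below is an added example, not code from Shorewall's firewall script, and assumes a placeholder server address 192.0.2.10 on eth0 plus a dry-run mode that prints the iptables commands instead of running them:

```shell
# Added example, not Shorewall code. Goal: keep NFS-root traffic alive while the
# firewall's INPUT/OUTPUT policies become DROP, without removing the policy lines.
# NFS_SERVER and NFS_IFACE are placeholders; set them for your site.
NFS_SERVER="${NFS_SERVER:-192.0.2.10}"   # constructed TEST-NET-1 address
NFS_IFACE="${NFS_IFACE:-eth0}"
IPT="${IPT:-iptables}"
DRY_RUN="${DRY_RUN:-1}"                  # 1 = print commands only; 0 = execute

# Print or execute one iptables invocation, depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

# Exemptions limited to the NFS server, not the whole LAN. Each rule is
# inserted at the head of its chain so it wins over anything already there.
nfs_root_rules() {
    # In-flight RPCs (including mountd on its dynamic port) survive via conntrack.
    run -I INPUT 1 -i "$NFS_IFACE" -s "$NFS_SERVER" -m state --state ESTABLISHED,RELATED -j ACCEPT
    run -I OUTPUT 1 -o "$NFS_IFACE" -d "$NFS_SERVER" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # New NFS (2049) and portmapper (111) sessions, both TCP and UDP.
    for proto in tcp udp; do
        run -I OUTPUT 1 -o "$NFS_IFACE" -d "$NFS_SERVER" -p "$proto" --dport 2049 -j ACCEPT
        run -I OUTPUT 1 -o "$NFS_IFACE" -d "$NFS_SERVER" -p "$proto" --dport 111 -j ACCEPT
    done
}

# The same effect as the two setpolicy lines, applied only after the exemptions.
drop_policies() {
    run -P INPUT DROP
    run -P OUTPUT DROP
}

# Order matters: exemptions first, then the DROP policies.
stop_with_nfs_root() {
    nfs_root_rules
    drop_policies
}

# Stand-alone use: ./nfs-root-stop.sh --run   (DRY_RUN=0 applies the rules as root)
if [ "${1:-}" = "--run" ]; then
    stop_with_nfs_root
fi
```

Calling nfs_root_rules at the top of both stop_firewall() and initialize_netfilter(), before the setpolicy lines, gives the same protection in both places without leaving the default policy open.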
