List: opensuse-autoinstall
Subject: Secure Network-Based Install for SuSE 9.0...
From: Roy Butler <roy.butler () jpl ! nasa ! gov>
Date: 2004-05-06 0:18:44
Message-ID: 40998423.7020604 () jpl ! nasa ! gov
Hi,
I'd like to create a secure network-based install for SuSE 9.0 with
AutoYaST using iptables. Currently, I have the following working quite
well on a private network:
- Server at 192.168.1.1 with SuSE 9.0 DVD contents NFS-exported and
AutoYast XML control file served via TFTP.
- Client connected through switch and booted from SuSE 9.0 CD1 with the
following arguments:
hostip=192.168.1.2 netmask=255.255.255.0 gateway=192.168.1.1
install=nfs://192.168.1.1/export/i386/SuSE/9.0/DVD
autoyast=tftp://192.168.1.1/test-1.xml
My goal is to move the server to a semi-public network and install
clients in a manner similar to the above, but prohibit any network
traffic to the client from anywhere but the server during the process.
I've read (most of) Anas' fine AutoYaST documentation, the Linux
Bootdisk HOWTO, and the kernel's initrd.txt file, as well as some of the
messages on this list. I've missed it if anyone has described how to do
this before, but here is my plan of attack:
- Copy SuSE 9.0 CD1 to hard drive.
- Gunzip and mount the CD's /boot/loader/initrd.
- Copy iptables.o to initrd's /modules directory and add an entry to the
[autoload] section of initrd's /modules/module.config file.
- Unmount and gzip the initrd image.
- Create a template entry for the long-winded boot arguments above in
the CD's /boot/loader/isolinux.cfg.
- Burn a custom SuSE 9.0 CD1 from the hard drive.
- Create a pre-script in my test-1.xml file which runs "iptables <some
rule>".
Has anyone done something similar who can offer advice/comments? I like
the extended boot arguments, because I can't rely on PXE or DHCP
everywhere. I'm not stuck on iptables, if there's a similar way to do
it otherwise. I have the sense that I may be working with the wrong
ramdisk (/boot/loader/initrd) since I found no /lib directory and an
incredibly sparse /bin directory there...
Much appreciated,
Roy
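The "pre-script" step of the plan above, as an added example that is not part of the original post and not SuSE's or AutoYaST's own code: a POSIX sh script that emits, and on request applies, iptables rules confining the installing client to its install server. The server address defaults to 192.168.1.1 from the post; the `SERVER` variable, the `show`/`apply` arguments and the function names are assumptions of this example. It assumes the iptables binary and its kernel modules (on a 2.4 kernel, ip_tables.o and iptable_filter.o) are usable inside the installation system.

```shell
#!/bin/sh
# Added example (not from the original post, not SuSE/AutoYaST code):
# confine an installing client to its install server with iptables.
# Assumptions: iptables and its modules (ip_tables.o, iptable_filter.o on
# a 2.4 kernel) are usable in the install system; SERVER defaults to the
# post's 192.168.1.1 and can be overridden from the environment.

SERVER="${SERVER:-192.168.1.1}"

# valid_ipv4 ADDR: succeed only for a plain dotted quad, so that nothing
# but an address ever reaches the shell that later executes the rules.
valid_ipv4() {
    oldifs="$IFS"; IFS=.
    set -f            # no globbing while splitting on dots
    set -- $1
    set +f
    IFS="$oldifs"
    [ $# -eq 4 ] || return 1
    for oct in "$@"; do
        case "$oct" in ''|*[!0-9]*) return 1 ;; esac
        [ "$oct" -le 255 ] || return 1
    done
    return 0
}

# lockdown_rules SERVER: print the rule set, one iptables command per line.
# Default-deny both directions, then allow loopback and the server only.
# NFS (portmap, mountd, nfsd) and TFTP all come from the server, so one
# address match covers them without enumerating ports.
lockdown_rules() {
    srv="$1"
    valid_ipv4 "$srv" || { echo "bad server address: $srv" >&2; return 1; }
    cat <<EOF
iptables -F INPUT
iptables -F OUTPUT
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -s $srv -j ACCEPT
iptables -A OUTPUT -d $srv -j ACCEPT
EOF
}

# apply_lockdown SERVER: run the rules (needs root, which the installer has).
apply_lockdown() {
    lockdown_rules "$1" | sh -e
}

case "$1" in
    apply) apply_lockdown "$SERVER" ;;
    *)     lockdown_rules "$SERVER" ;;   # dry run: only show the rules
esac
```

`sh lockdown.sh` (or `sh lockdown.sh show`) prints the rules for review; `sh lockdown.sh apply` executes them. Because the filter keys only on the peer address, a host on the same segment that spoofs the server's IP or poisons the client's ARP cache still gets through; the rules narrow the client's exposure during the install but do not substitute for a physically separate install network.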