Hi!

From: "Giuseppe Patane'" <gpatane@iit.unict.it>
> But, the server containing the bootpd has two network cards and it is
> connected to the external LAN, too. Some questions about this:
> 1) Can somebody on the external LAN change the MAC address of a network
> card and boot from my server as if it was a machine of mine ?

He can change the MAC address easily, but he must know the addresses of
your NICs. To boot from your server, he also needs the tftpd and the
bootfile! And of course access to the root-nfs-server.

> 2) To avoid the previous problem, can I prevent the bootpd from listening
> to the card connected to the external LAN ?

The question is: what is secure / what should nobody know? Is it important
that nobody knows what MAC gets which IP? Is the kernel the clients receive
via tftp standard or unusual? Do you want that nobody knows what kernel the
clients boot from?

The most important thing: export nothing via nfs rw to machines not in your
network. Make sure that nobody can spoof this: the route to the IPs in your
network should be static (or secured). So even if your machine tries to
answer to spoofed IPs, the answer packets will go to your network... But
better is, your machine does not accept wrong IPs on the outer interface
(I don't know how rw-nfs works).

But to close any hole (security by obscurity :) you can at least build up a
firewall which blocks portmap/nfsd/mountd/tftpd/bootpd for the outer
interface.

Ciao,
Rob

===========================================================================
This Mail was sent to netboot mailing list by:
Robert Siemer <Robert.Siemer@gmx.de>
To get help about this list, send a mail with 'help' as the only string in
its body to majordomo@baghira.han.de.
If you have problems with this list, send a mail to netboot-owner@baghira.han.de.
For requests or suggestions regarding this mailing list archive please write to netboot@gkminix.han.de.
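Rob's central advice is "export nothing via nfs rw to machines not in your network". The following script is an added example, not code from either poster or from the netboot project: it parses an /etc/exports file in the Linux syntax (`/path client(option,...) ...`) and lists every read-write export whose client specification is not provably inside the internal subnet. The sample exports file and the 192.168.1.0/24 internal network are constructed for the example. Two assumptions are built in and labelled in the code: an entry without an explicit `ro` is treated as read-write (old nfs-utils defaulted to rw, and it is the conservative reading either way), and hostnames, wildcards and netgroups are reported because they cannot be verified offline.

```python
"""Audit /etc/exports for read-write NFS exports reachable from outside
the internal network.

Added example for this mailing-list thread, not code from the original
posts.  Assumes the Linux /etc/exports syntax and an internal network
given as a CIDR prefix.  The exports text below is constructed.
"""
import ipaddress
import re

# Constructed sample exports file, not from the original mail.
SAMPLE_EXPORTS = """\
# diskless clients: kernel/bootfile area and root filesystems
/tftpboot        192.168.1.0/255.255.255.0(ro)  *(ro)
/export/root     192.168.1.0/24(rw,no_root_squash)
/export/home     192.168.1.0/24(rw) 10.0.0.0/8(rw)
/export/scratch  *(rw)
/export/legacy   10.1.2.3
/export/mirror   mirror.example.org(rw)
"""

# Assumed internal (boot) network for the example.
INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")

# One client entry: a spec, optionally followed by "(opt,opt,...)".
_CLIENT_RE = re.compile(r"([^\s(]+)(?:\(([^)]*)\))?")


def parse_exports(text):
    """Return a list of (path, client_spec, options) for every client entry."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        path, clients = parts[0], parts[1:]
        if not clients:
            # Assumption: a bare path exports to everyone (historic behaviour).
            clients = ["*"]
        for client in clients:
            m = _CLIENT_RE.fullmatch(client)
            if not m:
                raise ValueError("cannot parse client entry %r" % client)
            spec, opts = m.group(1), m.group(2)
            options = [o.strip() for o in opts.split(",")] if opts else []
            entries.append((path, spec, options))
    return entries


def is_read_write(options):
    """Assumption: anything without an explicit 'ro' is treated as rw
    (old nfs-utils defaulted to rw; flagging it is the safe choice)."""
    return "ro" not in options


def spec_inside(spec, internal):
    """True only if spec is an address or network entirely inside `internal`.
    Wildcards, netgroups and hostnames cannot be checked offline, so they
    count as outside and get reported."""
    if spec.startswith("@") or "*" in spec or "?" in spec:
        return False
    try:
        # Accepts "a.b.c.d", "a.b.c.d/24" and "a.b.c.d/255.255.255.0".
        net = ipaddress.ip_network(spec, strict=False)
    except ValueError:
        return False  # a hostname: resolve and re-check before trusting it
    return net.version == internal.version and net.subnet_of(internal)


def audit(text, internal=INTERNAL_NET):
    """Return (path, client_spec) for each rw export that an outside host
    could mount, in file order."""
    findings = []
    for path, spec, options in parse_exports(text):
        if is_read_write(options) and not spec_inside(spec, internal):
            findings.append((path, spec))
    return findings


if __name__ == "__main__":
    for path, spec in audit(SAMPLE_EXPORTS):
        print("rw export reachable from outside the internal net: %s -> %s"
              % (path, spec))
```

Run it against the real file with `audit(open("/etc/exports").read(), ipaddress.ip_network("your.net/prefix"))`. The audit only covers the export list; it says nothing about the static-route and address-filtering points in the mail, which have to be checked on the router and on the outer interface's packet filter.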