[TriLUG] Diskless Clients and Security - Followup Questions
Aaron S. Joyner
aaron at joyner.ws
Fri Jul 14 09:34:59 EDT 2006
Roy Vestal wrote:
> After further reading, I have questions on the security of NFS and the
> dhcpd.conf.
>
> NFS:
> I'm thinking of creating a subnet that is ONLY for these diskless
> clients and allowing ONLY this IP range to read my NFS OS share (ro of
> course). Sound right?
Yeah, you're pretty much only going to be able to lock down NFS reliably
(during PXE bootup, at least) by IP address. Having a dedicated range
for your clients is essentially a must.
> dhcpd.conf:
>
> In dhcpd.conf I want to create a range of IPs, say 192.168.1.10 -
> 192.168.1.50 and I want to tell dhcpd to use these for 50 specific
> MACs. However, I do not want to reserve a specific IP for a specific
> MAC, I want the MAC to be assigned an IP out of the pool, in this
> example 192.168.1.10 - .50 . How would we go about this?
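subnet 192.168.1.0 netmask 255.255.255.0 {
    # pool shared by BOOTP and DHCP clients
    range dynamic-bootp 192.168.1.10 192.168.1.50;
    allow bootp;
    # only clients that have a host declaration get an address
    deny unknown-clients;
}
group {
    # no fixed-address here: the MAC is "known" but still draws from the pool
    host foo {
        hardware ethernet 00:00:00:00:00:00;
    }
}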
That should do the trick. Repeat foo with appropriate hostname as many
times as desired.
Aaron S. Joyner
> TIA
>
> Roy Vestal wrote:
>
>> I need to set up a PXE env for diskless clients at work. We have an
>> internal network that is shared across multiple departments here. I
>> want ONLY my department's diskless clients to connect to it. I'm
>> familiar with setting up the PXE, but I'm not 100% sure on securing
>> this.
>>
>> Has anyone a suggestion or two? I'm looking through the RHEL
>> documentation but no real security measures are discussed in detail.
>>
>> Also, we will eventually have over 100 clients on this network, not
>> necessarily at one time, but there will be over 100 clients that will
>> need to connect. I need a secure solution on sharing the OS they will
>> be using.
>>
>> Any suggestions would be greatly appreciated...
>>
>> Roy
>
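
An added example, not part of the original thread: a small audit of /etc/exports-style lines that flags any export of the OS share that is writable or reachable from outside the dedicated client subnet discussed above. The subnet 192.168.1.0/24 is taken from the dhcpd.conf in the reply; the export paths, the sample file and the function name audit_exports are assumptions made for illustration, and only the simple "path host(options)" form of exports(5) is parsed.

```python
import ipaddress

# Assumption: the dedicated diskless-client subnet from the dhcpd.conf above.
CLIENT_NET = ipaddress.ip_network("192.168.1.0/24")

# Constructed sample input, not taken from the thread.
SAMPLE_EXPORTS = """\
# /etc/exports (constructed sample)
/srv/diskless/os   192.168.1.0/24(ro,root_squash,sync)
/srv/diskless/alt  192.168.1.0/24(rw,sync)
/srv/diskless/pub  *(ro,sync)
/srv/diskless/wide 192.168.0.0/16(ro,sync)
"""

def audit_exports(text, allowed=CLIENT_NET):
    """Return (line_number, path, problem) for every risky client entry."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        path, *clients = line.split()
        for spec in clients:
            host, _, opts = spec.partition("(")
            options = set(opts.rstrip(")").split(",")) if opts else set()
            # exports(5) defaults to ro, so rw only appears when set explicitly.
            if "rw" in options:
                findings.append((lineno, path, f"{host} is exported rw"))
            try:
                net = ipaddress.ip_network(host, strict=False)
            except ValueError:
                # Wildcards, hostnames and netgroups cannot be tied to the
                # client range, so they are reported rather than trusted.
                findings.append((lineno, path, f"{host!r} is not an IP range"))
                continue
            if net.version != allowed.version or not net.subnet_of(allowed):
                findings.append((lineno, path, f"{net} is wider than {allowed}"))
    return findings

if __name__ == "__main__":
    for lineno, path, problem in audit_exports(SAMPLE_EXPORTS):
        print(f"line {lineno}: {path}: {problem}")
```
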