This page is specific to Ubuntu versions 8.04

If you find this information applicable to additional versions/releases, please edit this page and modify this header to reflect that. Please also include any necessary modifications for this information to apply to the additional versions.


Firewall Configuration for LTSP Server

Do You Need a Firewall?

Default Ubuntu installations with a 2-NIC configuration (1 dedicated to serving the thin-client subnet, and the other acting as a gateway to the rest of the physical network and/or the Internet) do not run any outward (internet-facing) services, so they have no ports open to the internet and do not require a firewall. The LTSP server provides services to its clients, which by default are supposed to run on a dedicated and unrouted interface and gets set up with addresses from a private IP range (eg: 192.168...) provided by the LTSP DHCP server. Since these are neither accessible nor visible from the outside world, they do not require firewall protection.

The main situation in which the clients might be routable and require a firewall (IP masquarading NAT at least) would be kiosk clients. If you don't know what kiosk clients are then you don't have them.

The default Ubuntu LTSP Server installation is perfectly safe without running its own firewall, and it is recommended that a firewall is not installed, especially during initial setup and testing. A small misconfiguration in a firewall could prevent LTSP working correctly, and the LTSP community will probably be unable or unwilling to help troubleshoot your installation.

However, if a firewall is required, perhaps because the server is also to run internet services such as a web server, then the firewall must be configured to enable the LTSP client services such as TFTP, DHCP, and NBD.

If you prefer a command line program, the recommended (and supported) app is ufw: the server guide.

I have used Guarddog from the Universe repository here. It is graphical firewall that is easy to setup for the necessary protocols. I could not get Firestarter to work with LTSP. If anyone knows how to persuade Firestarter to allow the TFTP protocol please add details. Guarddog depends on some KDE packages which will be installed with it.


Added by feinbein: I managed to use Firestarter quite easily by adding the following inbound-rules in the policy-tab:

  • tftp 69
  • samba 137-139 445
  • syslog 514
  • sieve 2000
  • unknown 9571

I am not sure what the last port (9571) is good for, I just found out by monitoring events in firestarter while booting a client.


Network Configuration

I used the standard setup with 2 Network Interfaces on the server, as shown here: UbuntuLTSP/LTSPWiring. The clients are attached to their own network, separate from any other LAN with its own DHCP server. This network is then attached to a separate network interface on the server, eg: a second Network Interface Card; with the first NIC being attached to the internet, possibly via a LAN which may have its own DHCP server.

NB: If, for initial test purposes, you try connecting a single client directly to the server (using one cable only) and it complains "No DHCP or proxyDHCP offers", you will probably find that connecting both server and client to a hub or switch will solve the problem.

Guarddog Configuration

As mentioned above, it is recommended that you get LTSP working and fully tested before installing a firewall.

Zone Tab

NB: The default and uneditable Local Zone refers to the server machine itself, not to attached clients.

Create New Zone: 'LTSP Clients'

Addresses: For initial testing with a single client you can just enter the IP assigned to, and displayed by the client when it boots, (in my case 192.168.0.250) but keep a look out for this automatically changing on future days. Better is to add the whole DHCP range as defined in /etc/ltsp/dhcpd.conf, but this must be expressed in 'CIDR' notation, in my case: 192.168.0.0/24. For more information about CIDR notation and an easy online calculator, see: http://www.subnet-calculator.com/cidr.php.

Connect to: Local Zone only

Local Zone (default)

Connect to: LTSP Clients zone, only.

Internet Zone (default)

Do not connect to LTSP Clients zone.

Protocol Tab

Internet Zone

Enable to Local zone

  • File Transfer: FTP, HTTPS, HTTP
  • Network: DNS
  • Mail: POP3, POP3S, SMTP, SMTP over SSL

Local Zone

Enable to Internet

  • Network: DNS

Enable to LTSP Clients

  • File Transfer: Legato Net Worker, NFS
  • Interactive: SSH, SUN RPC
  • Network: TFTP

LTSP Clients Zone

Enable to Local zone

  • File Transfer: NFS

Advanced Tab

DHCP: Enable DHCP Server on the LTSP clients interface

UbuntuLTSP/LTSPFirewall (last edited 2009-01-23 20:42:16 by lns)