David Kennel wrote:

> I am piloting an LTSP based solution. Due to our security requirements
> I have had to tweak the configuration quite a bit to harden the
> system. I have moved the clients to encrypted connections based on
> FreeNX but the clients are still opening their X11 servers to dog +
> world. Does anyone know of a good way to shut this down or at least
> verifiably limit the traffic to the server.
>
> I have considered moving all the traffic to an encrypted VPN but
> cannot find good documentation on this process.
David-

I haven't tried this, but the terminal kernels should be able to use the built-in Linux firewall iptables to block all but expected traffic. You may have to copy the iptables utils into $LTSP/i386 so they can be run by the terminals. Once you get the rules you want (there are web sites that can build these for you), add a script to $LTSP/etc/rc.d and call it by adding a line to lts.conf like this: RC_FILE=myscript.sh.

My next question is how you "moved the clients to encrypted connections based on FreeNX". Does LTSP come with a freenx client already installed now? Or do your clients log in to the terminal server and then run freenx from the server to the remote server? I would be curious to learn what heavy lifting you had to do to get freenx installed on the terminal as a default client (like we already have with X11, rdesktop, and telnet).

Finally, LTSP is not necessarily intended to be a secure traffic solution, but a trusted LAN solution. Any time you have NFS, SMB, or any non-ssh file sharing such as we use for LTSP (to run the terminals), you need to place some trust on your physical LAN. You could adopt a fully encrypted solution for files and X11 traffic, but if you start encrypting the X11 traffic using SSH, freenx, RDP, etc, you introduce latency that can be felt by the user. It's not so bad when you use it over the Internet/WAN, but it can be felt on a LAN versus an unencrypted X11 session.

-Todd
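As an added example (not from this thread or from LTSP itself), here is a sketch of the rc.d script Todd describes: the client kernel's iptables admits only the traffic a thin client needs and confines the local X server to the terminal server. It assumes a single server at a constructed address in SERVER, the iptables binary already copied into the client root, and a hypothetical LTSP_FW_APPLY variable that a wrapper sets to actually apply the rules instead of printing them.

```shell
#!/bin/sh
# Added example, not from the thread: an LTSP rc.d script (RC_FILE=myscript.sh)
# that uses the client kernel's iptables to admit only expected traffic and
# confines the client's X server (TCP 6000-6009) to the terminal server.
# Assumptions: a single server at $SERVER provides NFS root, XDMCP and DHCP,
# and the iptables binary has been copied into the client root.
SERVER="${SERVER:-192.168.0.254}"   # constructed address; override via environment

# Print the rule set instead of applying it, so it can be reviewed or diffed.
build_rules() {
    srv="$1"
    cat <<EOF
iptables -F INPUT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
# Replies to connections the client itself opened (NFS root, XDMCP query, DHCP renew)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# X11: only the terminal server may open a display on this client
iptables -A INPUT -p tcp -s $srv --dport 6000:6009 -m state --state NEW -j ACCEPT
# UDP from the server (portmap callbacks, NFS over UDP picked up mid-flow)
iptables -A INPUT -p udp -s $srv -j ACCEPT
# Ping from the server only, for reachability checks
iptables -A INPUT -p icmp -s $srv --icmp-type echo-request -j ACCEPT
# Everything else, including X11 from any other host, is logged and dropped
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "ltsp-drop: "
iptables -A INPUT -j DROP
EOF
}

# Run the generated rules; only meaningful as root on the terminal.
apply_rules() {
    build_rules "$1" | sh -e
}

# Count the rules that admit new TCP connections to the X11 port range;
# exactly one (from the server) is the expected answer.
x11_accept_count() {
    build_rules "$1" | grep -c -- '--dport 6000:6009 .*-j ACCEPT'
}

# Apply only when explicitly asked (hypothetical: a wrapper in $LTSP/etc/rc.d
# sets LTSP_FW_APPLY=1); otherwise just show what would be applied.
if [ "${LTSP_FW_APPLY:-0}" = 1 ]; then
    apply_rules "$SERVER"
else
    build_rules "$SERVER"
fi
```

Running the script without LTSP_FW_APPLY prints the rules, which is a convenient way to verify on the server side that only the server address can reach the client's display ports before the script is shipped to the terminals.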