Posts made by DBCountMan
-
Secure FOG's NFS share
Just wondering if there is a way to secure the NFS share on the FOG server. I can mount from just about any Linux system without credentials. I’m pretty sure there is an app for Windows that can mount NFS shares. Even though the images are in the IMG format and can’t exactly be browsed easily, anyone with the know-how and proper tools can download them and access the contents of the images.
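One way to cut the exposure described in this post, as an added example that is not FOG project code: audit the exports file for entries that any host may mount and rewrite them so that only the imaging subnet is allowed. The sample exports file is constructed here to resemble a typical FOG server, and the subnet 10.0.0.0/24 is an assumption; substitute the real file and subnet.

```shell
#!/bin/sh
# Added example (not FOG project code): find NFS exports open to any host
# and produce a version limited to the imaging subnet.
# Assumptions (not from the thread): the export layout below resembles a
# FOG server, and 10.0.0.0/24 is the imaging subnet.

# Constructed sample exports file.
SAMPLE_EXPORTS=$(mktemp)
cat > "$SAMPLE_EXPORTS" <<'EOF'
/images *(ro,sync,no_wdelay,no_subtree_check,insecure_locks,no_root_squash,insecure,fsid=0)
/images/dev *(rw,async,no_wdelay,no_subtree_check,no_root_squash,insecure,fsid=1)
EOF

# Print every export whose client spec is "*" (any host may mount it).
# Exit status 0 if at least one such line exists, 1 otherwise.
open_exports() {
    awk 'BEGIN { found = 0 }
         $2 ~ /^\*\(/ || $2 == "*" { print; found = 1 }
         END { exit !found }' "$1"
}

# Number of open exports in the file.
count_open_exports() {
    open_exports "$1" | wc -l | tr -d ' '
}

# Rewrite the "*" client spec to the given client spec (for example a CIDR),
# leaving the option list untouched. $1 = exports file, $2 = allowed clients.
restrict_exports() {
    sed -E "s#^(/[^[:space:]]+)[[:space:]]+\*\(#\1 $2(#" "$1"
}

# Stand-alone run: report, then show the tightened file.
echo "open exports: $(count_open_exports "$SAMPLE_EXPORTS")"
restrict_exports "$SAMPLE_EXPORTS" 10.0.0.0/24
```

After applying the rewritten file to the real `/etc/exports`, run `exportfs -ra` and confirm from a host outside the subnet that `mount -t nfs <fog-ip>:/images /mnt` is refused. Two caveats a practitioner should keep in mind: a client-address restriction limits who can mount but authenticates nobody, since NFSv3 with AUTH_SYS trusts whatever UID the client presents, so anything plugged into the imaging VLAN can still read the images; and the option list is left as-is because FOG writes captured images to the share as root.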
-
RE: Possible to secure /var/www/* ipxe boot contents?
@george1421 said in Possible to secure /var/www/* ipxe boot contents?:
apache stop file browsing
Yes I will place this here to save a search for anyone who stumbles upon this post.
https://www.vultr.com/docs/how-to-disable-directory-browsing-on-apache/
-
Possible to secure /var/www/* ipxe boot contents?
I have a couple of ipxe items and their contents reside in /var/www. I noticed that I can browse to those web shares without authentication. I know FOG needs them shared, but I thought the FOG ipxe kernel is already authenticated. Is there a way to block web browsing to these specific shares and only allow access via FOG pxe?
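The two controls that answer this question, as an added example that is not FOG project code: turn off Apache directory listings for the payload directory and limit who may fetch from it at all. The weak vhost snippet is constructed; the payload path /var/www/html/ipxe-items and the subnet 10.0.0.0/24 are assumptions.

```shell
#!/bin/sh
# Added example (not FOG project code): detect Apache <Directory> blocks
# that allow listings and emit a hardened drop-in for the iPXE payloads.
# Assumptions (not from the thread): payloads live under
# /var/www/html/ipxe-items, clients boot from 10.0.0.0/24, Apache 2.4.

# Constructed sample: a stock-looking block that lets anyone list the share.
WEAK_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
<Directory /var/www/html>
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
EOF

# Print each Options line that enables listings ("Indexes" or "+Indexes",
# but not "-Indexes"). Exit status 0 if any found, 1 otherwise.
listing_enabled() {
    awk 'BEGIN { found = 0 }
         tolower($1) == "options" {
             for (i = 2; i <= NF; i++)
                 if (tolower($i) == "indexes" || tolower($i) == "+indexes") {
                     print; found = 1
                 }
         }
         END { exit !found }' "$1"
}

# Hardened drop-in: no listings, and only the given subnet may fetch.
# $1 = directory, $2 = allowed client subnet.
hardened_conf() {
    dir=$1
    subnet=$2
    cat <<EOF
<Directory $dir>
    Options -Indexes
    AllowOverride None
    Require ip $subnet
</Directory>
EOF
}

# Stand-alone run: show the offending line, then the replacement block.
listing_enabled "$WEAK_CONF" || echo "no listing-enabled Options line found"
hardened_conf /var/www/html/ipxe-items 10.0.0.0/24
```

Drop the generated block into a file under the Apache configuration directory (for example /etc/apache2/conf-available/ on Debian-style systems, enabled with `a2enconf`), run `apachectl configtest`, and reload. Two caveats: `-Indexes` only stops browsing, so anyone who already knows a file name can still fetch it, which makes the `Require ip` line the part that actually limits access; and that line must admit every subnet from which machines PXE-boot, and should be scoped to the payload directory rather than the whole web root, since FOG's own boot process fetches from the same server.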
-
RE: Idea: Two "next-servers" coexisting on the same vlan
@sebastian-roth Where do I “use --recreate-CA and --recreate-keys keys” switches? Like this?
.\installfog.sh --recreate-CA --recreate-keys?
-
RE: Idea: Two "next-servers" coexisting on the same vlan
@george1421 Actually since I added a standard boot.wim file from a Windows install disc, pxe booting works as it did before we disabled PXE on the WDS server. Now it’s just a matter of finding the original custom boot.wim we had in place. Then we can move on to modifying the os.WDS-Boot parameters to make it work from FOG. If I remember correctly, FOG also works with the autoboot command. I remember I saw this when I was experimenting at the ipxe shell from a remote location when I loaded ipxe from USB. I typed autoboot and since the next-server was predefined as my FOG IP, it loaded FOG.
As far as finding the efi file, I did find it. I see this error now followed by two No such file or directory errors when attempting to load from the FOG menu:
tftp://wds ip/SMSBoot/x64/wdsmgfw.efi… Error 0x3d126083
Followed the link and it is “Error: Inappropriate I/O control operation”.
-
RE: Idea: Two "next-servers" coexisting on the same vlan
So while the script @george1421 made in that post didn’t work right and threw errors, I have FOG scripted to allow dropping to a shell if an error occurs. Once I got into the shell, I just typed “autoboot” and hit enter. I then got prompted to press Enter to boot WDS. Then it stopped there. I think I still have to define a boot.wim on the WDS Properties. But I feel like I am getting closer. I could just throw in the “autoboot” command under the FOG ipxe item setting parameters.
-
RE: Idea: Two "next-servers" coexisting on the same vlan
I think when we disabled PXE on the WDS it also removed everything else that made it work. I think that includes the proxyDHCP service. Our prod DHCP server had our WDS server’s IP listed as DHCP Relay. But I don’t think we still need PXE if we chain from FOG.
-
RE: Idea: Two "next-servers" coexisting on the same vlan
@george1421 We just re-enabled PXE on the SCCM server so it takes a minute to reinstall the features. I was going to run Wireshark to see what is being requested from where. I did that testing ipxe in my lab and found out that ipxe requests autoexec.ipxe if you don’t embed or specify a menu file. Learn something new everyday.
-
RE: Idea: Two "next-servers" coexisting on the same vlan
Actually found the files but it keeps saying the same error message. I corrected the path in the script. We disabled the PXE service on the SCCM server, so I am wondering if that also disabled TFTP which is why the files can’t be found.
-
RE: Idea: Two "next-servers" coexisting on the same vlan
@george1421
Just tested it with my USB boot method to load ipxe in a VM; the menu item was present, but when I tried to boot it, I got this error:
These are the parameters I have set as per your post:
set next-server our SCCM server
iseq ${platform} efi && goto is_wds_efi || goto is_wds_bios
:is_wds_efi
set wds-bootfile \boot\x64\wdsmgfw.efi
goto wds_boot
:is_wds_bios
set wds-bootfile \boot\x64\wdsnbp.com
:wds_boot
set filename ${wds-bootfile}
set net0.dhcp/filename ${wds-bootfile}
set proxydhcp/filename ${wds-bootfile}
chain tftp://${next-server}${wds-bootfile} || goto Menu
After looking at the folder structure, I see a folder that our sysadmin set up that has a folder called Boot, but no file called “wdsmgfw.efi” exists.
-
RE: Idea: Two "next-servers" coexisting on the same vlan
@george1421 Would it be easier to re-run the FOG setup script and just change the FOG IP and disable DHCP? I could also define our existing DHCP server during the setup.
-
RE: Idea: Two "next-servers" coexisting on the same vlan
@george1421 Yes and there is also the nfs server that would have to bind to the other interface. Looking at the boot.php I see the “set fog-ip 10.0.0.10” string. I’d have to change any instance of “10.0.0.10” to my prod network interface IP address. Or is it not that simple?
EDIT: So NFS isn’t affected. I just mounted my FOG’s NFS share via prod interface.
-
RE: Idea: Two "next-servers" coexisting on the same vlan
@george1421 Yeah I’ll just keep the FOG server as the primary PXE server. Question though: Since my primary FOG server has two interfaces in use, one for imaging (offline imaging switch) the other for management (prod network), I’d have to first disable DHCP and I’d have to tell dnsmasq to serve tftp on the prod interface right?
-
RE: Idea: Two "next-servers" coexisting on the same vlan
@george1421 Well that I knew about SCCM. But after talking with my network team, they did not have option 66/67 set on the DHCP server. They only defined the SCCM server as a DHCP-Relay, no filenames or DHCP options set. So right there I knew something was different about how files were served from dnsmasq vs WDS netboot service. But yeah that post is more than just a start!
Now I could go that route and add WDS to the FOG ipxe menu, OR be ambitious and build a “main” tftp server menu that can chain FOG and WDS. Thinking maybe a Raspberry Pi or something. But for now using FOG to chain WDS is an excellent start.
-
RE: Idea: Two "next-servers" coexisting on the same vlan
@george1421 said in Idea: Two "next-servers" coexisting on the same vlan:
@brakcounty I know I worked this out just recently. Luckily I was able to find this post from the near past: https://forums.fogproject.org/post/146970
DUDE! Did that work for you?? That looks so simple and perfect!
And I did not know about the WDS netboot service, as I never really had access to a WDS box to see. I’m not the super-sysadmin at my job
-
Idea: Two "next-servers" coexisting on the same vlan
I am wondering if it is possible for a FOG and SCCM server to both be available on the same VLAN. So my idea is to do the following:
Create a tftp server that loads an ipxe menu. On this menu, we will be met with two options: FOG and SCCM. So our DHCP server will tell pxe clients that this initial tftp server will load the menu.
Now I believe that ipxe can chain another tftp server and load files. So I am pretty sure that this can be done via menu scripting. Kind of like how FOG can have custom ipxe entries for stuff like PMagic and WinPE. What I am unsure of is how ipxe will handle sending clients to the respective servers for loading files. I know that booting FOG ipxe via USB works without the DHCP server specifying where the next-server is, because the bootx64.efi image already has the menu scripts in place that tell the client “OK the FOG server is here at 1.2.3.4, boot”.
What are your thoughts? Would be really cool to have SCCM and FOG because we use SCCM for our stock Windows image and we use FOG for department-specific customized Windows images.
-
Storage Node Disk Usage alternative disk usage read-source
I think that the DefaultMember is tied to the IP address of the NFS share. My primary FOG server has two network interfaces, one for imaging offline using the DHCP service, and another for remote management. The primary does not show disk usage, saying “Node offline”, when viewing from a PC or vlan not on the imaging interface. My secondary only has one interface and I use the USB boot method for imaging, so only one network interface and I can see disk usage. My question is: Is there a way for the FOG Web UI to read disk usage from a different source instead of DefaultMember?
-
RE: Does FOG use or install the log4s?
@george1421 said in Does FOG use or install the log4s?:
Again don’t listen to a dude on the internet prove it to yourself.
“Think for yourself, question authority.” -Tim Leary