Looking to secure a SLES11-based iSCSI target... It has its own dedicated LAN, but will also have an interface on the server LAN for management, etc.

I want to restrict it to only be available by the interface on the dedicated LAN (i.e. physically secure) and implement some sort of authentication.

There doesn't appear to be anything in ietd.conf regarding the listening address... which would seem the obvious place to me.

However, there is a parameter for the daemon - ietd:
    -a address, --address=address
        Specify on which local address the server should listen, default is any.

On the face of it, I'd need to modify the /etc/init.d/iscsitarget script and change

echo -n "Starting iSCSI target service: "
modprobe -q crc32c
modprobe iscsi_trgt
startproc -p $PIDFILE $DAEMON -a
rc_status -v

This looks a bit dodgy to me... patches, etc.
Can you think of anything neater, and frankly safer!?!

As for authentication... Tried the 'incoming' password on the target but it doesn't appear to actually stop authentication... an iscsi_discovery from the iSCSI initiator finds it OK, and a subsequent config via YaST, with 'no authentication' specified, pops it straight in...
Can see the LUNs fine!! What gives here?

As usual, thoughts and recommendations welcome!
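
Added example, not part of the original post and not code from the iSCSI target project: a shell check that reads `ss -ltn` output and reports whether the iSCSI port is bound only to the dedicated-LAN address or is still listening on any address, which the man page excerpt above gives as the default. The function name, the addresses 10.0.0.5 and 192.168.1.5, and the sample `ss` output are constructed for illustration; port 3260 is the standard iSCSI target port.

```shell
#!/bin/sh
# Added example: audit which local addresses listen on the iSCSI port.
# Reads `ss -ltn` output on stdin. $1 = the only address allowed to listen,
# $2 = port (default 3260). Hypothetical helper, not part of any package.
# Exit status: 0 = only the allowed address, 1 = any-address/other, 2 = no listener.
audit_iscsi_listeners() {
    awk -v allowed="$1" -v port="${2:-3260}" '
        $1 == "LISTEN" {
            n = match($4, /:[0-9]+$/)          # last colon separates the port
            if (!n || substr($4, n + 1) != port) next
            addr = substr($4, 1, n - 1)
            gsub(/^\[|\]$/, "", addr)          # strip [] around IPv6 addresses
            seen = 1
            if (addr == allowed) { print "OK   " addr ":" port; next }
            bad = 1
            kind = (addr == "*" || addr == "0.0.0.0" || addr == "::") ? "any-address" : "unexpected"
            print "FAIL " addr ":" port " (" kind ")"
        }
        END { if (!seen) exit 2; exit (bad ? 1 : 0) }
    '
}

# Constructed sample: daemon started without -a, so it listens on any address.
SAMPLE_ANY='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      32     0.0.0.0:3260       0.0.0.0:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*'

# Constructed sample: daemon started with -a 10.0.0.5 (dedicated storage LAN).
SAMPLE_BOUND='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      32     10.0.0.5:3260      0.0.0.0:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*'

# Constructed sample: no iSCSI listener at all (target service not running).
SAMPLE_NONE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*'

printf '%s\n' "$SAMPLE_ANY"   | audit_iscsi_listeners 10.0.0.5 || echo "status $?"
printf '%s\n' "$SAMPLE_BOUND" | audit_iscsi_listeners 10.0.0.5 || echo "status $?"
```

On a live target the input would be `ss -ltn | audit_iscsi_listeners <storage-LAN address>`, run after each restart of the service so that a package update replacing the init script is noticed.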